Data Breach Today - Archived Jun 17, 2026
Rokarolla Android Banking Trojan Enables Device Takeover
Malware Targets Banks, Crypto Platforms and Social Media
Greg Sirico • June 16, 2026
A newly surfaced Android-based banking Trojan gives threat actors near-total control over infected devices, letting them steal user credentials for direct access to financial accounts, researchers say.
Taking its name from its command-and-control server, Rokarolla - uncovered by Zimperium's zLabs - is currently targeting hundreds, if not more, of banking and cryptocurrency platforms, deploying an extensive set of capabilities that enable attackers to conduct fraud with minimal risk of detection.
Distributed through a number of malicious websites - primarily infocontablidades.it.com - Rokarolla tricks users into side-loading malicious versions of popular, high-traffic apps such as TikTok and Google Chrome. The malware targets 217 crypto and banking apps, executing a collection of roughly 137 commands to gain administrative access and control over infected devices.
According to research from zLabs, Rokarolla is capable of "harvesting lock screen credentials, exfiltrating sensitive contact lists and SMS data, and utilizing keyloggers to continuously record user input." It can block incoming calls from financial platforms or banks, use fake screen overlays and silence device audio to conceal malicious traffic.
Researchers also observed Rokarolla deactivating Google Play Protect controls, Android's built-in malware defense system, which automatically scans user devices daily to distinguish personal data from malicious threats.
Rokarolla's ability to intercept SMS messages and one-time passwords raises the stakes for successful device takeover attempts. The Trojan can "silently capture user keystrokes and harvest on-screen content," compressing "screenshots of the victim’s device" to exfiltrate useful data.
By intercepting SMS authentication codes and blocking calls, Rokarolla disrupts the fraud prevention playbook for defenders and cuts users off from reporting suspicious activity.
"Rokarolla targets an expansive ecosystem of over 200 financial, cryptocurrency and social media applications. By employing sophisticated evasion tactics, these threats are specifically engineered to circumvent legacy, signature-based mobile security solutions," researchers said in a blog post.
With its extensive surveillance and device control functions, Rokarolla effectively uses compromised devices to remotely manage surveillance, credential theft and fraud.
Zimperium's report reflects a broader trend in Android-based malware models, with threat actors trading up from pure credential theft to full-device compromise and control.
The malware's focus on mobile devices highlights how frequently unassuming, everyday tech such as smartphones or routers is used as the primary gateway to access sensitive data points and dispense malware undetected.
Researchers warned that as smartphones become the primary access point for financial services or apps, devices will continue to face banking malware campaigns, each with its own brand of exploitation and expanded capabilities to enable device takeover.