Rokarolla: the Trojan Threatening 217 Banking Apps on Android

The malware, detected by Zimperium, steals PINs, SMS codes, and cryptocurrencies via 137 remote commands

June 17, 2026 · 4 min read

TL;DR: Rokarolla is an Android banking Trojan that attacks 217 apps, steals PINs and SMS, and controls the device with 137 commands. Detected by Zimperium, it poses a serious threat to mobile banking and cryptocurrencies.

What happened?

Zimperium's zLabs team has identified a new Android banking Trojan named Rokarolla, which currently targets 217 banking and cryptocurrency applications. The malware, named after its command-and-control infrastructure, supports 137 remote commands that allow attackers to take almost full control of the infected device. According to Zimperium's report, Rokarolla is distributed through malicious apps disguised as legitimate tools, such as QR scanners or office utilities, primarily downloaded from third-party app stores or via phishing campaigns. Once installed, it requests accessibility-service and screen-overlay permissions, which let it intercept passwords, capture the screen, and perform actions on the user's behalf without their knowledge.

Why is it important?

Rokarolla is not just another Trojan. Its ability to steal the screen lock PIN, read and send SMS messages, manipulate the clipboard, and access cryptocurrency wallets makes it a particularly dangerous tool. Additionally, it can perform unauthorized transfers and bypass SMS-based two-factor authentication. What sets Rokarolla apart is its arsenal of 137 commands, including functions such as remotely unlocking the device, making calls, recording audio, taking photos, and even removing security apps. This level of control exceeds that of earlier Trojans: Cerberus, for example, had around 50 commands and Anubis about 70. The inclusion of commands specific to cryptocurrencies, such as monitoring the clipboard for wallet addresses and spoofing transactions, indicates a deliberate focus on this high-value sector.

Consequences for users and businesses

For users, the risk is immediate: loss of banking credentials, drained accounts, and theft of cryptocurrency funds. Financial institutions face an increase in fraud and claims, as well as the need to strengthen their security measures, for example by implementing biometric authentication or push notifications instead of SMS codes. The malware could also spread further through malicious apps on unofficial stores or phishing campaigns. In the cryptocurrency market, Rokarolla could trigger a wave of mass thefts, similar to what happened with the EventBot Trojan in 2020, which affected over 200 financial apps. Rokarolla goes a step further, however, by integrating full remote-control capabilities that allow attackers to make real-time transfers without physical access to the device. Mobile security companies such as Zimperium are already updating their signature and behavior databases to detect this malware, but Rokarolla's polymorphic nature (it can modify its own code dynamically) makes identification difficult.

What should readers know?

  • Install apps only from Google Play Store and avoid unverified sources. Google Play Store has Google Play Protect, but it's not infallible; check reviews and permission requests.
  • Review app permissions: any request for accessibility or screen overlay should be scrutinized. Legitimate apps rarely need these permissions.
  • Use app-based two-factor authentication (like Google Authenticator or Authy) instead of SMS, as Rokarolla can intercept SMS messages.
  • Keep the system and apps updated to fix vulnerabilities. Android's monthly security updates are critical.
  • Install a trusted antivirus that detects banking Trojans. Solutions like Malwarebytes, Bitdefender, or Kaspersky offer real-time protection.
  • Be wary of links in emails or messages asking to install apps; always verify the source.

“Rokarolla represents a leap in the capability of Android banking Trojans, combining credential theft, remote control, and cryptocurrency manipulation in a single package.” — TheVortiq Analyst
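The permission pattern described above (a sideloaded app that holds an enabled accessibility service, the screen-overlay permission and SMS access) can be checked on a device with adb. The following triage heuristic is an added example written for this article, not code from Zimperium or the report; the app records, package names and severity thresholds are constructed assumptions, and in practice the fields would come from `pm list packages -3 -i`, `settings get secure enabled_accessibility_services` and the requested permissions in `dumpsys package <pkg>`.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"

# Permissions the article ties to Rokarolla's behaviour, with the reason reported.
RISKY_PERMISSIONS = {
    OVERLAY: "overlay permission (can draw fake login screens over banking apps)",
    "android.permission.RECEIVE_SMS": "can intercept incoming SMS one-time codes",
    "android.permission.READ_SMS": "can read stored SMS one-time codes",
}

# CONSTRUCTED sample of the enabled_accessibility_services secure setting:
# a colon-separated list of "package/service" entries.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.qrtools.scanfast/.a11y.HelperService"
)

@dataclass
class AppRecord:
    package: str
    installer: Optional[str]   # None when "installer=null", i.e. sideloaded
    permissions: Set[str]

# CONSTRUCTED inventory: a screen reader, a fictional sideloaded "QR scanner"
# that mirrors the article's Rokarolla lure, and a fictional banking app.
SAMPLE_APPS = [
    AppRecord("com.google.android.marvin.talkback", PLAY_STORE_INSTALLER, set()),
    AppRecord("com.qrtools.scanfast", None,
              {OVERLAY, "android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}),
    AppRecord("com.examplebank.mobile", PLAY_STORE_INSTALLER, {"android.permission.INTERNET"}),
]

def parse_enabled_a11y(value: str) -> Set[str]:
    """Return the package names that currently have an enabled accessibility service."""
    return {e.split("/", 1)[0] for e in value.split(":") if e.strip()}

def assess(app: AppRecord, a11y_pkgs: Set[str]) -> Tuple[str, List[str]]:
    """Rate one app: HIGH if it combines an enabled accessibility service with the
    overlay permission (the pattern the article describes), REVIEW if anything is
    notable, OK otherwise."""
    reasons = []
    if app.installer != PLAY_STORE_INSTALLER:
        reasons.append(f"installed by {app.installer or 'unknown source'}, not Google Play")
    if app.package in a11y_pkgs:
        reasons.append("has an enabled accessibility service")
    reasons += [why for perm, why in RISKY_PERMISSIONS.items() if perm in app.permissions]
    high = app.package in a11y_pkgs and OVERLAY in app.permissions
    return ("HIGH" if high else "REVIEW" if reasons else "OK"), reasons

def triage(apps: List[AppRecord], a11y_value: str) -> Dict[str, Tuple[str, List[str]]]:
    a11y = parse_enabled_a11y(a11y_value)
    return {app.package: assess(app, a11y) for app in apps}
```

A HIGH finding is a prompt to inspect the app, not proof of infection; screen readers and some automation tools legitimately use accessibility services.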

Historical context and comparison

Rokarolla joins a long list of banking Trojans such as Cerberus, Anubis, and TeaBot, but stands out for its extensive command set (137) and its focus on cryptocurrencies. The evolution of these malware families shows a trend toward modularity and evasion capability, demanding a coordinated response from the security industry. Compared to Gustuff, which in 2019 attacked 127 banking apps, Rokarolla nearly doubles that number and also covers cryptocurrency apps. It also surpasses BlackRock, which in 2020 had 50 commands and focused on credential theft. The emergence of Rokarolla coincides with the global rise in mobile financial fraud: according to an RSA Security report, attacks on banking apps grew by 38% in 2025. This suggests cybercriminals are investing more resources in Android, the most widely used mobile operating system with over 3 billion active devices. Additionally, Rokarolla uses advanced evasion techniques, such as code obfuscation and sandbox-environment checks, making analysis difficult in security labs. The industry's response has been the creation of coalitions such as the App Defense Alliance, which aim to share threat intelligence, but a global solution is still lacking. Meanwhile, users must adopt a proactive security posture, as early detection is the best defense against this type of Trojan.