New Android trojan Rokarolla takes over phones to loot 200 apps

Researchers have detailed a new Android banking trojan, called Rokarolla, that can effectively hijack a phone, steal login details for more than 200 banking and cryptocurrency apps, and quietly watch much of what the owner does. It is a pointed reminder that the most dangerous mobile malware rarely arrives from the official app store.

What it steals and how

When a victim opens one of the apps on Rokarolla's target list, the malware downloads a matching fake login page and draws it on top of the real app. Anything typed into that overlay (usernames, passwords, card numbers) goes straight to the attackers. Fake lock-screen overlays also capture the device PIN, pattern or password.

Rokarolla leans heavily on Android's Accessibility features, the powerful tools meant to help people with disabilities, to monitor activity across the whole device. It can read and send SMS messages (useful for intercepting one-time passcodes and two-factor codes), recognize WhatsApp screens to scrape contacts, take over calls and texts to suppress fraud alerts, and log everything typed or shown on screen. If the victim copies a cryptocurrency wallet address, the malware can silently swap it for the attacker's. It can also hide its own icon, silence the device, and switch off Google Play Protect to stay out of sight.

How it spreads

Rokarolla is distributed through rogue websites that pose as popular apps such as TikTok or Chrome and push victims to sideload the file rather than visit Google Play. Once installed, the fake app masquerades as Google Play Protect and downloads the real payload, then asks for sweeping permissions (Accessibility access, SMS access and notification access) that many users grant without a second thought. Fake apps pushed through search ads and rogue sites remain a recurring lure; criminals recently ran thousands of fake ad campaigns across Asia Pacific.

What you should do

Never install something that claims to be "Google Play Protect" or another system component; you should never need to add those manually. Avoid sideloading apps that are already on Google Play, and be deeply suspicious of any app that requests Accessibility access without a clear reason. If a banking or crypto login screen looks off, or you see multiple prompts, close the app and reopen it from its official icon.
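The combination the briefing warns about, a sideloaded app that has been granted Accessibility access, can be checked for on a device you administer. The script below is an added triage example, not part of the original briefing or any IntelFusions tooling: it parses the text of two adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags any package with an enabled Accessibility service that was not installed from Google Play. The package names in the sample output are constructed for illustration.

```python
"""Flag sideloaded Android packages that hold an enabled Accessibility service.

Input is the raw text of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
Constructed sample output is embedded below so the script runs offline.
"""
from dataclasses import dataclass

# Installer package names treated as trusted store channels. Any other
# installer, or none at all ("null"), means the APK was sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play


@dataclass(frozen=True)
class Finding:
    package: str
    installer: str
    service: str


def parse_enabled_services(raw: str) -> dict[str, str]:
    """Map package -> service from the colon-separated 'pkg/Service' setting."""
    services = {}
    for entry in raw.strip().split(":"):
        if "/" in entry:
            pkg, svc = entry.split("/", 1)
            services[pkg] = svc
    return services


def parse_installers(raw: str) -> dict[str, str]:
    """Map package -> installer from 'package:<pkg>  installer=<pkg>' lines."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition(" ")
        installers[pkg] = rest.strip().removeprefix("installer=") or "null"
    return installers


def flag_sideloaded_accessibility(services_raw: str, packages_raw: str) -> list[Finding]:
    """Return packages with an enabled Accessibility service not installed from a trusted store."""
    installers = parse_installers(packages_raw)
    return [
        Finding(pkg, installers.get(pkg, "null"), svc)
        for pkg, svc in parse_enabled_services(services_raw).items()
        if installers.get(pkg, "null") not in TRUSTED_INSTALLERS
    ]


# Constructed sample output (placeholder package names, not real device data).
SAMPLE_SERVICES = "com.example.screenreader/.ReaderService:com.example.playprotect.update/.A11y"
SAMPLE_PACKAGES = """package:com.example.screenreader  installer=com.android.vending
package:com.example.playprotect.update  installer=null
package:com.example.bank  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in flag_sideloaded_accessibility(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"SUSPICIOUS: {f.package} (installer={f.installer}) service={f.service}")
```

A legitimate screen reader installed from Google Play passes; the sideloaded app with no installer and an enabled Accessibility service is the one reported.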

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.

Read the full analysis on IntelFusions