Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: accessibility (1 article)Clear

Rokarolla Android trojan hits 217 banking and crypto apps with full device control

Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It lifts lock-screen PINs, reads and sends text messages to grab one-time codes, rewrites the clipboard to redirect cryptocurrency payments, and disables Google Play Protect. It spreads through malicious websites posing as popular apps like TikTok and Chrome, starting with a dropper disguised as Google Play Protect that abuses Accessibility permissions. The actual theft uses fake login overlays placed on top of real banking apps, and surveillance relies on quiet Accessibility screenshots.

Check
Ensure mobile users install apps only from official stores, keep Google Play Protect on, and treat any app requesting Accessibility access, especially a fake Play Protect prompt, as suspicious.
Affected
Android users who side-load apps from links or sites impersonating TikTok, Chrome, or other popular apps; customers of the 217 targeted banking and cryptocurrency apps are the financial target.
Fix
There is no patch since this is malware. Install only from official app stores, keep Play Protect enabled, deny Accessibility access to untrusted apps, and use mobile threat defense on managed devices.