Last updated: July 5, 2026 at 9:01 AM UTC
Tag: banking-trojan (2 articles)

Rokarolla Android trojan hits 217 banking and crypto apps with full device control

Zimperium's zLabs has documented Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency apps and accepts 137 remote commands, giving an operator near-total control of an infected phone. It captures lock-screen PINs, reads and sends text messages to intercept one-time codes, rewrites the clipboard to redirect cryptocurrency payments to attacker wallets, and disables Google Play Protect. It spreads through malicious websites posing as popular apps such as TikTok and Chrome; the initial dropper is itself disguised as Google Play Protect and abuses the Accessibility permission it talks the victim into granting. The actual theft uses fake login overlays drawn on top of the real banking apps, and surveillance relies on screenshots taken silently through the Accessibility service.

Check
Ensure mobile users install apps only from official stores, keep Google Play Protect on, and treat any app requesting Accessibility access, especially a fake Play Protect prompt, as suspicious.
Affected
Android users who side-load apps from links or sites impersonating TikTok, Chrome, or other popular apps; customers of the 217 targeted banking and cryptocurrency apps are the financial target.
Fix
There is no patch since this is malware. Install only from official app stores, keep Play Protect enabled, deny Accessibility access to untrusted apps, and use mobile threat defense on managed devices.
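One concrete way to act on the Check above on managed devices: pull the package list and the enabled accessibility services over adb and flag any app that holds Accessibility access but was not installed by the Play Store. The script below is an added example, not Zimperium's tooling; it parses the text printed by `adb shell pm list packages -i` and `adb shell settings get secure enabled_accessibility_services`, the sample output is constructed, the package names in it are hypothetical, and treating only `com.android.vending` as a trusted installer is an assumption (add your MDM or OEM store if it installs apps).

```python
"""Triage adb output for side-loaded apps that hold Accessibility access.

Added example, not code from Zimperium or the original page. The sample
output below is constructed; package names are hypothetical.
"""
import re
from typing import Dict, List, Set, Tuple

# Installers we trust. Only the Play Store by default (assumption); an MDM or
# OEM store would be added here. Sideloads show the system package installer
# or "null" (adb install / unknown).
TRUSTED_INSTALLERS = {"com.android.vending"}

# Line shape of `pm list packages -i`: "package:<pkg>  installer=<installer>"
PKG_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map package name -> installer package ('null' when unknown)."""
    result: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = PKG_RE.match(line.strip())
        if m:
            result[m.group(1)] = m.group(2)
    return result


def parse_accessibility_services(setting: str) -> Set[str]:
    """Packages owning an enabled accessibility service.

    The setting is a colon-separated list of "pkg/ServiceClass" entries,
    or "null" when nothing is enabled.
    """
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def triage(pm_output: str, a11y_setting: str,
           trusted: Set[str] = TRUSTED_INSTALLERS) -> List[Tuple[str, str]]:
    """Return (package, installer) for every app with Accessibility access
    that did not come from a trusted installer."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg in sorted(parse_accessibility_services(a11y_setting)):
        installer = installers.get(pkg, "unknown")
        if installer not in trusted:
            findings.append((pkg, installer))
    return findings


# Constructed sample output (not from a real device).
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.chrome  installer=com.android.vending
package:com.example.securityupdate  installer=com.google.android.packageinstaller
package:com.example.notes  installer=null
"""
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securityupdate/com.example.securityupdate.svc.Helper"
)

if __name__ == "__main__":
    for pkg, installer in triage(SAMPLE_PM, SAMPLE_A11Y):
        print(f"REVIEW {pkg}: accessibility service enabled, installer={installer}")
```

A legitimate screen reader installed from the Play Store (TalkBack in the sample) is left alone; an app that arrived through the system package installer from a browser download and then enabled an accessibility service is exactly the Rokarolla dropper pattern and is reported for review.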

Grandoreiro banking trojan and BTMOB Android RAT hit Iberia and Latin America - DLL side-loading, WebRTC P2P, targets Wise and Revolut

WatchGuard and ESET have documented two parallel banking-malware campaigns hitting Windows and Android users across Iberia and Latin America. The Windows campaign delivers Grandoreiro, an actively evolving banking trojan operating since 2016 that targets thousands of institutions across 45 countries, by side-loading malicious DLLs into four legitimate applications. The DLLs are built with Delphi 11 and abuse the sgcWebSockets library to run WebRTC peer-to-peer C2 over STUN and ICE, so the command channel blends in with web-conferencing traffic. Named targets include Abanca, Banco de Portugal, BBVA PT, Caixa Geral, Santander, plus Revolut and Wise. A companion campaign delivers the BTMOB RAT to Android users in Brazil.

Check
Hunt Windows endpoints for side-loaded copies of mingwm10.dll, libwebp.dll, libffi-6.dll, or libpng15.dll. All four are legitimate library names shipped by many applications, so the file name alone is not a verdict: look for copies that are unsigned, sit in user-writable directories (Temp, AppData, Downloads) beside an executable that loads them, or match the vendor-published hashes. Inspect outbound WebRTC/STUN/ICE traffic to unexpected peers, especially from processes that are not conferencing clients. Check for Delphi-built DLLs.
Affected
Banking customers and finance staff in Spain, Portugal, Mexico (Windows/Grandoreiro) and Brazil (Android/BTMOB). Named targets include Abanca, Santander, Banco de Portugal, Revolut, and Wise.
Fix
Apply WatchGuard and ESET IoCs. Block known C2 peers. Train finance staff against phishing links delivering ZIP archives. Deploy mobile threat defense on Android devices accessing banking apps.
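Detection logic for the DLL side-loading hunt in the Check above, run over Sysmon ImageLoad (Event ID 7) records. This is an added example, not WatchGuard's or ESET's tooling. The Sysmon field names (Image, ImageLoaded, Signed, Hashes) are the real ones; the event records, the "expected" library roots and the single IoC hash are constructed for the demonstration and are not real indicators (replace the hash set with the vendor IoC lists). Because all four DLL names are legitimate, the score comes from where the file sits, whether it is signed and whether its hash is known bad, not from the name.

```python
"""Hunt Sysmon ImageLoad (Event ID 7) records for side-loaded DLLs.

Added example, not code from WatchGuard, ESET or the original page.
Records, expected roots and the IoC hash below are constructed.
"""
import re
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# DLL names from the Check; all are legitimate library names, so the name
# alone never produces a finding.
SIDELOAD_DLLS = {"mingwm10.dll", "libwebp.dll", "libffi-6.dll", "libpng15.dll"}

# Where a benign copy of these libraries normally lives (assumption; tune per estate).
EXPECTED_ROOTS = (r"c:\program files", r"c:\windows")

# Known-bad SHA256 values from the vendor IoC lists go here. Placeholder, constructed.
IOC_SHA256 = {"deadbeef" * 8}

HASH_RE = re.compile(r"SHA256=([0-9A-Fa-f]{64})")


def sha256_of(record: Dict[str, str]) -> str:
    """Pull the SHA256 out of Sysmon's 'Hashes' field (e.g. 'MD5=..,SHA256=..')."""
    m = HASH_RE.search(record.get("Hashes", ""))
    return m.group(1).lower() if m else ""


def assess(record: Dict[str, str]) -> List[str]:
    """Reasons this image load is suspicious; empty list means not a finding."""
    loaded = PureWindowsPath(record.get("ImageLoaded", ""))
    if loaded.name.lower() not in SIDELOAD_DLLS:
        return []
    reasons: List[str] = []
    if not str(loaded).lower().startswith(EXPECTED_ROOTS):
        reasons.append(f"loaded from unexpected location {loaded.parent}")
    if record.get("Signed", "").lower() != "true":
        reasons.append("DLL is unsigned")
    if sha256_of(record) in IOC_SHA256:
        reasons.append("SHA256 matches IoC list")
    # The side-loading pattern proper: the DLL sits beside the host EXE that
    # loaded it. Only worth noting once another signal is present, since
    # benign bundled libraries live there too.
    host = PureWindowsPath(record.get("Image", ""))
    if reasons and host.parent == loaded.parent:
        reasons.append(f"sits beside host executable {host.name}")
    return reasons


def hunt(records: Iterable[Dict[str, str]]) -> List[Tuple[str, str, List[str]]]:
    """(host image, loaded DLL, reasons) for every suspicious record."""
    findings = []
    for rec in records:
        reasons = assess(rec)
        if reasons:
            findings.append((rec.get("Image", ""), rec.get("ImageLoaded", ""), reasons))
    return findings


# Constructed Sysmon Event ID 7 records; paths, names and hashes are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\ImageTool\imagetool.exe",
     "ImageLoaded": r"C:\Program Files\ImageTool\libpng15.dll",
     "Signed": "true", "Hashes": "SHA256=" + "a1" * 32},
    {"Image": r"C:\Users\ana\AppData\Local\Temp\Fatura\viewer.exe",
     "ImageLoaded": r"C:\Users\ana\AppData\Local\Temp\Fatura\libwebp.dll",
     "Signed": "false", "Hashes": "MD5=" + "0" * 32 + ",SHA256=" + "deadbeef" * 8},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll",
     "Signed": "true", "Hashes": "SHA256=" + "b2" * 32},
    {"Image": r"C:\Users\ana\Downloads\tool\tool.exe",
     "ImageLoaded": r"C:\Users\ana\Downloads\tool\mingwm10.dll",
     "Signed": "false", "Hashes": "SHA256=" + "c3" * 32},
]

if __name__ == "__main__":
    for image, dll, reasons in hunt(SAMPLE_EVENTS):
        print(f"{image} -> {dll}")
        for r in reasons:
            print(f"    - {r}")
```

In the constructed set the signed copy of libpng15.dll under Program Files produces nothing, while the libwebp.dll dropped into Temp next to an unsigned viewer.exe is reported on all four signals, and a mingwm10.dll in Downloads with no IoC match still surfaces on location and signature alone, which is the case the vendor hash lists will not catch once the sample is rebuilt.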