Rokarolla Android banking trojan targets banks via fake TikTok and Chrome apps

breach · open · Jun 16, 2026 — Jun 17, 2026
The Rokarolla Android banking Trojan has been spotted targeting 217 banking and cryptocurrency applications by masquerading as legitimate TikTok and Google Chrome downloads, according to research from Zimperium’s zLabs team published on their blog. The malware arrives through deceptive websites that mimic popular app stores, tricking users into installing a dropper that poses as Google Play Protect to gain deep system access.

Once installed, Rokarolla requests accessibility permissions, which it abuses to overlay fraudulent login screens on top of genuine apps, intercept SMS messages and silently rewrite clipboard contents. It can also block incoming calls, mute device sounds and disable notifications, preventing victims from noticing fraudulent activity while the Trojan performs its theft.

The Trojan’s arsenal includes 137 distinct commands that allow it to simulate user taps, capture timestamped screenshots and attempt to disable built‑in protections such as Google Play Protect. These capabilities give attackers near‑complete control of the infected device, enabling them to drain accounts and harvest credentials without the user’s knowledge, as highlighted by Dark Reading.

Zimperium’s findings, also reported by Security Affairs and Infosecurity Magazine, show that the campaign relies on fake download pages that closely resemble the official TikTok and Chrome portals. No CVEs have been assigned to the underlying vulnerabilities and no specific threat actor has been linked to the distribution so far.

Defenders should treat any request for accessibility services from an unfamiliar app as a red flag and refuse permission unless the source is unequivocally trusted. Installing applications exclusively from the Google Play Store or other vetted marketplaces reduces the risk of encountering the Trojan’s dropper. Employing a mobile threat defence solution that monitors for overlay abuse, anomalous accessibility usage and unauthorized SMS interception can help detect the malware before it completes its payload.

Keeping the operating system and security patches up to date, regularly reviewing app permissions and educating users about the dangers of sideloading apps from unofficial sites are practical steps that limit the exposure to Rokarolla and similar threats. Vigilance remains essential as attackers continue to refine social engineering lures that mimic popular services to compromise mobile devices.
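The permission review and red flags described above can be turned into a simple inventory triage. This is an added example, not code from Zimperium's report or from this page's sources. The record layout (as from a hypothetical MDM export), the function names and the three-flag threshold are assumptions, and the sample rows are constructed.

```python
# Triage a device app inventory for the traits this briefing describes.
# Record fields (label, package, installer, accessibility, permissions) are hypothetical.
PLAY_STORE = "com.android.vending"
# Genuine package names for the brands this campaign imitates.
BRANDS = {
    "tiktok": {"com.zhiliaoapp.musically", "com.ss.android.ugc.trill"},
    "chrome": {"com.android.chrome"},
}
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"


def findings(app):
    """Return the list of red flags for one inventory record."""
    flags = []
    label = app["label"].lower()
    for brand, genuine in BRANDS.items():
        if brand in label and app["package"] not in genuine:
            flags.append(f"label imitates {brand}")
    if app.get("installer") != PLAY_STORE:
        flags.append("sideloaded")
    if app.get("accessibility"):
        flags.append("accessibility service enabled")
    perms = set(app.get("permissions", []))
    if perms & SMS:
        flags.append("SMS access")
    if OVERLAY in perms:
        flags.append("overlay permission")
    return flags


def triage(inventory, threshold=3):
    """Map package -> flags for sideloaded apps with at least `threshold` flags."""
    scored = ((app["package"], findings(app)) for app in inventory)
    return {p: f for p, f in scored if "sideloaded" in f and len(f) >= threshold}


SAMPLE = [  # constructed records, not real indicators
    {"label": "Chrome", "package": "com.android.chrome", "installer": PLAY_STORE,
     "accessibility": False, "permissions": []},
    {"label": "TikTok", "package": "com.example.ttk.update", "installer": None,
     "accessibility": True, "permissions": ["android.permission.RECEIVE_SMS", OVERLAY]},
    {"label": "Screen Reader", "package": "com.example.reader", "installer": PLAY_STORE,
     "accessibility": True, "permissions": []},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A legitimate accessibility tool installed from the Play Store raises a single flag and stays below the threshold, so the output is a shortlist for manual review rather than a verdict.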

Intelligence briefing updated Jun 17, 2026

Root source: zimperium.com