Rokarolla: New Android Banking Trojan Disguises Itself as TikTok and Chrome
Zimperium’s zLabs identified Rokarolla, an Android banking trojan targeting 217 financial and cryptocurrency apps. The malware uses Android Accessibility Services to monitor screens, steal WhatsApp contacts, and deploy phishing overlays, while blocking bank fraud alerts by silencing incoming calls, according to Zimperium researchers.
How does the Rokarolla malware infect Android devices?
Rokarolla enters a device through malicious websites, such as infocontablidades[.]it[.]com, which trick users into downloading files disguised as popular apps like TikTok or Google Chrome. Once a user downloads the file, a “dropper” installs first. This initial stage disguises itself as a Google Play Protect security tool to convince the victim to install the primary Rokarolla payload.
What happens once Rokarolla gains Accessibility permissions?
The malware abuses Android Accessibility Services, originally designed for users with disabilities, to monitor the screen and capture touch coordinates in real time. According to Zimperium, Rokarolla then sets itself as the default application for SMS and phone calls, allowing it to intercept messages and calls without the user’s knowledge.
When a victim opens a legitimate banking app, the trojan queries its command-and-control (C&C) server for an HTML phishing page. It then overlays this fake screen on top of the real app to steal login credentials. The malware uses the same technique on the device lock screen, displaying a fake PIN request to capture the phone’s unlock password.
Why is this trojan more dangerous than standard banking malware?
Rokarolla differs from typical trojans by combining financial theft with total device surveillance. Zimperium researchers identified 137 different commands the malware can execute. These include a keylogger to record every keystroke and an automated interface reader that copies WhatsApp contact lists.

The malware also employs a technique called “Pseudo-VNC,” which takes frequent, small snapshots of the screen to monitor the victim discreetly. For cryptocurrency users, Rokarolla uses clipboard hijacking to replace a copied wallet address with one belonging to the criminals during a transfer.
What are the broader trends in mobile security for 2024?
The rise of Rokarolla reflects a growing trend in mobile-targeted social engineering. Randolph Barr, Chief Information Security Officer at Cequence Security, stated that over 4 million social engineering attacks targeted mobile devices in 2024. During the same period, approximately 33 million malware or adware incidents were blocked on mobile devices.
Barr notes that the risk increases as companies create more data validation points. Each integration is a potential vulnerability. He points out that many private companies lack the security maturity found in government systems, making them easier targets for API-based exploits and mobile trojans.
Comparing Mobile Threat Data (2024)
| Threat Type | Incidents (2024) | Primary Vector |
|---|---|---|
| Social Engineering | 4 Million+ | Phishing/Deception |
| Malware/Adware | 33 Million | Malicious Downloads |
How can users protect themselves from banking trojans?
Zimperium researchers advise users to avoid downloading files from third-party links or pop-up advertisements. Stick to official stores like the Google Play Store, though users should still verify app permissions before granting them.

Certain behavioral red flags can indicate an infection. If a phone refuses to turn off the screen or behaves erratically during input, it may be a sign that a trojan is forcing the screen to stay active to maintain background operations. Users should also be wary of any app asking for Accessibility Services that doesn’t have a clear, legitimate need for those features.
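The Accessibility and default-SMS checks described in this article can be run over settings text pulled from a device you administer. The script below is an added example, not Zimperium's tooling or code from the original article; the adb commands named in its docstring, the allowlist and the sample package names are assumptions.

```python
"""Triage for the two privileges the article describes (Accessibility + default SMS).
Inputs are text captured from a device you administer. Assumed collection commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure sms_default_application
  adb shell pm list packages -i
"""
PLAY_STORE = "com.android.vending"

def accessibility_packages(setting):
    """Parse the colon-separated 'package/service' list; 'null' or empty means none."""
    setting = setting.strip()
    if not setting or setting == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}

def installers(pm_output):
    """Map package -> installer from 'package:NAME  installer=NAME' lines."""
    result = {}
    for line in pm_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].startswith("package:") and parts[1].startswith("installer="):
            result[parts[0][len("package:"):]] = parts[1][len("installer="):]
    return result

def triage(a11y, default_sms, pm_output, allowlist):
    """Findings for non-allowlisted packages that have an enabled accessibility service."""
    inst = installers(pm_output)
    findings = []
    for pkg in sorted(accessibility_packages(a11y) - allowlist):
        reasons = ["accessibility service enabled"]
        if inst.get(pkg, "null") != PLAY_STORE:
            reasons.append("not installed by Play Store")
        if pkg == default_sms.strip():
            reasons.append("is default SMS app")
        findings.append({"package": pkg, "reasons": reasons,
                         "priority": "high" if len(reasons) > 1 else "review"})
    return findings

# Constructed sample data; package names are made up for illustration.
SAMPLE_A11Y = "com.google.android.marvin.talkback/.TalkBackService:com.example.updater/com.example.updater.Svc"
SAMPLE_SMS = "com.example.updater\n"
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.updater  installer=null
package:com.example.notes  installer=com.android.vending"""
ALLOW = {"com.google.android.marvin.talkback"}  # services the owner knowingly enabled

if __name__ == "__main__":
    for f in triage(SAMPLE_A11Y, SAMPLE_SMS, SAMPLE_PM, ALLOW):
        print(f["priority"], f["package"], "; ".join(f["reasons"]))
```

A "high" finding means an app outside the allowlist combines an enabled accessibility service with a non-Play installer or the default SMS role, and it warrants manual review rather than proving infection.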
Frequently Asked Questions
What is Rokarolla?
It’s an Android banking trojan that steals financial data and monitors device activity using Accessibility Services.
How does it steal crypto?
It uses clipboard hijacking to swap the recipient’s wallet address with the attacker’s address during a transaction.
Can Google Play Protect stop it?
Rokarolla specifically attempts to disable real Google Play Protect scans and uses a fake version of the tool to trick users during installation.
What is Pseudo-VNC?
It’s a surveillance technique where the malware takes frequent screen snapshots to monitor the user without being detected.