TikTok and Google: Android Banker Rokarolla Uses Fake Overlays to Steal PINs, Passwords, and Crypto Wallet Data

New Android Banking Trojan "Rokarolla" Targets 217 Financial Apps in Sophisticated Fraud Campaign

A newly discovered Android banking trojan, Rokarolla, is actively draining victim accounts by targeting 217 banking and cryptocurrency applications through a multi-stage attack chain. Named after its primary Command and Control (C2) infrastructure, the malware spreads via malicious phishing websites impersonating legitimate download portals for apps like TikTok and Google Chrome.

Once installed, Rokarolla deploys a deceptive dropper that tricks users into installing a secondary payload disguised as Google Play Protect to bypass security restrictions. The malware then exploits Android’s Accessibility Services, granting it deep control over the device, including the ability to click through prompts, read on-screen content, and maintain persistence without user interaction.

At the heart of its operation, Rokarolla uses fraudulent screen overlays to intercept credentials. When a victim opens a targeted financial app, the trojan dynamically injects a fake HTML-based phishing page over the legitimate interface, capturing login details, PINs, and credit card information. It also mimics the Android lock screen to harvest the device PIN or swipe pattern, giving the attackers the unlock credential for the device itself.

Beyond credential theft, Rokarolla employs a pseudo-VNC mechanism, silently capturing and exfiltrating timestamped screenshots, and abuses the device clipboard to swap cryptocurrency wallet addresses in real time, so a copied destination address is replaced before the victim confirms the transfer.

Security researchers have identified malicious distribution URLs (e.g., hxxps[://]infocontablidades[.]it[.]com/) and the active C2 domain (beralisvc.info), with Indicators of Compromise (IOCs) available for further analysis. The trojan supports 137 operator commands, giving its controllers enough remote control over the device to commit financial fraud that the victim is unlikely to notice, which makes it a severe threat to Android users.

Source: https://cyberpress.org/rokarolla-steals-android-credentials/

TikTok TPRM report: https://www.rankiteo.com/company/tiktok

Google TPRM report: https://www.rankiteo.com/company/google

{
  "id": "gootik1781684782",
  "linkid": "google, tiktok",
  "type": "Cyber Attack",
  "date": "6/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}

{
  "affected_entities": [
    {
      "customers_affected": "Users of 217 targeted banking and cryptocurrency apps",
      "industry": "Banking, Financial Services, Cryptocurrency",
      "type": "Financial institutions, cryptocurrency platforms"
    }
  ],
  "attack_vector": "Malicious phishing websites, dropper payloads, Accessibility Services exploitation",
  "data_breach": {
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "Login credentials",
      "PINs",
      "Credit card information",
      "Cryptocurrency wallet addresses",
      "Screenshots with timestamps"
    ]
  },
  "description": "A newly discovered Android banking trojan, Rokarolla, is actively draining victim accounts by targeting 217 banking and cryptocurrency applications through a multi-stage attack chain. The malware spreads via malicious phishing websites impersonating legitimate download portals for apps like TikTok and Google Chrome. Once installed, Rokarolla deploys a deceptive dropper that tricks users into installing a secondary payload disguised as Google Play Protect to bypass security restrictions. The malware exploits Android’s Accessibility Services to gain deep control over the device, including clicking through prompts, reading on-screen content, and maintaining persistence. It uses fraudulent screen overlays to intercept credentials, dynamically injects fake HTML-based phishing pages, and mimics the Android lock screen to steal PINs and swipe patterns. Rokarolla also employs a pseudo-VNC mechanism to capture screenshots and abuses the device clipboard to swap cryptocurrency wallet addresses in real time.",
  "impact": {
    "data_compromised": "Login credentials, PINs, credit card information, cryptocurrency wallet addresses, screenshots with timestamps",
    "financial_loss": "Account draining, fraudulent transactions",
    "identity_theft_risk": "High",
    "operational_impact": "Unauthorized access to financial apps, real-time transaction interception",
    "payment_information_risk": "High",
    "systems_affected": "Android devices"
  },
  "initial_access_broker": {
    "backdoors_established": "Secondary payload disguised as Google Play Protect",
    "entry_point": "Malicious phishing websites",
    "high_value_targets": "Banking and cryptocurrency apps"
  },
  "motivation": "Financial gain",
  "post_incident_analysis": {
    "root_causes": "Exploitation of Android Accessibility Services, lack of user awareness, malicious phishing websites"
  },
  "references": [
    {"source": "Security researchers", "url": "hxxps[://]infocontablidades[.]it[.]com/"},
    {"source": "C2 domain", "url": "beralisvc.info"}
  ],
  "title": "New Android Banking Trojan 'Rokarolla' Targets 217 Financial Apps in Sophisticated Fraud Campaign",
  "type": "Banking Trojan",
  "vulnerability_exploited": "Android Accessibility Services, lack of user awareness"
}