New Rokarolla Android Trojan Targets 217 Banking and Crypto Apps


Rokarolla Android malware targets 217 banking and crypto apps, steals credentials, blocks bank calls, intercepts SMS, and disables Play Protect.

Zimperium’s zLabs researchers have published a detailed analysis of Rokarolla, a new Android banking trojan named after its command-and-control infrastructure. It spreads through malicious websites masquerading as TikTok and Chrome, one confirmed distribution point being hxxps://infocontablidades[.]it[.]com/. The first thing a victim installs is a dropper that masquerades as Google Play Protect, a choice intended to avoid raising suspicion.

“Primarily distributed through malicious websites such as hxxps[://]infocontablidades[.]it[.]com/, where it masquerades as popular applications like TikTok or Google Chrome, this highly invasive malware is specifically designed to target and compromise 217 distinct cryptocurrency and banking applications,” reads the report published by Zimperium. “Furthermore, the trojan actively conceals its operations and disrupts user intervention by blocking incoming calls, deploying fraudulent screen overlays, suppressing device audio, and deactivating Google Play Protect.”

The dropper’s job is simple: get the second-stage payload installed and obtain Accessibility Services access. Once Accessibility is granted, everything else follows. The malware can simulate user taps, parse on-screen UI elements, inject overlays on top of legitimate apps, and execute automated actions without the user touching the screen. One of its 137 commands then disables Google Play Protect, removing the very protection the dropper impersonated to get installed in the first place.

The target list is pulled dynamically from the C2 server. For each flagged app, the malware downloads a fake HTML login page and stores it in a local SQLite database. When the victim opens the real app, Rokarolla draws the fake page on top and captures every credential entered, card numbers included.

The lock screen gets the same treatment.
The malware deploys a fake PIN entry screen that mimics Android’s legitimate lock screen interface. Whatever the victim types is sent to attacker infrastructure. “Any credentials entered by the user are captured by this deceptive UI (Figure 6) and subsequently exfiltrated to attacker-controlled infrastructure for further exploitation,” continues the report. “This information allows the malicious actor to execute commands even if the device is locked.”

That is the detail that makes this more than a credential stealer: the operator can interact with the phone whether the owner is actively using it or not.

SMS handling is another pillar of the attack. Rokarolla reads every message on the device and can send messages on the victim’s behalf, which is enough to intercept the one-time codes banks send to approve logins and transactions. It also requests default call handler status, which lets it block incoming calls silently. A warning call from a fraud detection team never rings. The malware also mutes all device audio and vibrations during active operations, so notification sounds that might alert the user don’t fire either.

“Complementing this visual evasion, the malware is capable of muting all device audio and vibrations, ensuring it operates in complete silence during fraudulent activities. This audio suppression effectively masks critical cues, such as security alert notifications or incoming verification calls from banking institutions, significantly reducing the likelihood of the user noticing or interrupting the transaction process,” continues the analysis. “To maintain operational persistence, the malware also forces the device screen to remain on indefinitely. This mechanism ensures that its fraudulent UI overlays, automated actions, and background processes are not disrupted by screen timeouts or the device locking.”

The clipboard gets rewritten silently.
When a user copies a cryptocurrency wallet address to paste into a transaction, Rokarolla swaps it for an attacker-controlled address with no visible indication that anything changed. The keylogger and screen content logger run in parallel, capturing everything typed and everything displayed. WhatsApp contact data is scraped by parsing on-screen UI nodes and comparing them against known WhatsApp interface terms such as “Chats” and “Calls.”

For screen surveillance, Rokarolla avoids the MediaProjection API, which shows a visible recording notification that would tip off the user. “Unlike conventional Android malware that relies on the MediaProjection API for continuous screen casting (VNC), this variant employs an alternative snapshot-based surveillance mechanism,” states the report. “The malware systematically captures screenshots of the victim’s device, compresses them into PNG format, and exfiltrates the image data alongside a precise timestamp. Following each transmission, the execution state is reset and a cleanup routine is invoked, ensuring the system maintains operational stability and is ready for the subsequent capture cycle.”

Frame by frame, quietly, with no visible indicator.

The C2 infrastructure is built with resilience in mind. The malware ships with multiple fallback domains hardcoded and can receive a fresh list of active C2 addresses at any time via the server’s configuration response. Taking one server down doesn’t interrupt operations. The four domains observed in traffic analysis are beralisvc.info, blestorians.cfd, abiorime.cfd, and morevoms.cfd, with the C2 domain at hxxps://beralisvc[.]info confirmed as active during analysis.

The experts noted that no product flaw is involved here, so there’s no patch to apply.
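Because the C2 list rotates and the report publishes its indicators in defanged form, a practical first step for defenders is to refang the published domains and sweep DNS logs for lookups of them or their subdomains. The script below is an added example, not code from the article or from Zimperium; the dnsmasq-style log lines are constructed for illustration, and the log format is an assumption.

```python
import re

# Indicators quoted in the article, kept in their published (defanged) form.
DEFANGED_IOCS = [
    "hxxps://infocontablidades[.]it[.]com/",
    "hxxps://beralisvc[.]info",
    "blestorians[.]cfd",
    "abiorime[.]cfd",
    "morevoms[.]cfd",
]


def refang(indicator: str) -> str:
    """Convert a defanged URL or domain into a bare, lower-case hostname."""
    s = indicator.strip()
    s = s.replace("hxxps[://]", "https://").replace("hxxp[://]", "http://")
    s = s.replace("hxxps://", "https://").replace("hxxp://", "http://")
    s = s.replace("[.]", ".").replace("(.)", ".")
    s = re.sub(r"^[a-z]+://", "", s)   # drop the scheme
    return s.split("/")[0].lower()     # drop any path, keep the host


C2_HOSTS = {refang(i) for i in DEFANGED_IOCS}


def host_matches(host: str) -> bool:
    """True for an exact C2 host or any subdomain of one (not mere suffix overlap)."""
    host = host.lower().rstrip(".")
    return any(host == c2 or host.endswith("." + c2) for c2 in C2_HOSTS)


# Constructed sample log in a dnsmasq-like "query[TYPE] host from client" layout (assumption).
SAMPLE_LOG = """\
Mar 03 10:01:02 dnsmasq[812]: query[A] www.google.com from 10.0.0.23
Mar 03 10:01:09 dnsmasq[812]: query[A] beralisvc.info from 10.0.0.23
Mar 03 10:02:44 dnsmasq[812]: query[A] api.blestorians.cfd from 10.0.0.23
Mar 03 10:03:01 dnsmasq[812]: query[A] notblestorians.cfd from 10.0.0.23
Mar 03 10:04:17 dnsmasq[812]: query[A] infocontablidades.it.com from 10.0.0.41
"""

QUERY_RE = re.compile(r"query\[\w+\]\s+(\S+)\s+from\s+(\S+)")


def find_c2_lookups(log_text: str) -> list:
    """Return (client, host) pairs for every query that hits a known C2 domain."""
    hits = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and host_matches(m.group(1)):
            hits.append((m.group(2), m.group(1)))
    return hits


if __name__ == "__main__":
    for client, host in find_c2_lookups(SAMPLE_LOG):
        print(f"{client} resolved Rokarolla C2 domain {host}")
```

Any client that appears in the output warrants a check of the device for an app holding Accessibility Services or default SMS/call handler roles, as described in the report.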
The defenses are the standard ones: install apps only from Google Play, never grant Accessibility Services to anything that isn’t a known assistive tool, and treat any app that asks to become your default SMS or call handler as an immediate red flag. Zimperium says its Mobile Threat Defense and zDefend products detect Rokarolla, and the full IOC list, including APK hashes, is published on the company’s GitHub repository. No attribution to a named group has been made.

“The malware demonstrates strong stealth, evasion, and persistence techniques designed to avoid detection and prevent user-initiated removal,” concludes the report. “Furthermore, the malware employs multiple techniques to operate completely under the radar.”

Pierluigi Paganini