Rokarolla is a newer malware that focuses on Android devices. Unlike some malware, Rokaarolla narrows down the attacks to banking and social media apps. It’s a Trojan that has already hit around 200 crypto and banking apps on Androis and the sole goal is to steal all of the user sensitive information.
Rokarolla was discovered by Zimperium, researchers in the security field, who indicated that the malware may have started to spread to devices through apps such as Tik Tok, Google, and Chrome. However, they weren’t the “real” apps, just apps designed to look like the originals. Fake apps were cleverly crafted so that users would fall for the trap. The malware wasn’t found in Google Play and was only in sources outside of legitimate Android apps.
Rokarolla accesses a target list that it pulls from its server. For every flagged app that’s active it will download a false HTML login page. These are stored in a local database so that when a user opens a legitimate wallet or banking app, the malware exhibits the fake page and entraps all info that’s typed, including details for cards and banking. Since it reads SMS, that includes any failsafe codes a bank will send for identity verification and then sends validation to access an account. Another devious action that it can take is to block all incoming calls, so a confirmation bank call will never be allowed to get through.
For Android users, the sensitive information that is stolen includes credentials for logins. Once they get the data they sell it to data brokers and Android users can see major financial losses. In addition to logins, the malware steals PINS and sends and reads SMS. Rokarolla smartly turns off the Google Play Protect, allowing the malware complete control over a device. Rokarolla also accesses contacts, reads notifications, and rewrites wallet addresses so funds are transferred to a bogus account not belonging to the user.
Rokarolla has a huge number of default C2 domains giving it the ability to transition to a new one on the fly. This destroys any action that might be taken to remove one server as it will just switch to a new one.
What can you do?
The first thing Android users can take action on is to install Android 17, if your device is compatible. Android users can also avoid installation of apps that don’t come directly from Google Play. You can also ensure that the source you are accessing APK files is a trusted one that doesn’t spread these kinds of files. Another action that users can take is to be aware of any of the potential “signs.” Rokarolla asks for Accessibility Services permission as well as other permissions that typically aren’t a requirement. Any time you see any unusual requests or differences, this should be a red flag that something isn’t quite right. Being proactive to protect your financial and personal data is a priority.
“DaVinci Cybersecurity is on a continual watch to inform our communities of any and all new cyber dangers that can be of harm. Malware designers are becoming more and more sophisticated and everyone needs to be on the alert.”
– Sharon Knowles, CEO DaVinci Cybersecurity
Source:
https://share.newsbreak.com/irtvhh16
https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html


