Overview
- Zimperium publicly disclosed Rokarolla in mid‑June (June 16–17), saying the trojan targets 217 banking and cryptocurrency apps and exposes infected phones to long‑running financial fraud.
- Operators spread Rokarolla through malicious websites that offer fake TikTok or Chrome APKs and a dropper that impersonates Google Play Protect to install the second‑stage payload via sideloading.
- Once installed, the malware requests Accessibility and other privileges, then injects convincing HTML overlays and fake lock‑screen prompts, logs keystrokes, takes timestamped screenshots and rewrites the clipboard to capture credentials and divert crypto payments.
- Rokarolla can make itself the default SMS and call handler, read and send messages, block incoming calls, mute the device and disable Play Protect, and Zimperium mapped 137 remote commands plus resilient C2 domains to keep control and evade removal.
- Zimperium has published technical details and IoCs on GitHub, some vendors report detections, and defenders are urged to avoid sideloading, deny Accessibility and default‑handler requests from untrusted apps, keep Play Protect on, and deploy updated mobile threat‑defense or anti‑malware solutions.
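The three risk factors the overview names (sideloaded APKs, Accessibility grants to untrusted apps, and an untrusted app taking the default SMS role) can be checked from device state rather than from signatures. The script below is an added example, not Zimperium's tooling or any IoC from its report: it parses the text an analyst would capture with `adb shell pm list packages -3 -i`, `adb shell settings get secure enabled_accessibility_services` and `adb shell cmd role get-role-holders android.app.role.SMS` (the role command's output format is assumed to be a `;`-separated package list), and flags packages that hit more than one factor. The allowlists and the sample outputs are constructed placeholders, not real package names from the campaign.

```python
"""Triage helper for the Rokarolla-style risk factors: sideloaded apps,
Accessibility-service grants outside an allowlist, and an unexpected
default SMS handler. Added example; assumes `adb shell` output formats
as documented in each parser. All package names are placeholders."""
import re
from dataclasses import dataclass

# Assumption: installers that count as "came from a store"; tune per fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}
# Assumption: Accessibility services expected on managed devices (screen reader).
ALLOWED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}
# Assumption: messaging apps expected to hold the SMS role.
EXPECTED_SMS_HANDLERS = {"com.google.android.apps.messaging",
                         "com.samsung.android.messaging"}


@dataclass
class Finding:
    severity: str   # "medium" or "high"
    package: str
    reason: str


def parse_installed(pm_output: str) -> dict[str, str]:
    """`pm list packages -3 -i` prints `package:<pkg>  installer=<pkg|null>`."""
    pkgs = {}
    for line in pm_output.splitlines():
        m = re.match(r"^package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs


def parse_accessibility(settings_output: str) -> set[str]:
    """`settings get secure enabled_accessibility_services` prints a
    ':'-separated list of <pkg>/<service>, or `null` when none are enabled."""
    value = settings_output.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_sms_role(role_output: str) -> set[str]:
    """`cmd role get-role-holders android.app.role.SMS`; assumed to print
    holder package names separated by ';' or whitespace."""
    return {p.strip() for p in re.split(r"[;\s]+", role_output.strip()) if p.strip()}


def triage(pm_output: str, settings_output: str, role_output: str) -> list[Finding]:
    """Combine the three signals; a package that is both sideloaded and holds
    a sensitive capability is rated high, a single factor alone is medium."""
    installed = parse_installed(pm_output)
    a11y = parse_accessibility(settings_output)
    sms = parse_sms_role(role_output)
    sideloaded = {p for p, inst in installed.items() if inst not in TRUSTED_INSTALLERS}

    findings = []
    for p in sorted(sideloaded):
        findings.append(Finding("medium", p,
                                f"third-party app not installed by a trusted store (installer={installed[p]})"))
    for p in sorted(a11y - ALLOWED_A11Y_PACKAGES):
        findings.append(Finding("high" if p in sideloaded else "medium", p,
                                "holds an enabled Accessibility service outside the allowlist"))
    for p in sorted(sms - EXPECTED_SMS_HANDLERS):
        findings.append(Finding("high" if p in sideloaded else "medium", p,
                                "is the default SMS handler but is not an expected messaging app"))
    return findings


# Constructed sample captures (placeholder package names, not real IoCs).
SAMPLE_PM = """package:com.example.legit  installer=com.android.vending
package:com.example.fakeupdate  installer=null
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
               ":com.example.fakeupdate/.OverlayService")
SAMPLE_SMS_ROLE = "com.example.fakeupdate\n"


def run_sample() -> list[Finding]:
    return triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_SMS_ROLE)


if __name__ == "__main__":
    for f in run_sample():
        print(f"[{f.severity}] {f.package}: {f.reason}")
```

In a real collection the three strings come from `adb shell` on the device under review; a package that is sideloaded and also holds Accessibility or the SMS role matches the installation and privilege pattern the overview describes and is worth isolating before further analysis.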