security · jun 16, 2026 · 21:46 utc

Rokarolla Android Malware Targets 217 Banking Apps

Rokarolla Android banking trojan wields 137 remote commands to steal PINs, intercept OTPs, and hijack crypto wallets across 217 targeted apps.

by Emanuel De Almeida

[Image: Android phone infected with Rokarolla attacking multiple banking and crypto apps]

TL;DR

  • Rokarolla is a newly discovered Android banking trojan targeting 217 banking and cryptocurrency apps with 137 remote commands.
  • It spreads via fake TikTok and Google Chrome websites; a dropper disguised as Google Play Protect installs the payload.
  • Capabilities include PIN theft, SMS interception, clipboard hijacking, keylogging, and silent screenshot exfiltration.
  • At 137 commands, Rokarolla exceeds the HOOK trojan's 107-command benchmark, making it one of the most capable Android banking trojans documented.
  • No patch exists. No CVE has been assigned. Defense depends entirely on user behavior and device hygiene.

Rokarolla Android Malware: Full Breakdown of the 137-Command Banking Trojan

What Is Rokarolla and Where Did It Come From?

Rokarolla is an Android banking trojan discovered by Zimperium's zLabs research team, with its name derived from its command-and-control server infrastructure. The malware gives operators full device control through 137 distinct remote commands targeting 217 banking and cryptocurrency applications. Zimperium published their full technical breakdown in 2026.

When we reviewed the Zimperium technical report, we found that the scale of Rokarolla's command set is what separates it from most prior Android banking trojans. A 137-command set is not an incremental step over earlier families; it reflects deliberate engineering toward flexibility and persistence on the infected device.

Kaspersky's 2026 mobile malware report places this discovery in a deteriorating threat environment: Android Trojan banker attacks on smartphones increased 56% in 2025 compared to 2024, with unique malicious APK packages surging 271% to 255,090. Rokarolla is a product of that acceleration.

How Does Rokarolla Infect Android Devices?

Infection starts on the open web. Victims encounter malicious websites impersonating TikTok or Google Chrome and are prompted to download what appears to be a legitimate app.

A dropper disguised as Google Play Protect then installs the actual payload. It requests Accessibility service permissions, which grant deep, persistent control over the device. A Google internal analysis ranked "observing and interacting with apps using an accessibility service" as the second most impactful malware abuse vector on Android, behind only dynamic code loading. Once granted, Rokarolla operates with minimal further attacker interaction.

  • Fake TikTok or Chrome sites serve the initial dropper
  • Dropper impersonates Google Play Protect to appear trustworthy
  • Accessibility permissions enable deep device control after installation
  • No app store distribution has been confirmed

This is the same Accessibility API abuse vector that has powered banking trojans for years. Google is restricting Android accessibility API access in Android 17.2 under Advanced Protection Mode, but that protection only covers devices running that version with the mode enabled.

For related reading on how attackers exploit legitimate infrastructure to hide malicious traffic, see how DragonForce hides C2 traffic inside Microsoft Teams TURN servers.

What Can Rokarolla Actually Do to an Infected Phone?

The answer is: almost everything. According to BleepingComputer's full coverage of Rokarolla, the trojan's 137-command toolkit enables a broad set of malicious actions that go well beyond simple credential harvesting.

Removing Rokarolla without a full factory reset is unreliable, because each permission it gains blocks the next removal step.

  • Lock-screen PIN theft allows attackers to physically unlock the device
  • SMS interception captures one-time passwords sent by banks
  • Clipboard rewriting silently replaces copied crypto wallet addresses with attacker-controlled ones
  • Keylogging records every typed character across all applications
  • Silent screenshot exfiltration sends screen captures to the C2 server without any visible indicator
  • Google Play Protect disabling removes the device's primary on-device defense

[Chart: Rokarolla Remote Command Capabilities by Category]

This capability profile mirrors the broader trend Zimperium's 2026 Banking Heist Report identified: 34 active Android malware families targeted 1,243 financial institutions across 90 countries in 2025, with Android malware-driven financial transactions increasing 67% year-over-year.

How Does Rokarolla Compare to Previous Android Banking Trojans?

Rokarolla's 137 commands outnumber the 107 Zimperium previously counted in the HOOK trojan, which had itself set a high-water mark for Android banking malware complexity. More commands mean more flexibility. Attackers can adapt their approach per target, per device state, and per bank, rather than running a fixed playbook.

The table below compares Rokarolla against HOOK and SharkBot on key operational dimensions:

  Trojan     | Command Count | Target App Count | Primary Infection Vector
  -----------|---------------|------------------|-----------------------------------
  Rokarolla  | 137           | 217              | Fake TikTok/Chrome sites + dropper
  HOOK       | 107           | 468              | Malicious APK distribution
  SharkBot   | ~22 (core)    | 60+              | Fake antivirus / app store clones

The 217-app target list spans both traditional banking institutions and cryptocurrency platforms. This reflects attackers' awareness that significant financial value now lives in crypto wallets alongside conventional bank accounts.

For context on how attackers are similarly targeting enterprise authentication systems, the CVE-2026-50751 Check Point Gaia OS IKEv1 authentication bypass shows credential-theft focus is not limited to mobile.

Is There a Patch or CVE to Track for Rokarolla?

No. Rokarolla is malware, not a vulnerability in a specific software product. No CVE has been assigned and it does not appear on CISA's Known Exploited Vulnerabilities catalog. There is nothing to patch in the traditional sense.

Defense is behavioral and preventive rather than reactive. This contrasts sharply with infrastructure vulnerabilities like the CVE-2026-20262 Cisco SD-WAN root privilege bug, where a vendor patch directly addresses the attack surface. With Rokarolla, the attack surface is user behavior.

Kaspersky's Q1 2026 mobile statistics underscore why that matters: banking trojans accounted for 52.96% of all detected mobile malware applications in Q1 2026, with over 162,275 mobile banking trojan packages discovered in that quarter alone.

How Can You Protect Your Device From Rokarolla?

  • Never sideload APKs from websites impersonating Chrome, TikTok, or Google Play services.
  • Verify that Google Play Protect is enabled and reporting clean under Settings > Security > Play Protect.
  • Revoke Accessibility permissions for any unverified app under Settings > Accessibility > Installed Services.
  • Enable two-factor authentication via an authenticator app rather than SMS wherever your bank allows it. SMS OTPs are directly interceptable by this Android banking trojan.
  • Audit your clipboard before pasting any cryptocurrency wallet address. Verify the first and last six characters manually against the intended destination.
  • If infection is suspected, perform a full factory reset. Partial removal is unreliable at Accessibility permission depth.
  • Enterprise mobile device management administrators should block installation sources outside Google Play and enforce Accessibility service whitelisting via policy.
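The Accessibility, sideloading and SMS checks above can be scripted for a managed fleet. The following is an added example, not code from the article or from Zimperium: it parses the output of `adb shell settings get secure enabled_accessibility_services` and a `dumpsys package` excerpt (both constructed samples with placeholder package names, not real Rokarolla indicators) and flags any accessibility service outside an assumed MDM allowlist, any flagged package with no store installer, and any such package holding SMS permissions.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Entries are colon-separated "package/ServiceClass"; placeholder names, not real IoCs.
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playprotect.update/.AccessibilityHelper"
)

# Constructed excerpt of `adb shell dumpsys package com.example.playprotect.update`.
DUMPSYS_OUTPUT = """
Package [com.example.playprotect.update]:
    versionName=1.0
    installerPackageName=null
    grantedPermissions:
      android.permission.RECEIVE_SMS
      android.permission.READ_SMS
      android.permission.INTERNET
"""

# Assumed allowlist maintained by the MDM team (TalkBack is a legitimate Google service).
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Permissions that enable the SMS-OTP interception the article describes.
RISKY_PERMISSIONS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


def parse_enabled_services(raw: str) -> List[str]:
    """Expand each entry to a fully qualified 'package/class' name."""
    services = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):  # Android accepts the abbreviated ".Class" form
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def parse_dumpsys(raw: str) -> Dict[str, object]:
    """Extract the installer package and the granted permission set."""
    installer = re.search(r"installerPackageName=(\S+)", raw)
    perms = set(re.findall(r"^\s+(android\.permission\.[A-Z_]+)$", raw, re.M))
    return {"installer": installer.group(1) if installer else None, "permissions": perms}


def audit(enabled_raw: str, dumpsys_by_pkg: Dict[str, str]) -> List[str]:
    """Return findings for unapproved, sideloaded, or SMS-capable accessibility apps."""
    findings = []
    for svc in parse_enabled_services(enabled_raw):
        if svc in ALLOWED_SERVICES:
            continue
        pkg = svc.split("/")[0]
        findings.append(f"unapproved accessibility service: {svc}")
        info = parse_dumpsys(dumpsys_by_pkg.get(pkg, ""))
        if info["installer"] in (None, "null"):  # no store installer recorded
            findings.append(f"sideloaded package: {pkg}")
        if info["permissions"] & RISKY_PERMISSIONS:
            findings.append(f"SMS access granted to {pkg}")
    return findings
```

On a real device, feed the script the output of the two adb commands for each package that appears in the enabled-services setting; a finding on all three checks is the pattern the article attributes to the Rokarolla dropper.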

For enterprise hardening beyond mobile, the Entra Password Protection on-premises AD setup guide covers credential protection at the directory layer, which remains relevant if a compromised device exposes corporate credentials.

Also relevant for IT teams managing device fleets: the BitLocker removal guide for Windows 11 is useful context for understanding what full-device remediation steps look like on managed endpoints.

*Last reviewed June 2026. We will update this article as Zimperium or CISA release further indicators of compromise.*

Frequently Asked Questions

Does Rokarolla Affect iPhones?

No. Rokarolla is an Android-specific trojan that relies on the Android Accessibility service architecture and APK sideloading. iOS does not permit the same sideloading mechanism or Accessibility-level third-party control. iPhone users are not affected by this particular threat.

Which Banks and Crypto Apps Are Targeted?

Zimperium identified 217 targeted applications spanning banking institutions and cryptocurrency platforms, but the full list has not been publicly released. If your financial app runs on Android and handles real money, treat it as a potential target and apply the defensive steps above regardless.

Can Antivirus Apps on Android Detect Rokarolla?

Mobile security vendors including Zimperium have added detection signatures following public disclosure. Running an updated mobile security application helps. The dropper's impersonation of Google Play Protect is specifically designed to lower user suspicion before any scan occurs. Prevention before installation is the stronger control.

Will Enabling 2FA Protect My Accounts?

Partially. Rokarolla intercepts SMS-based one-time codes directly, so SMS 2FA alone is not sufficient on a compromised device.

Authenticator-app-based or hardware-key-based 2FA is significantly harder to intercept. Use it for any account linked to banking or cryptocurrency. SMS 2FA is still better than no 2FA, but it is not the ceiling you want to stop at.

source: www.anavem.com
