
Rokarolla Hijacks Your Phone and Blocks the Calls That Could Save You

Zimperium’s zLabs has detailed Rokarolla, a new Android banking trojan with 137 commands against 217 financial apps. It silences bank fraud alerts.


A new Android banking trojan called Rokarolla is targeting 217 banking and crypto apps with 137 commands that hand attackers near-total control of an infected phone, including the ability to block the phone calls a bank would use to warn its customer of fraud. Researchers at Zimperium’s zLabs published the technical breakdown this week, the same day Help Net Security and other outlets began carrying the warning. Security vendors have since added the trojan to mobile threat detections. Google confirmed that no apps containing Rokarolla are currently on the Play Store.

Rokarolla arrives on rogue websites that offer fake versions of TikTok or Google Chrome, then poses as Google Play Protect to ask for the kind of Android permissions most users would refuse on a calculator app. Once those grants are in place, it overlays fake login pages on real banking apps, harvests every SMS, blocks incoming calls, and hides its own icon. Zimperium’s researchers describe the approach as a shift from credential theft to “victim isolation.” The team also said no previous Android banking trojan has bundled the full kit so tightly.

The Trojan That Cut Its Users Off from Their Banks

Most Android banking trojans that make headlines every quarter are essentially keyloggers with a money angle. They hook accessibility services, look for a banking app to launch, and drop a fake login form on top of it. Rokarolla starts there, but it does not stop at credential theft.

The 137 commands documented by Zimperium include everything needed to lock a user out of their own device’s defenses while the attacker drains it. The list covers lock-screen credential theft, SMS and call interception, clipboard rewriting, keylogging, screen capture, audio suppression, icon hiding, and Google Play Protect disabling. The breadth is what makes the new sample stand out. The trojan also removes the victim’s ability to hear from the very banks it is draining.

The Rokarolla Trojan shifts focus from credential theft to victim isolation. Developers have combined screen overlays and access tools before, but this software surprises analysts by creating an information vacuum. The application blocks calls and intercepts texts to prevent banks from alerting users about fraud.

That framing came from Jason Soroko, senior fellow at certificate lifecycle management firm Sectigo, in comments to Dark Reading. Soroko’s point is the one Zimperium’s own researchers Vishnu Pratapagiri and Fernando Ortega document in the longest section of their report. A phone in this state still rings, still receives messages, still shows the home screen, but the warning channel a bank would normally use has been muted on purpose. The mute is not incidental. It is one of 137 dedicated commands, sitting next to the lock-screen stealer and the clipboard rewriter in the same toolkit. Zimperium’s researchers called the combination an evolution of the category, and Sectigo’s Soroko called it an information vacuum.

A Dropper Wearing a Google Play Protect Mask

Distribution is the part Rokarolla has in common with most of its predecessors. Zimperium identified a malicious website at hxxps://infocontablidades[.]it[.]com/ that pushes fake downloads of TikTok and Google Chrome. The same dropper pattern appears on other rogue sites, and the researchers said the payload is updated frequently. A user who searches for a popular app, follows a link from a phishing text, or taps a social media advertisement can land on one of these pages within a few clicks.

Once the fake app is sideloaded, it does something most droppers do not. It asks the user to install a second payload while impersonating Google Play Protect, the legitimate Android security service Google ships on every Play-certified device. That second stage is the actual Rokarolla trojan, and it is the one that walks the user through the dangerous permission grants. To an untrained eye, the prompt looks identical to a real Google security update. None of the four steps in the chain requires a rooted device, a zero-day, or a compromised Google account, and each step is a separate user choice.

  1. User visits a rogue site advertising a popular app like TikTok or Chrome.
  2. The site pushes a sideload APK rather than the official Google Play Store version.
  3. After install, the dropper asks the user to “install an update” while posing as Google Play Protect.
  4. The actual Rokarolla trojan installs and requests Accessibility Service, SMS, and notification access.

The 137 Commands Behind the Takeover

Zimperium’s report groups the commands into functional clusters, and the cluster list reads like a checklist of the worst things an Android banking trojan can do. The first cluster harvests lock-screen PINs, patterns, and passwords by laying a fake lock screen over the real one. A second cluster handles SMS theft and SMS sending, the latter used to interact with banks that still rely on one-time passwords sent by text.

Accessibility Services do the heavy lifting. With that single grant, the malware can read the labels and coordinates of every visible UI element, identify which app is in the foreground, decide whether that app is on its 217-app target list, and if so, lay a fake login HTML page on top of the real one. The fake pages are pulled from the command-and-control server on demand and stored in a local SQLite database, so the trojan does not have to fetch them again for repeat victims. Researchers have documented this accessibility-services pattern across other Android malware samples in the past.

Screen capture uses a snapshot approach rather than the continuous MediaProjection streaming that most modern Android malware uses. Rokarolla takes a screenshot, compresses it to PNG, sends it to the operator with a timestamp, then resets and waits for the next cycle. The trade-off is less real-time visibility for the attacker and a much quieter network profile, which makes the activity harder for security tools to spot.

Defensive measures on the device itself are not spared. Separate commands target Google Play Protect, including disable, force-open, and status-check options, while the malware hides its launcher icon, silences all device audio and vibration, and forces the screen to stay awake so its overlays cannot be dismissed by a screen timeout.

  • 217 banking and crypto apps on the target list
  • 137 remote commands on infected devices
  • Snapshot-based screen capture, not continuous streaming
  • Accessibility Services as the single high-value grant
  • Google Play Protect targeted by dedicated disable commands

The Crypto Address You Just Copied Is Not Yours

The clipboard swap is the Rokarolla feature that leaves the smallest visible footprint. The malware reads whatever the user has just copied to the clipboard and rewrites it in place, with no popup, no notification, and no tell-tale preview. A user who copies a Bitcoin or Ethereum receiving address from their own wallet and pastes it into a transfer screen ends up sending the funds to the attacker’s address instead. The paste looks normal, the address usually starts with the right characters, and the transaction confirms on-chain before the victim realises what happened.

Keylogging and on-screen text capture ride on the same accessibility grant. Commands named start_keylogger, startuilogger, and textextract collect everything the victim types, alongside the labels of every UI element on screen. The data is streamed to the operator along with WhatsApp contact extraction, which recognises screen labels such as “Chats” and “Calls” to harvest the contact list from the messaging app the user trusts most.

Crypto theft gets a further boost from SMS interception. Most exchanges and self-custody wallets still rely on a one-time password sent by SMS as a second factor on withdrawals, and Rokarolla reads those messages the instant they arrive. By the time the legitimate user looks at their SMS app, the code has already been used, and the same channel lets the malware send messages on the victim’s behalf to confirm fraudulent transactions at banks that require an outbound SMS confirmation step.

Why “Don’t Sideload” Is Only Half the Advice

The standard mobile security line has been the same for a decade. Install only from Google Play. Do not sideload. Do not trust apps that ask for Accessibility access. Each rule still applies to Rokarolla, but the trojan was built to make the advice harder to follow. The dropper does not ask for Accessibility on the first screen. It stages the request behind a fake Google Play Protect update prompt that looks identical to a legitimate one, as Malwarebytes describes in its Rokarolla infection chain write-up.

That gap is why researchers are pushing a wider list of checks. The table below pairs the standard guidance with what Rokarolla actually exploits, drawn directly from Zimperium’s command list. The trojan covers a wider attack surface than the standard rules were built to handle. Closing the rest of the surface has to happen at the authentication layer and the device-management layer, not in user prompts alone.

Common guidance | What Rokarolla does with it
--- | ---
Only install from Google Play | Dropper lives on rogue sites impersonating TikTok and Chrome downloads
Be wary of Accessibility access | Requested behind a fake Google Play Protect update screen
Use a real mobile antivirus | Strips Google Play Protect with dedicated disable commands
Watch for unusual banking prompts | Displays a fetched HTML phishing page that mirrors the real bank’s login
Don’t trust SMS-based 2FA alone | Intercepts every incoming SMS and sends new ones on the victim’s behalf

The Industry Reacts to the New Trojan

Google, which controls the Android platform and the Play Protect service, drew a firm line in its statement to Dark Reading. A spokesperson said no apps containing the Rokarolla malware had been detected on Google Play, and that Android users with Google Play Services are protected against known versions of the trojan by Play Protect, which is on by default. The same statement placed the infection vector outside the official store, on the rogue download sites Zimperium first identified.

Boris Cipot, principal security engineer at application security firm Black Duck, told Dark Reading that organizations should treat Android phones as full-fledged high-risk endpoints rather than secondary access devices. His practical recommendations included mobile threat defense tools that watch for accessibility abuse and overlay injection, strict policies against sideloading, and a move away from SMS-based second factors toward phishing-resistant multi-factor methods. The latter point lands hardest against the Rokarolla command set, which already intercepts every incoming SMS. Banking-fraud malware in the same category, including the DevilNFC relay operation covered in the DevilNFC banking-fraud playbook, has tracked a similar pattern of social engineering paired with device control.

Based on our current detection, no apps containing this malware are on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services.

For banks, the takeaway is that the trojan’s call-blocking and SMS-interception stack is built specifically to defeat the standard fraud-alert pipeline. A bank that warns customers of suspicious transfers by SMS, by voice call, or by a push notification inside its own app now has to assume all three of those channels can be muted on an infected handset.
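A fail-closed decision rule for that alert pipeline, written as an added example rather than any bank's actual system: a missing reply, or a reply that arrived only over SMS, holds the transfer, because the trojan can both mute the alert channels and send SMS on the victim's behalf. The channel names, the ten-minute window and the decision labels are assumptions.

```python
"""Fail-closed fraud-alert decision for a flagged transfer.

Added example, not a real bank's pipeline. On an infected handset the SMS,
voice and push alerts may all be muted, so silence must hold the transfer
rather than release it, and an SMS "confirm" alone is not trusted because
the trojan can send SMS itself. Channel names, timeout and labels are assumed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    RELEASE = "release"
    HOLD = "hold"      # pending or timed out: fail closed, never release on silence
    BLOCK = "block"


CHANNELS = ("sms", "voice", "push")
SPOOFABLE = {"sms"}   # channels the malware can answer on the victim's behalf
TIMEOUT_REASON = "no trusted reply within window, held for review"


@dataclass
class TransferAlert:
    transfer_id: str
    sent_at: float                  # epoch seconds when the alerts were dispatched
    ack_timeout: float = 600.0      # assumed: ten minutes for the customer to answer
    responses: dict = field(default_factory=dict)   # channel -> "confirm" / "deny"

    def record_response(self, channel: str, answer: str) -> None:
        if channel not in CHANNELS or answer not in ("confirm", "deny"):
            raise ValueError(f"unexpected reply {answer!r} on {channel!r}")
        self.responses[channel] = answer

    def decide(self, now: float) -> tuple:
        """Return (Decision, reason). Only a trusted-channel confirm releases funds."""
        if "deny" in self.responses.values():
            return Decision.BLOCK, "customer denied the transfer"
        trusted = [ch for ch, a in self.responses.items()
                   if a == "confirm" and ch not in SPOOFABLE]
        if trusted:
            return Decision.RELEASE, f"confirmed via {trusted[0]}"
        if now - self.sent_at >= self.ack_timeout:
            return Decision.HOLD, TIMEOUT_REASON
        return Decision.HOLD, "awaiting reply"
```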

That is the same conclusion Zimperium’s researchers reached when they called the malware an evolution of the category, and the same pressure the broader Android security push is designed to absorb. Google’s Android Binary Transparency ledger records every production Android app the company signs, with anything missing from the ledger treated as unauthorised. The user’s own checklist has to start there, with a refusal to trust any app update prompt that arrives as a separate install step. Anything else is the trojan’s comfort zone.

Signs Your Phone May Be Infected

Rokarolla is built to avoid leaving obvious traces, but a few user-visible tells are consistent with the Zimperium analysis. A phone that asks the user to install a “Google Play Protect update” as a separate step after the first install is the most reliable single signal, because legitimate Google security components ship inside the system, never as a sideloaded APK. A second signal is a banking app that asks for login details a second time inside the same session, or that renders with the wrong fonts, missing images, or a URL bar that does not match the bank’s real domain.

On the device side, an unusually quiet phone is a soft signal. The malware suppresses all device audio and vibration to mask bank fraud alerts, so a handset that suddenly stops ringing for known contacts is worth investigating. The same is true of a screen that refuses to time out, a battery that drains faster than usual, and a settings page that shows a previously installed app with no launcher icon and a generic Android system name. These tells can have innocent causes, so a single one is not proof, but two or three at once is enough to start treating the phone as compromised.

What to do when those signs appear: switch the phone to airplane mode to cut off the command-and-control channel, run a scan with a reputable mobile security app, and call the bank from a separate device. From there, treat every SMS-based one-time password received in the previous 24 hours as compromised, and change passwords for any banking or crypto account touched on the phone during that window, starting from a clean machine.
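A triage helper for the tells listed in this section, added here as an example and not part of Zimperium's or any vendor's tooling. It parses the text printed by two standard adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -3`); the launcher-package set and the app-label map are constructed stand-ins for a separate package query, and every sample value is made up.

```python
"""Offline triage of an Android package inventory for Rokarolla-style tells.

Added example, not Zimperium's tooling. Two inputs use the real output
format of `adb shell settings get secure enabled_accessibility_services`
and `adb shell pm list packages -3` (third-party packages only); the
launcher set and label map are constructed stand-ins. Sample values are made up.
"""
from dataclasses import dataclass

# Constructed sample dumps: TalkBack plus a sideloaded "update" app with no icon.
ACCESSIBILITY_DUMP = ("com.google.android.marvin.talkback/"
                      "com.google.android.marvin.talkback.TalkBackService:"
                      "com.android.systemupdate/.svc.AccessHelper")
THIRD_PARTY_DUMP = ("package:com.whatsapp\npackage:com.android.systemupdate\n"
                    "package:com.example.bank\n")
LAUNCHER_PACKAGES = {"com.whatsapp", "com.example.bank"}   # packages with a home-screen icon
LABELS = {"com.whatsapp": "WhatsApp", "com.example.bank": "Example Bank",
          "com.android.systemupdate": "Google Play Protect"}
KNOWN_GOOD_A11Y = {"com.google.android.marvin.talkback"}    # assumed allow-list


@dataclass(frozen=True)
class Finding:
    package: str
    reasons: tuple
    severity: str   # "high" when two or more tells coincide, as the text suggests


def parse_accessibility(dump: str) -> set:
    """'pkg/service:pkg/service' -> set of packages; 'null' means none enabled."""
    dump = dump.strip()
    if not dump or dump == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in dump.split(":") if entry}


def parse_third_party(dump: str) -> set:
    return {line[len("package:"):].strip() for line in dump.splitlines()
            if line.startswith("package:")}


def triage(a11y_dump: str, pkg_dump: str, launcher_pkgs: set, labels: dict) -> list:
    a11y = parse_accessibility(a11y_dump)
    findings = []
    for pkg in sorted(parse_third_party(pkg_dump)):   # -3 output is sideloaded/store apps only
        reasons = []
        if pkg in a11y and pkg not in KNOWN_GOOD_A11Y:
            reasons.append("accessibility service enabled")
        if pkg not in launcher_pkgs:
            reasons.append("no launcher icon")
        if pkg.startswith(("com.android.", "com.google.")):
            reasons.append("system-style name on a non-system package")
        if "play protect" in labels.get(pkg, "").lower():
            reasons.append("label impersonates Google Play Protect")
        if reasons:
            findings.append(Finding(pkg, tuple(reasons), "high" if len(reasons) >= 2 else "low"))
    return findings
```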

Frequently Asked Questions

What is Rokarolla?

Rokarolla is an Android banking trojan with 137 commands for full device control, named after its command-and-control infrastructure. It combines credential theft from 217 financial apps with broad device takeover.

How does Rokarolla infect Android phones?

Distribution happens through rogue sites that impersonate TikTok and Google Chrome download pages, then drop a Google Play Protect impersonator to install the actual malware and request Accessibility, SMS, and notification access.

Can Google Play Protect block Rokarolla?

Google told Dark Reading that no apps containing Rokarolla are on Google Play and that Play Protect, which is on by default on devices with Google Play Services, protects against known versions. The infection path Zimperium documented stays outside the official store.

What apps does Rokarolla target?

The 217-app list is stored on the operator’s server, not in the malware itself, and the trojan pulls a fresh HTML phishing page for each target app on demand when the victim opens the legitimate version.

How do I remove Rokarolla from my phone?

Put the phone in airplane mode to cut off the command-and-control channel, run a scan with an up-to-date mobile security app, and uninstall any app that does not appear in the launcher or that requested Accessibility access without a clear reason. For confirmed infections, a factory reset is the cleanest recovery path, and any banking or crypto account touched on the device should have its password changed from a different machine.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
