Rokarolla: zLabs Uncovers Sophisticated Android Banking Trojan
Cybersecurity researchers have uncovered a highly capable Android banking trojan dubbed Rokarolla—a name derived directly from its Command-and-Control (C2) infrastructure. According to recent analysis from the zLabs research team, this malware is engineered for precision, targeting 217 specific banking and cryptocurrency applications through a combination of advanced social engineering and deep system exploitation.
The infection vector typically begins on malicious websites that masquerade as legitimate software repositories. For instance, researchers identified deceptive landing pages, such as hxxps://infocontablidades[.]it[.]com/, designed to trick users into downloading malicious APKs.
The Two-Stage Infection Architecture
Rokarolla uses a modular, two-stage dropper model designed specifically to circumvent standard Android security controls. The initial stage acts as a lightweight dropper that employs deceptive tactics—often impersonating legitimate system components like Google Play Protect—to coerce users into granting high-level permissions.
Once the initial footprint is established, the dropper installs a much more robust second-stage payload. Upon execution, the malware performs a comprehensive enumeration of the device’s hardware and software telemetry. This includes the device model, Android version, locale, and even real-time battery and memory statistics. This data is transmitted via HTTPS to the C2 server, which uses these parameters to generate a unique botID, effectively fingerprinting the victim for customized exploitation.

To ensure operational resilience, the implant supports dynamic remote configuration and utilizes multiple fallback domains, allowing the threat actors to maintain persistent control even if primary C2 nodes are neutralized.
Extensive Command Set and System Manipulation
What distinguishes Rokarolla from simpler trojans is its massive operational breadth. The malware boasts an extensive command set consisting of 137 distinct commands, granting the attacker granular, almost administrative control over the mobile device.

Key technical capabilities include:
- Credential Harvesting: Using deceptive overlays that perfectly replicate the Android lock screen to capture PINs, patterns, and passwords.
- Accessibility Service Abuse: By hijacking Accessibility Services, the trojan can perform keylogging and parse UI nodes to read sensitive data from other apps.
- Data Exfiltration: Systematic theft of SMS messages, contact lists, and real-time notifications.
- Clipboard Hijacking: Monitoring the clipboard to intercept and replace cryptocurrency wallet addresses during transactions.
- Pseudo-VNC Visual Reconnaissance: Rather than using resource-heavy continuous screen capture, Rokarolla takes periodic, compressed PNG screenshots. This provides attackers with visual context while minimizing the impact on battery life and CPU usage, making the infection harder to detect.
Advanced Evasion and Overlay Injection
Rokarolla is designed to be “invisible” to the user. Once the infection is successful, it actively suppresses device interactions to prevent detection. It can block incoming calls, hijack SMS/call handlers, mute all audio and haptic feedback, and prevent the screen from timing out. Furthermore, it hides its own icon from the application launcher and attempts to disable Google Play Protect.
The most critical component of its theft mechanism is the Overlay Injection. The C2 server sends a monitored_app_full list containing package names and associated URLs for phishing templates. When a user launches a targeted banking app, Rokarolla injects a locally stored, HTML-based fake login page directly over the legitimate interface.

Researchers have identified specific command strings such as liveoverlay16, sms_overlay_16, and call_overlay_16, which are used to trigger these highly targeted deceptive interfaces.
Mitigation and Defense Strategies
Defending against Rokarolla requires a multi-layered approach that reduces the attack surface and monitors for the high-risk permission grants the malware depends on:
- User Awareness: Avoid sideloading applications from untrusted third-party websites. Always verify the legitimacy of app requests.
- Permission Hygiene: Be extremely cautious when granting Accessibility Services or Device Administrator privileges. These are high-value targets for malware.
- System Integrity: Never disable Google Play Protect or ignore security warnings regarding “Unknown Sources.”
- Enterprise Defense: Organizations should deploy Mobile Device Management (MDM) solutions to enforce strict app installation policies and monitor for anomalous permission grants or changes to default SMS and call handlers.
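As an added illustration of the enterprise check in the last bullet (this helper is not part of the zLabs analysis), the following Python script triages two device settings that the report says Rokarolla abuses: the enabled Accessibility Services and the default SMS handler. It assumes the input strings are what `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application` print (the second key is not present on every Android build), the allowlists are placeholders an organisation would replace with its own, and the sample values are constructed.

```python
# Added triage helper (not from the zLabs report). Flags packages that hold
# Accessibility Service access and/or the default SMS handler role without
# being on an allowlist; a single package holding both matches the pattern
# described for Rokarolla (Accessibility abuse plus SMS handler hijacking).
from dataclasses import dataclass, field

# Assumed allowlists: packages an organisation expects to hold these powers.
ALLOWED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}
ALLOWED_SMS_HANDLERS = {"com.google.android.apps.messaging", "com.android.messaging"}


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)


def parse_accessibility_services(raw: str) -> list:
    """Split the colon-separated 'pkg/Service' list into package names."""
    raw = raw.strip()
    if raw in ("", "null"):          # 'null' is what settings prints when unset
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def triage(accessibility_raw: str, sms_default_raw: str) -> dict:
    """Return {package: Finding} for every package outside the allowlists."""
    findings = {}
    for pkg in parse_accessibility_services(accessibility_raw):
        if pkg not in ALLOWED_ACCESSIBILITY:
            findings.setdefault(pkg, Finding(pkg)).reasons.append("unexpected accessibility service")
    sms_pkg = sms_default_raw.strip()
    if sms_pkg and sms_pkg != "null" and sms_pkg not in ALLOWED_SMS_HANDLERS:
        findings.setdefault(sms_pkg, Finding(sms_pkg)).reasons.append("unexpected default SMS handler")
    for f in findings.values():       # both powers in one package: escalate
        if len(f.reasons) == 2:
            f.reasons.append("accessibility + SMS handler in one package: high priority")
    return findings


# Constructed sample output, not real device data.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.playprotect.update/.AccService")
SAMPLE_SMS_DEFAULT = "com.example.playprotect.update"

if __name__ == "__main__":
    for pkg, finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_SMS_DEFAULT).items():
        print(pkg, "->", "; ".join(finding.reasons))
```

On a fleet, the same logic can be fed from MDM inventory exports instead of adb, with the allowlists populated from the organisation's approved app catalogue.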