Android Banker with Complete Device Takeover Capabilities

June 16, 2026, 5:19 p.m.

Description

A newly identified Android banking trojan named Rokarolla has been discovered, distributed through malicious websites masquerading as popular applications like TikTok or Google Chrome. The malware targets 217 distinct cryptocurrency and banking applications using 137 sophisticated commands for device control. Capabilities include harvesting lock screen credentials, exfiltrating contact lists and SMS data, deploying keyloggers, blocking calls, creating fraudulent screen overlays, and disabling Google Play Protect. The infection begins with a dropper impersonating Google Play Protect that installs a secondary payload. Rokarolla communicates with C2 infrastructure via HTTPS, uses overlays to steal banking credentials and device unlock patterns, silently monitors WhatsApp contacts, hijacks SMS and calls, manipulates clipboard content for cryptocurrency theft, and employs snapshot-based screen surveillance. It maintains persistence by hiding its icon, muting device audio, and keeping screens active indefinitely.

External References

https://zimperium.com/blog/rokarolla-android-banker-with-complete-device-takeover-capabilities
https://otx.alienvault.com/pulse/6a315d684f0c09972ddea652
Tags
keylogger
cryptocurrency theft
overlay attacks
accessibility abuse
sms hijacking
android trojan
2026-06-16
banking credentials
rokarolla

Date

  • Created: June 16, 2026, 2:27 p.m.
  • Published: June 16, 2026, 2:27 p.m.
  • Modified: June 16, 2026, 5:19 p.m.

Indicators

  • e76cbdf420540a18e2ddea02938acf3c4b4139f3511d314dca9781afe1e439bb
  • 3e25c28c5e93376683e841b7ad60f9383bb3bf831284a93a4aae798fc769d767
  • f49be77b95cabd28d2dfe91786863576f6bd3f43a9d6de67a5b5851afe3aff9a
  • 4e2cbefc6bdbfdb6e885057ce47d460e3d3355a5e97db51b22e9c5a14e14302b
  • d6403ec82659eb62424bb1033615a8df27635080d02e438a4ee7e2334b1155f7
  • c3e324106803df27f5b6e0d49d2daf02d4cde396af4401f1ad29d78198e370b6
  • 7aa389f25997610a96f014977eecd6d69142bdc63841e0d84976e3e621831303
  • 1ba364113c4cec5542d1b2c76d7c163a66bdf90bc373256d5178f880f9742960
  • 8ddbcebe1014a645855986e85b2c54ee167baf1e9a0d74179faf81a5ee6878f4
  • 57307ee8a3cda10730eacecaf789fab6f8771f9d29397e07c31a6bd4551bba10
  • ed036356fa2d3490d3ddb5ee7ae98bab80b505938f0199d9b10f12266f345896
  • 890ecea4ebe4fea692ad36adf02abeb37c181cb7bdb6122cd52d9aaafe7d6cf3
  • a5e6763b09553691c8b42deefb725fa3b8c133a03a34cea87740b1f13d08bac3
  • 2eb80e5519fc6defcec8cc30a5cf4f75ee5ec8d2435759bb77c19826f1e20efb
  • 1d3270a9141f8f16047799f1132633d72fd421b6c8f1878b5ef04ced6add4db8
  • 8d65e4df0ad369f491698437413afd1bd55fff309860f9cdecc778c9ac062282
  • 62aef76c2d1897203649844b45317d9e1723819479a2b88ca4b3290ca9f4c9f0
  • c3cfe522d2da15b033f65eb5377bf9e99be598dc4c21729e6f168dbc8f19540b
  • e134cffcbe1fa8a861fd1f9a506f10ca5ff56cd5082360ef13d204676792e8bc
  • fe41e6c1725f63582f022a17abe098e49338a78118a00ca87785b2fa0cf3dadf
  • 5139253b1f30b34ab3aa888aba175866fa1f82728ab07b999c24b49b191c3f68
  • aec2a36e8d68b23444348a7cec2d6ec287cb8810d1e190e04743645426ababb1
  • f8cb375a4129358ad5881c29a6921fc1e5773028c0b31da83298f606118b185a
  • 726095e56c693977b7796dc7cead2e2a49551d77d3f442aaa28997615ba07e99
  • 48a3db92fac1ba9c218253576e09f42faabeaf48cf80663cf32e06b0a66e983d
  • 5d0c5d8da8202f512339457ae00ed2d9b9c930cefc63fa5a28a049aba4127ab7
  • 3fae7ede2ef9c809b54504c3d78e5111d7fad0b522c707b8f6ff21015af79251
  • 1e4ed7e40608750cd0bfe96f5ed493a022b58ec54da2345336c522f7c78197af
  • c734a665f04eb9ab17047e65940fc35bad0221d59c2fc4fd0d170f2181514034
  • 1f4c70cb317ffd25adc828fbac3bb8f07739e23111f7b7905926489fe35f8973
  • 97e76acebea510c8641183866be4392601314b20e73c7ba8cf1f3ee2de6080fd
  • 696ef29f77a91aa91279c83088a07ab137d5049dc096ef862a35f9d890a552b3
  • f0c18f045e3bb0193ef1169f5fa1abff7aa47e9a23da35cf67bbb9548a5e32c0
  • 9a8ec3b21fdb4167f8fdd46f4d38b9a99ff2d3515ee70215438a1360c1474221
  • be8573971b85fda81a2fac27adb7a3a9b2cf7e1d9bdf713361a725324d378d34
  • c505353a6c58a21cb7b0343202e8629bee2f121f01c21dd8e0b61b7c55b77495
  • d7d960ef10b08c472ad397b6fd9e9481338b2077c7c2f44d3dc2c65b19345ae0
  • c08cd3f78c0edcced6b1a694284b6ed4a9e0422f469e07c702c4a8d1f6c186f4
  • 3c304a1ac73590aaf94b62711a5f2fd0cbb863dab13aef6ec1eb156f4a7bd5b9
  • 43888be8debbbd74012484d4e4f9a1c70c2ff3970e0bf499c9aebba9776930a1
  • https://morevoms.cfd
  • https://beralisvc.info
  • https://abiorime.cfd
  • https://blestorians.cfd
Download all indicators here!

Attack Patterns

  • Rokarolla

Additional Informations

  • Finance
  • abiorime.cfd
  • beralisvc.info
  • morevoms.cfd
  • blestorians.cfd