Rokarolla: The Android Trojan Targeting 217 Banking Apps
Author
ThreatsEye
Published
June 18, 2026
The mobile threat landscape continues to evolve, and a newly identified Android banking trojan known as Rokarolla is a clear example of this shift. This malware is not limited to basic credential theft. It combines phishing overlays, SMS interception, device manipulation, and command-and-control capabilities to target users of banking and cryptocurrency applications.
According to recent research, Rokarolla targets 217 banking and cryptocurrency applications and supports 137 remote commands, giving attackers a wide range of options to control infected Android devices and steal sensitive financial data.
For financial institutions, crypto platforms, SOC teams, and cybersecurity analysts, Rokarolla represents a serious mobile threat that requires continuous monitoring, fast detection, and actionable threat intelligence.
Rokarolla is an Android banking trojan designed to compromise mobile devices and steal sensitive information from users of financial and cryptocurrency applications.
The malware is mainly distributed through malicious websites that impersonate popular applications such as TikTok or Google Chrome. Once installed, it may abuse Android permissions, including Accessibility Services, to interact with the device, monitor user activity, and perform malicious actions.
Unlike simple phishing campaigns, Rokarolla uses a more advanced approach. It can identify targeted apps on the infected device, display fake login screens over legitimate applications, capture credentials, intercept SMS messages, and support remote attacker commands.
Rokarolla is considered high risk because it directly targets sensitive financial data and can affect both traditional banking users and cryptocurrency holders.
Its main risk factors include:
This combination makes Rokarolla especially dangerous for users who rely on mobile banking or crypto wallets.
Rokarolla typically starts with social engineering. Victims are directed to fake websites that present malicious applications as legitimate downloads. After installation, the malware requests permissions that allow it to monitor and control sensitive device actions.
Once active, Rokarolla checks the infected device for targeted banking or cryptocurrency applications. When the victim opens one of these apps, the malware can display a fake overlay designed to capture login credentials, payment information, or other sensitive data.
From a threat intelligence perspective, the observed attack flow can be summarized as:
Phishing site → Malicious application download → Permission abuse → Target app detection → Fake overlay display → Credential or data theft → Exfiltration to command-and-control infrastructure
This attack chain shows why mobile banking threats must be monitored beyond the application layer. The risk often begins before the user reaches the legitimate banking app.
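A manifest triage check for the permission-abuse, target-app-detection and overlay stages of the chain above, added here as an example; it is not ThreatsEye tooling and is not derived from Rokarolla samples. It assumes the APK's manifest has already been decoded to text XML (for example with apktool); the stage-to-permission mapping, function names and sample manifests are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Assumed mapping: attack-chain stage -> Android permissions that enable it.
STAGE_PERMISSIONS = {
    "sms_interception": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"},
    "overlay_display": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "target_app_detection": {"android.permission.QUERY_ALL_PACKAGES"},
}

def triage_manifest(manifest_xml):
    """Return the attack-chain stages that a decoded manifest's declarations enable."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    stages = {s for s, perms in STAGE_PERMISSIONS.items() if perms & requested}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    if any(svc.get(ANDROID_NS + "permission") == A11Y_BIND for svc in root.iter("service")):
        stages.add("accessibility_abuse")
    return stages

def needs_review(stages):
    """Escalate when an accessibility service is paired with SMS access or overlays."""
    return "accessibility_abuse" in stages and bool(
        stages & {"sms_interception", "overlay_display"})

# Constructed sample manifests (not taken from any real sample).
SUSPICIOUS = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <application>
    <service android:name=".HelperService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_SMS_APP = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messages">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml_text in (("suspicious", SUSPICIOUS), ("benign", BENIGN_SMS_APP)):
        found = triage_manifest(xml_text)
        print(name, sorted(found), "REVIEW" if needs_review(found) else "ok")
```

An accessibility service can draw its own overlays without SYSTEM_ALERT_WINDOW, so the accessibility declaration is the strongest single signal in this check.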
Rokarolla is a reminder that Android banking malware is becoming more advanced, more targeted, and more dangerous. With its focus on banking and cryptocurrency applications, phishing overlays, SMS theft, and device takeover capabilities, it represents a significant risk for both users and financial organizations.
Cybersecurity teams should not treat mobile threats as isolated incidents. They should be monitored as part of a broader external threat intelligence strategy.
Threats like Rokarolla show the importance of continuous monitoring, fast analysis, and actionable intelligence.
Want to strengthen your organization’s visibility against mobile malware, phishing, and financial cyber threats? Contact ThreatsEye to learn how our threat intelligence platform can help.