Zimperium's zLabs has identified Rokarolla, a new Android banking trojan that compromises 217 banking and cryptocurrency applications. The malware executes 137 distinct remote commands, granting operators extensive control over infected devices.

Rokarolla steals lock-screen PINs and intercepts SMS messages, enabling attackers to bypass two-factor authentication protections. The trojan modifies device clipboard contents to redirect cryptocurrency transfers to attacker-controlled wallets. It disables Google Play Protect, removing a critical security layer that would otherwise detect malicious activity.

The malware's scope extends across major financial institutions and crypto platforms. By controlling clipboard operations, Rokarolla captures payment addresses users intend to send funds to and replaces them with attacker addresses. Victims believe they are transferring cryptocurrency to legitimate recipients while their funds route to attackers instead.

SMS interception poses particular risk to authentication schemes relying on one-time passwords. Attackers can receive verification codes meant for legitimate account access, then use them to compromise banking portals and crypto exchange accounts. PIN theft allows direct access to device security features, enabling attackers to modify settings, install additional malware, or wipe forensic evidence.

The 137 remote commands indicate a modular architecture. Operators can selectively activate capabilities based on target profile, making detection more difficult. Some infected devices may show minimal suspicious activity while supporting extensive command-and-control functionality.

Android users face infection through third-party app stores, malicious advertisements, or compromised legitimate applications. Zimperium researchers had not disclosed the active distribution channels at the time of publication.

Organizations managing Android device fleets should require updated security software and restrict third-party app installation. Individual users should download applications exclusively from Google Play and enable Google Play Protect. Financial institutions should alert customers to exercise caution with unsolicited messages requesting verification codes or