
Hackers Use Rokarolla Banking Trojan to Intercept SMS Codes and Steal Crypto Credentials


Jun 29, 2026 · 7 min read

A newly discovered Android banking trojan called Rokarolla has been making waves across the cybersecurity community, targeting victims by posing as well-known, trusted applications.

The malware goes after banking and cryptocurrency users with a level of sophistication that puts it firmly in a different category from typical mobile threats.

Security experts say it is one of the more complete mobile fraud platforms seen in the Android malware space so far this year.

Rokarolla spreads through malicious websites carefully designed to look like legitimate software download portals.

Victims are tricked into installing what appears to be a trusted app, including fake versions of TikTok, Google Chrome, and even Google Play Protect.

Once installed, the trojan silently requests deep system permissions, setting the stage for a wide range of data theft and fraud operations.

Researchers at PolySwarm, who shared a report with Cyber Security News (CSN), identified the malware and noted that Rokarolla targets at least 217 banking and cryptocurrency applications.

The malware exposes at least 137 operator commands, giving attackers a powerful and flexible toolkit for compromising victim devices. The scale and structure of its targeting list point clearly to a financially motivated operation designed to maximize opportunities for fraud.

Beyond stealing login credentials, the trojan collects device unlock PINs and passwords, intercepts SMS messages including one-time passcodes, and blocks fraud alert calls before victims ever see them.

Its ability to combine so many capabilities into a single package makes detection and response considerably harder. Users may have no idea their device has been compromised until serious financial damage has already been done.

The malware also supports multiple fallback command-and-control domains, meaning that even if investigators take down one server, the operation keeps running.

It can dynamically pull updated configurations from attacker infrastructure, keeping its phishing content and target list current. This kind of built-in resilience is a clear sign that the group behind Rokarolla planned for long-term, sustained campaigns.

Hackers Use Rokarolla Banking Trojan

Rokarolla’s most dangerous trick is its use of HTML-based phishing overlays that appear directly on top of legitimate banking and cryptocurrency applications.

When a user opens a targeted app, the malware instantly displays a fake login screen that looks nearly identical to the real one. Without close inspection, most users would simply type in their credentials, handing them straight to the attacker.

The malware also abuses Android Accessibility Services to automate actions, read on-screen content, and interact with apps without the user noticing.

This lets it silently log keystrokes, extract on-screen text, and harvest contact information from apps like WhatsApp.

Researchers noted that clipboard monitoring is also active, meaning the trojan can swap a copied cryptocurrency wallet address for one controlled by the attacker before a transfer is confirmed.

SMS Interception and Device Surveillance Capabilities

One of the most alarming features of Rokarolla is its ability to intercept SMS messages in real time, capturing one-time passcodes that many banks and crypto platforms use for two-factor authentication.

By grabbing these codes the moment they arrive, attackers can bypass account security even when victims have extra protections turned on.

This makes it effective against services that many users once considered relatively safe. The malware also takes periodic screenshots of the device and transmits them in compressed form to its control servers, allowing operators to visually monitor victim activity over time.

It can also block or intercept incoming phone calls, preventing banks from reaching customers with fraud warnings.

Security experts recommend avoiding app downloads from unofficial websites, exercising caution when granting Accessibility Service permissions, and monitoring your device for unexpected permission changes or unexplained battery drain.

Defenders are advised to watch closely for unauthorized Accessibility Service usage, suspicious overlay behavior, and unexpected SMS handler modifications as early warning signs.

Organizations managing mobile device fleets should treat any app sideloaded outside of official stores with serious scrutiny. Early detection remains the most effective line of defense against highly persistent threats like Rokarolla.
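The early warning signs above can be turned into a fleet triage check. The script below is an added example, not code from the article, PolySwarm or CSN; it assumes the inputs are what an operator captures with `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell pm list packages -3 -i`, and the allowlist, expected SMS handler and device output are constructed placeholders.

```shell
#!/bin/sh
# Fleet triage helper (added example, not from the article or PolySwarm). Inputs
# are what `adb shell settings get secure enabled_accessibility_services`,
# `adb shell settings get secure sms_default_application` and
# `adb shell pm list packages -3 -i` return; constructed samples stand in here.

# Policy values (assumed placeholders; adjust to the fleet's approved apps).
ALLOWED_A11Y="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"
EXPECTED_SMS="com.google.android.apps.messaging"
EXPECTED_STORE="com.android.vending"
# Constructed device output: a lookalike "Play Protect" package has enabled an
# accessibility service, taken over SMS handling and was installed outside the store.
SAMPLE_A11Y="$ALLOWED_A11Y:com.google.playprotect.update/.AccService"
SAMPLE_SMS="com.google.playprotect.update"
SAMPLE_PKGS="package:com.whatsapp  installer=com.android.vending
package:com.google.playprotect.update  installer=null
package:com.example.bank  installer=com.android.vending"

# Print enabled accessibility services missing from the allowlist; return 1 if any.
unknown_a11y() {
  _hits=0; _ifs=$IFS; IFS=':'
  for svc in $1; do
    case ":$ALLOWED_A11Y:" in
      *":$svc:"*) ;;
      *) echo "unexpected accessibility service: $svc"; _hits=$((_hits + 1)) ;;
    esac
  done
  IFS=$_ifs
  [ "$_hits" -eq 0 ]
}

# Return 0 only if the default SMS handler is the one policy expects.
sms_handler_ok() { [ "$1" = "$EXPECTED_SMS" ]; }

# Print third-party packages not installed by the approved store; return 1 if any.
sideloaded() {
  _out=$(printf '%s\n' "$1" | awk -v store="$EXPECTED_STORE" '/^package:/ {
      pkg = $1; sub(/^package:/, "", pkg)
      inst = $2; sub(/^installer=/, "", inst)
      if (inst != store) print pkg }')
  [ -z "$_out" ] && return 0
  printf '%s\n' "$_out"
  return 1
}

# Run the three checks against the constructed samples.
unknown_a11y "$SAMPLE_A11Y" || echo "-> review accessibility grants"
sms_handler_ok "$SAMPLE_SMS" || echo "-> default SMS app changed to $SAMPLE_SMS"
sideloaded "$SAMPLE_PKGS" || echo "-> sideloaded packages present"
```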

Indicators of Compromise (IoCs):


Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: CybersecurityNews.com
