Rokarolla: Analyzing the 217-App Android Banking Trojan
Has anyone else dug into the Zimperium report on the new Rokarolla trojan? It’s targeting 217 banking and crypto apps with a staggering 137 remote commands. The functionality to rewrite the clipboard for crypto wallet redirection is particularly aggressive—it effectively bypasses the user’s vigilance during transactions.
The malware seems to rely heavily on abusing Android Accessibility Services to auto-grant permissions and overlay attacks. Given that it disables Google Play Protect immediately upon infection, standard AV defenses are likely blind to it.
For those managing mobile fleets, checking for suspicious accessibility service usage is a solid first step. If you are analyzing APKs, you can use androguard to check for the dangerous combination of Accessibility and SMS permissions:
from androguard.misc import AnalyzeAPK

BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def check_trojan_indicators(apk_path):
    a, d, dx = AnalyzeAPK(apk_path)
    perms = a.get_permissions()  # <uses-permission> entries only
    # BIND_ACCESSIBILITY_SERVICE is declared on the <service> element,
    # not requested via <uses-permission>, so check both places
    has_accessibility = BIND_A11Y in perms or any(
        a.get_value_from_tag(svc, "permission") == BIND_A11Y
        for svc in a.find_tags("service")
    )
    has_sms = "android.permission.RECEIVE_SMS" in perms
    # Check for high-risk permission combo
    if has_accessibility and has_sms:
        return f"[!] Potential Rokarolla Variant: {a.get_package()}"
    return "[+] No immediate indicators found"
Is anyone else seeing indicators of this targeting specific regions, or is the distribution global so far? How are you handling the detection of Accessibility abuse on BYOD devices?
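As an added example (not from the original post or the Zimperium report), the same indicator check done on a decoded AndroidManifest.xml with only the standard library, extended to the overlay and sideloading permissions mentioned in the thread; the sample manifest and package name are constructed, not taken from a real sample.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Permissions that, combined with an accessibility service, match the
# behaviours described in the thread (SMS interception, overlays, sideloading)
RISKY_PERMS = {
    "android.permission.RECEIVE_SMS": "SMS interception",
    "android.permission.READ_SMS": "SMS interception",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay attacks",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper / sideloading",
}

def manifest_indicators(manifest_xml: str) -> dict:
    """Return accessibility-service declarations and risky permissions
    found in a decoded AndroidManifest.xml (text XML, e.g. from apktool)."""
    root = ET.fromstring(manifest_xml)
    requested = {
        el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")
    }
    # BIND_ACCESSIBILITY_SERVICE is set on the <service> element,
    # not requested via <uses-permission>
    a11y_services = [
        svc.get(ANDROID_NS + "name")
        for svc in root.iter("service")
        if svc.get(ANDROID_NS + "permission") == BIND_A11Y
    ]
    risky = {p: RISKY_PERMS[p] for p in requested if p in RISKY_PERMS}
    return {
        "package": root.get("package"),
        "accessibility_services": a11y_services,
        "risky_permissions": risky,
        # Accessibility service + any risky permission is the combination to flag
        "suspicious": bool(a11y_services) and bool(risky),
    }

# Constructed sample manifest (hypothetical package, not a real Rokarolla sample)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Calling manifest_indicators(SAMPLE_MANIFEST) flags the sample because it declares an accessibility service alongside RECEIVE_SMS and SYSTEM_ALERT_WINDOW; a manifest with only INTERNET is reported as not suspicious.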
The clipboard hijacking feature is the real kicker here. It effectively renders 2FA via SMS useless for the crypto transfer itself if the user copies the address. We've started enforcing FIDO2 hardware keys for our finance team to mitigate this exact vector. Software-based 2FA just isn't cutting it against these modern trojans.
I'm curious about the C2 infrastructure. With 137 commands, the traffic footprint must be unique. We are currently testing a KQL rule to catch devices toggling off Play Protect and then hitting unknown IPs shortly after:
DeviceEvents
| where ActionType == "PlayProtectStateChange"
| where AdditionalFields contains "disabled"
| join kind=inner DeviceNetworkEvents on DeviceId
// enforce the "shortly after" window; the join renames the right-side Timestamp to Timestamp1
| where Timestamp1 between (Timestamp .. (Timestamp + 10m))
| where RemoteIP !in (SafeIPList)
This looks like an evolution of the Xenomorph/Brokerody families we saw last year. The focus on crypto apps suggests the threat actors are shifting priorities from pure banking credentials to direct wallet theft. We are blocking all third-party app stores via MDM, but social engineering remains the hardest vector to patch.