Rokarolla Android Trojan Hits 217 Banking and Crypto Apps

Zimperium disclosed Rokarolla, an Android trojan with a 137-command C2 framework that targets 217 banking and cryptocurrency apps via dynamic overlay attacks.

    Zimperium security researchers disclosed Rokarolla, a new Android banking trojan that targets 217 banking and cryptocurrency applications through dynamically downloaded overlay payloads matched to each victim’s installed app portfolio. The malware operates with a 137-command remote command-and-control framework — with the full command list published by Zimperium in a public GitHub repository — and suppresses fraud detection by blocking bank calls and alert messages from reaching infected devices.

    How Rokarolla’s Dynamic Overlay System Covers 217 Banking and Crypto Targets

    Rokarolla distributes through malicious websites posing as legitimate app stores, delivering fake Chrome or TikTok installer packages that install the trojan on the victim’s device. The malware was not found on the Google Play Store.

    Once installed, Rokarolla does not carry its overlay payloads statically. Instead, it enumerates the banking and cryptocurrency applications installed on the victim’s device and downloads overlay screens only for those applications. This dynamic approach maximizes credential coverage across the 217 targeted applications while keeping the static malware footprint small: the full target list is never embedded in the binary that an analyst would examine.

    Overlay Attacks, PIN Capture, and the Call-Blocking Fraud Suppression Mechanism

    Credential theft uses fake overlay screens displayed over legitimate banking and cryptocurrency application interfaces. When a victim opens one of the 217 targeted apps, Rokarolla presents a convincing fake login screen that captures entered credentials before they reach the real application.

    Separately, Rokarolla captures device lock screen PINs and patterns through screen recording. The combination of app credential overlays and lock screen capture gives attackers access to both banking credentials and the device-level authentication protecting those accounts.

    The call-blocking component is particularly effective at extending the fraud window. Banking fraud departments frequently call customers to verify unusual transaction activity. Rokarolla blocks incoming calls from banks and silences bank alert SMS messages before they reach the victim — creating a window during which fraudulent transactions can complete without triggering the real-time verification that would alert the customer or halt the transaction.

    Rokarolla’s 137-Command C2 Framework and Post-Compromise Persistence

    Zimperium published Rokarolla’s complete 137-command C2 framework in a public GitHub repository. Documented capabilities include keystroke logging, screenshot capture with timestamps, clipboard monitoring, SMS exfiltration, WhatsApp contact harvesting, and persistent screen activation to prevent device lock during active attack sessions.

    Evasion mechanisms include disabling Google Play Protect — Android’s built-in malware scanner — hiding the application icon after installation to prevent manual removal by the victim, and silencing audio notifications to avoid alerting the user to ongoing activity. The combination of icon hiding and Play Protect disabling creates a persistent, concealed foothold that a non-technical user has no straightforward path to detect or remove through standard device settings.

    The Structural Advantage of Dynamic Overlay Selection for Targeting Scale

    The dynamic overlay delivery model represents a deliberate design choice that provides Rokarolla’s operators with operational advantages over static banking trojans. A static trojan with hardcoded overlays for 217 applications is a larger binary with a larger detection surface — its target list is embedded in the malware and immediately revealed to analysts who examine a sample.

    Rokarolla’s approach inverts that exposure. The malware binary is lean and its targeting intentions are partially concealed; the overlay payloads for the victim’s specific installed apps are downloaded after infection, tailored to that individual device. An analyst examining a sample from one victim sees only the overlays relevant to that victim’s banking apps, not the full 217-application target list.

    The 137 C2 commands give Rokarolla’s operators extensive control over infected devices beyond credential theft — from SMS routing and clipboard access to persistent screen control that can keep a device awake and active during attack operations. The full scope of the campaign, including the geographic distribution of targets and whether specific banking institutions are primary targets, was not detailed in Zimperium’s initial disclosure.
