The Rokarolla Android banking trojan has evolved beyond basic credential theft to deliver comprehensive device control, combining banking fraud with extensive surveillance capabilities and a 137-command remote control framework, making it one of the most feature-rich Android banking trojans disclosed in 2026.
Security researchers published analysis of the malware’s expanded capabilities Tuesday, documenting a trojan that targets 217 banking and cryptocurrency applications with automated overlay attacks, screen recording for PIN capture, call suppression, and WhatsApp contact harvesting.
The 137-Command C2 Framework: Remotely Controlled Device Access
Rokarolla’s command and control framework includes 137 distinct commands that give operators comprehensive remote device access. The capabilities include screen recording for PIN capture, fake overlay attacks targeting 217 banking and cryptocurrency applications, call blocking to suppress fraud alerts, WhatsApp contact harvesting, clipboard monitoring, and keeping the screen awake for the duration of an attack session.
The targeting list of 217 applications demonstrates premeditated, broad-scope credential harvesting. The malware automatically selects overlay screens based on which banking apps are installed on the victim’s device, so each infection is tailored to the apps actually present.
The call-blocking capability is particularly effective at delaying fraud detection: by suppressing calls from the bank, it creates a window for fraudulent transactions before the bank or the customer becomes aware of the compromise.
Distribution Through Malicious Sites and Third-Party App Stores
The malware spreads through malicious websites that pose as legitimate Chrome and TikTok installers. Distribution channels include third-party app stores and malicious advertisements rather than the Google Play Store.
The evolution of Rokarolla from a simple keylogger to a full-device-control platform illustrates how quickly mobile banking trojans can mature once initial distribution channels are established. The 217-application targeting scope and the 137-command C2 framework indicate a level of operational investment that suggests the campaign is designed for sustained, large-scale operations rather than opportunistic attacks.
