Researchers at Zimperium's zLabs have uncovered a new Android banking trojan dubbed Rokarolla that targets 217 banking and cryptocurrency applications and wields an unusually large arsenal of 137 remote commands — giving attackers granular control over nearly every function on a compromised device.
What Rokarolla Can Do
Once installed on a victim's phone, Rokarolla operators gain access to a broad range of invasive capabilities. The malware can harvest lock-screen PINs, intercept and send SMS messages, and rewrite the device's clipboard to silently redirect cryptocurrency transactions to attacker-controlled wallets. It also has the ability to disable Google Play Protect, the built-in security mechanism that scans apps for malicious behaviour, effectively removing one of Android's primary defence layers.
The combination of PIN theft, SMS interception, and clipboard manipulation makes Rokarolla particularly dangerous. Attackers can intercept two-factor authentication codes sent via text message, unlock the device, and carry out unauthorised transactions — all without the victim's knowledge. For cryptocurrency users, the clipboard-rewriting feature poses a serious risk: copied wallet addresses can be swapped in real time, funnelling funds to the attacker.
Why 137 Commands Matter
The sheer volume of remote commands sets Rokarolla apart from many other Android trojans documented in recent years. Each command represents a discrete action the malware operator can trigger, from taking screenshots and keylogging to overlaying fake login screens on top of legitimate banking apps. This level of granularity suggests a well-organised development effort, possibly indicating that Rokarolla is being distributed as Malware-as-a-Service (MaaS), where paying customers can select specific modules and commands tailored to their targets.
According to Zimperium's zLabs team, the trojan's command-and-control infrastructure is designed for flexibility, allowing operators to adapt their attack strategies based on which apps are installed on the victim's device. The 217 targeted applications span traditional banking apps, payment platforms, and popular cryptocurrency wallets — a dual focus that reflects the growing convergence of conventional finance and digital assets in the threat landscape.
Implications for Mobile Security
Rokarolla's discovery highlights a continuing escalation in the sophistication of Android malware. The ability to disable Play Protect, combined with overlay attacks and SMS interception, creates a multi-layered assault that can bypass many of the standard protections everyday users rely on.
For IT security teams and mobile device administrators, the trojan reinforces the importance of defence-in-depth strategies. Relying solely on built-in platform protections is increasingly insufficient. Organisations should consider deploying dedicated mobile threat defence (MTD) solutions capable of detecting runtime behaviours such as overlay attacks and clipboard tampering, rather than relying exclusively on static app scanning.
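As an added example (not code from the article, from Zimperium, or from any MTD product), the following Python heuristic shows the kind of runtime check an MTD agent or a wallet app could apply to clipboard write events to catch the swap described above: a wallet address copied by one app is replaced within seconds by a different address of the same format, written by a different package. The event format, package names and addresses below are constructed for the example, and the address regexes are deliberately simplified rather than full validators.

```python
import re
from dataclasses import dataclass

# Simplified shape checks for common wallet address formats.
# Constructed for this example; not a substitute for proper checksum validation.
ADDRESS_PATTERNS = {
    "btc_legacy": re.compile(r"^[13][a-km-zA-HJ-NP-Z1-9]{25,34}$"),
    "btc_bech32": re.compile(r"^bc1[a-z0-9]{25,62}$"),
    "eth": re.compile(r"^0x[0-9a-fA-F]{40}$"),
}


@dataclass
class ClipEvent:
    """One clipboard write, as an on-device agent might record it (constructed shape)."""
    ts: float       # seconds since boot
    package: str    # package that wrote the clipboard
    text: str       # clipboard contents


def address_kind(text):
    """Return the address format name if `text` looks like a wallet address, else None."""
    stripped = text.strip()
    for kind, pattern in ADDRESS_PATTERNS.items():
        if pattern.match(stripped):
            return kind
    return None


def detect_clipboard_swaps(events, window_s=5.0, trusted=frozenset()):
    """Flag writes where a freshly copied address is overwritten by a different
    address of the same format, by another (non-allowlisted) package, within window_s.
    A user re-copying the same address, copying a different kind of data, or an
    allowlisted package (e.g. a password manager) writing the clipboard is not flagged."""
    findings = []
    last_addr = None  # most recent clipboard write that looked like an address
    for ev in sorted(events, key=lambda e: e.ts):
        kind = address_kind(ev.text)
        if kind is None:
            last_addr = None  # non-address content breaks the copy/swap chain
            continue
        if last_addr is not None:
            same_kind = address_kind(last_addr.text) == kind
            quick = ev.ts - last_addr.ts <= window_s
            different = ev.text.strip() != last_addr.text.strip()
            other_writer = ev.package != last_addr.package and ev.package not in trusted
            if same_kind and quick and different and other_writer:
                findings.append({
                    "ts": ev.ts,
                    "kind": kind,
                    "writer": ev.package,
                    "original": last_addr.text.strip(),
                    "replacement": ev.text.strip(),
                    "delay_s": round(ev.ts - last_addr.ts, 2),
                })
        last_addr = ev
    return findings


# Constructed sample events: one malicious swap, several benign writes.
SAMPLE_EVENTS = [
    ClipEvent(100.0, "com.example.wallet", "bc1qar0srrr7xfkvy5l643lydnw9re59gtzzwf5mdq"),
    # 1.2 s later a different package overwrites it with another bech32 address
    ClipEvent(101.2, "com.fake.updater", "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"),
    ClipEvent(300.0, "com.android.chrome", "https://example.com/"),
    ClipEvent(400.0, "com.example.wallet", "0x" + "ab" * 20),
    # user copies the same address again: not a swap
    ClipEvent(400.5, "com.example.wallet", "0x" + "ab" * 20),
    # a different address long after the window: not a swap
    ClipEvent(500.0, "com.example.notes", "0x" + "cd" * 20),
]


if __name__ == "__main__":
    for f in detect_clipboard_swaps(SAMPLE_EVENTS):
        print(f"[{f['ts']}] {f['writer']} replaced {f['kind']} address "
              f"{f['original'][:12]}... with {f['replacement'][:12]}... after {f['delay_s']}s")
```

The package-based attribution is what makes this a runtime signal rather than a static one: the same rewrite looks identical in the clipboard itself, and only the writer and timing distinguish a user copying a second address from a trojan replacing the first. In a real agent the allowlist would hold the device's keyboard and password manager, and a hit would be surfaced to the user before the paste is accepted.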
End users, meanwhile, should remain cautious about installing apps from unofficial sources, grant only necessary permissions, and treat any unexpected prompts to disable security features as a red flag. Enabling biometric authentication where possible — rather than relying on SMS-based two-factor codes — adds another layer of protection against SMS interception campaigns of the kind Rokarolla facilitates.
As mobile malware continues to grow in both capability and ambition, Rokarolla serves as a pointed reminder that the smartphone in your pocket remains one of the most attractive targets for financially motivated attackers.
