Hackers Use Rokarolla Android Malware to Disable Google Play Protect and Control Devices

A newly discovered Android banking trojan called Rokarolla is making waves in the cybersecurity world, and it is more dangerous than most threats we have seen lately.

This malware is built to take full control of an infected device while staying completely hidden from the user. Its reach is staggering, with over 217 banking and cryptocurrency applications currently in its crosshairs.

Rokarolla spreads through fake websites that trick users into downloading what appears to be a legitimate app.

The malware disguises itself as well-known applications like TikTok or Google Chrome, making it very easy for unsuspecting users to install it without any suspicion. Once it lands on a device, a dropper component quietly installs the core malicious payload in the background.

Researchers at Zimperium identified this threat through deep technical analysis conducted by their zLabs team, with the findings shared in a report with Cyber Security News (CSN).

The trojan is actually named after its own command and control infrastructure, giving researchers a unique trail to follow. The team found that the malware uses 137 distinct commands to carry out its operations on infected devices.

Dropper installs the second stage while impersonating a legitimate app (Source - Zimperium)

The scale of what Rokarolla can do is alarming even for seasoned security professionals. It captures lock screen PINs and passwords using fake overlays, silently reads all SMS messages, and logs every keystroke on the device.

All of this stolen data gets sent back to attacker-controlled servers without the victim ever knowing it happened. One of the most concerning aspects of this trojan is how aggressively it covers its tracks.

It hides its app icon from the device drawer, mutes all sounds and vibrations to mask bank alert notifications, and even forces the screen to stay on so its automated tasks are never interrupted. For anyone with sensitive financial apps on their phone, this threat is a serious wake-up call.

Hackers Use Rokarolla Android Malware

Rokarolla goes out of its way to kill Android’s built-in security layer before settling in. It uses specific commands including disable_google_play and protectorgoogle_disable to strip away Google Play Protect, effectively leaving the device blind to further threats.

With that protection gone, the malware gains a wide-open path to carry out its full range of malicious activities.

The trojan abuses Android’s Accessibility Services, a feature normally used to help people with disabilities, to interact with the screen on behalf of the attacker.

It maps out every UI element, monitors active apps, and injects fake login pages on top of real banking apps to steal credentials. When a user thinks they are logging into their bank, they are actually handing their details directly to the attacker.

Banker malware impersonating a legitimate app and requesting Accessibility Service (Source - Zimperium)

The malware also employs a snapshot-based screen monitoring method rather than the more common live screen casting approach. It captures screenshots at regular intervals, compresses them, and transmits them with timestamps to remote servers.

This gives attackers a near-real-time view of everything happening on the victim’s device.

Silent Data Theft and Command Control Infrastructure

Rokarolla is equally dangerous when it comes to stealing data beyond login credentials. It intercepts SMS messages including bank OTPs, blocks incoming calls from financial institutions, and silently overwrites clipboard content to redirect cryptocurrency wallet addresses.

The attacker can redirect a financial transaction without the user ever noticing the switch. The malware communicates with its command and control servers over HTTPS to blend in with normal traffic.

It sends a full device profile on first contact, including hardware details, battery status, and storage information, to generate a unique bot ID. The malware also supports multiple fallback domains and can dynamically switch between them if one gets blocked.

To stay safe, users should avoid installing apps from outside the official Google Play Store and be very cautious about granting Accessibility Service permissions to any application.

Keeping Android security patches up to date and using a mobile threat defense solution can significantly reduce the risk of infection from threats like Rokarolla.

Indicators of Compromise (IoCs):

The following IoCs were identified in the Zimperium zLabs research report.

| Type | Indicator | Description |
| --- | --- | --- |
| URL | hxxps[://]infocontablidades[.]it[.]com/ | Primary malware distribution site masquerading as TikTok or Google Chrome |
| Domain | beralisvc[.]info | C2 fallback domain used for malware communication |
| Domain | blestorians[.]cfd | C2 fallback domain used for malware communication |
| Domain | abiorime[.]cfd | C2 fallback domain used for malware communication |
| Domain | morevoms[.]cfd | C2 fallback domain used for malware communication |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
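As an added example (not code from the article or from Zimperium), the script below refangs the indicators from the table above and matches them against a constructed BIND-style DNS query log, using suffix matching on a label boundary so that a look-alike name is not flagged just because it contains an IoC domain as a substring.

```python
import re

# Indicators copied from the article's IoC table, still defanged as published.
DEFANGED_IOCS = {
    "hxxps[://]infocontablidades[.]it[.]com/": "distribution site",
    "beralisvc[.]info": "C2 fallback domain",
    "blestorians[.]cfd": "C2 fallback domain",
    "abiorime[.]cfd": "C2 fallback domain",
    "morevoms[.]cfd": "C2 fallback domain",
}


def refang(indicator: str) -> str:
    """Undo the defanging used in the table: hxxp(s) -> http(s), [://] -> ://, [.] -> ."""
    s = indicator.strip()
    s = re.sub(r"^hxxp(s?)\[?://\]?", r"http\1://", s, flags=re.IGNORECASE)
    return s.replace("[://]", "://").replace("[.]", ".")


def host_of(indicator: str) -> str:
    """Lowercased hostname of a (possibly defanged) URL or bare domain, without scheme, port or path."""
    s = re.sub(r"^[a-z]+://", "", refang(indicator), flags=re.IGNORECASE)
    return s.split("/", 1)[0].split(":", 1)[0].lower()


IOC_HOSTS = {host_of(ioc): desc for ioc, desc in DEFANGED_IOCS.items()}

# Constructed sample of BIND-style query log lines (not real traffic).
SAMPLE_DNS_LOG = [
    "client 10.0.0.5#53211: query: www.google.com IN A + (10.0.0.1)",
    "client 10.0.0.5#53214: query: api.beralisvc.info IN A + (10.0.0.1)",
    "client 10.0.0.5#53219: query: infocontablidades.it.com IN A + (10.0.0.1)",
    "client 10.0.0.5#53222: query: notmorevoms.cfd IN A + (10.0.0.1)",
]
QUERY_RE = re.compile(r"query:\s+(?P<qname>[A-Za-z0-9.-]+)")


def match_dns_log(lines):
    """Return (qname, description) for each query equal to, or a subdomain of, an IoC host.
    Matching on a label boundary keeps 'notmorevoms.cfd' from being flagged for 'morevoms.cfd'."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        for host, desc in IOC_HOSTS.items():
            if qname == host or qname.endswith("." + host):
                hits.append((qname, desc))
                break
    return hits
```

Calling match_dns_log(SAMPLE_DNS_LOG) flags the two true hits (the beralisvc[.]info subdomain and the distribution site) and ignores the look-alike name.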

The post Hackers Use Rokarolla Android Malware to Disable Google Play Protect and Control Devices appeared first on Cyber Security News.

Tushar Subhra Dutta