Dateline: June 18, 2026
217 Apps in the Crosshairs: The Android Trojan Built for Full Device Takeover
You think you are grabbing TikTok or Chrome. What you actually get is malware that can read your texts, empty your bank app, and block the call your bank makes to warn you. That is RokaRolla, a new Android banking trojan, and it goes after 217 different apps.
What Happened?
Researchers at Zimperium’s zLabs team uncovered RokaRolla in June 2026. It is an Android banking trojan named after the servers that run it, and it was built for one thing: financial fraud with as little chance of getting caught as possible.
The malware does not show up on the Google Play Store. Instead, it spreads through spoofed websites that advertise free versions of popular apps like TikTok and Google Chrome. When you tap to download, you do not get the real app. You get a dropper that poses as Google Play Protect, Android’s own anti-malware tool. That fake screen makes the install feel safe.
Once it is on the phone, RokaRolla asks for sweeping permissions. Accessibility access is the main one, plus access to your SMS, calls, and notifications. Because the requests look normal, plenty of people tap approve without thinking twice. After that, the trojan disables Play Protect and runs its full toolkit, a set of roughly 137 remote commands.
Here is where it gets nasty. When you open one of the 217 targeted banking or crypto apps, RokaRolla drops a fake login page right over the real one. Whatever you type (username, password, card number) goes straight to the attackers. It pulls the same trick with a fake lock screen to grab your PIN and pattern.
The trojan also reads and sends your texts, which lets it grab one-time bank codes and slip past two-factor checks. It logs keystrokes, takes screenshots, swaps crypto wallet addresses on your clipboard, and blocks incoming calls so your bank cannot reach you about the fraud.
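As an added example (not code from Zimperium or this article), here is a defender-side triage heuristic in Python that flags an Android manifest declaring the permission combination described above: an accessibility service, screen overlays, SMS access and call control. The permission names are real Android identifiers; the grouping, the takeover-profile rule and the two sample manifests are assumptions constructed for illustration.

```python
# Added example: manifest triage heuristic. The scoring rule is an assumption, not a vendor signature.
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions grouped by the capability they give an overlay/SMS-stealing trojan.
CAPABILITIES = {
    "sms_interception": {"android.permission.READ_SMS",
                         "android.permission.RECEIVE_SMS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "call_control": {"android.permission.ANSWER_PHONE_CALLS"},
}
# Privileged services are recognised by the permission they must be bound with.
SERVICE_BINDINGS = {
    "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "notification_listener": "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE",
}
# Accessibility + overlay + SMS together is the full-takeover profile worth escalating.
TAKEOVER_PROFILE = {"accessibility", "overlay", "sms_interception"}

def triage_manifest(xml_text: str) -> dict:
    """Return the capabilities a manifest declares and whether they match the takeover profile."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    bound = {s.get(ANDROID_NS + "permission") for s in root.iter("service")}
    found = {cap: sorted(perms & requested)
             for cap, perms in CAPABILITIES.items() if perms & requested}
    for cap, perm in SERVICE_BINDINGS.items():
        if perm in bound:
            found[cap] = [perm]
    return {"capabilities": found,
            "takeover_profile": TAKEOVER_PROFILE <= set(found)}

# Constructed sample: a fake "browser" manifest carrying the trojan's permission set.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ANSWER_PHONE_CALLS"/>
  <application>
    <service android:name=".Svc"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: network access only.
BENIGN_MANIFEST = ('<manifest xmlns:android="http://schemas.android.com/apk/res/android">'
                   '<uses-permission android:name="android.permission.INTERNET"/></manifest>')
```

Run `triage_manifest(SUSPECT_MANIFEST)` to see the flagged capability list; a real pipeline would feed it the manifest extracted from an APK rather than an inline string.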
What RokaRolla Steals
Once it has control, almost nothing on the phone is private.
What’s the Impact?
This is more than a password grab. Security researchers say RokaRolla points to a bigger shift in Android attacks. Crooks are no longer happy stealing one login. They want the whole device.
Full control means they can drain accounts, move crypto, and stay hidden while doing it. Hiding the app icon, silencing alerts, and intercepting fraud calls all work together to keep victims in the dark. And because the malware is built to dodge older signature-based phone security, plenty of basic defenses miss it entirely.
How to Avoid This
- Stick to the Google Play Store and never install an app from a link sent by a website or message.
- Treat any app claiming to be Google Play Protect as a red flag, because the real one does not work that way.
- Never grant Accessibility access to an app you just downloaded, no matter how convincing the prompt looks.
- Keep Play Protect switched on and check it now and then to make sure nothing turned it off.
- Use an authenticator app instead of SMS codes where you can, so a stolen text does not unlock your accounts.
Past the Lock Screen: Where Mobile Fraud Really Gets Stopped
- Spot apps that abuse Accessibility permissions and overlay tricks before they reach users.
- Flag credential theft attempts early, so a stolen login does not turn into a drained account.
- Watch for SMS interception and OTP theft that quietly defeats two-factor protection.
- Catch device takeover patterns that older, signature-based tools tend to miss.
- Tie alerts to real context, so your team acts on actual fraud instead of chasing noise.