‹ ARCHIVE NB-L042 · .log · 2026·06

It poses as your phone's antivirus to steal your bank, your SMS codes, and your crypto

There is a new piece of Android malware that, once installed, does almost everything you do on your phone, and then some: it reads your texts, copies the codes your bank sends to confirm payments, photographs your screen, and swaps the wallet address when you try to send cryptocurrency. It is called Rokarolla, it targets 217 banking and crypto apps, and it ships with 137 commands to be run remotely.

What is alarming here is not the sophistication of the code, but the simplicity of the way in. Rokarolla does not break into your bank or crack anyone's encryption: it asks you for a permission and counts on you granting it. The key piece is a feature of Android itself, the Accessibility Services, built to help people who struggle to use a phone. Granted to the wrong app, that same feature can read the screen, tap the buttons, and fill in fields for you.

The case was documented by researchers at Zimperium in a report published on June 16. To get in, Rokarolla uses a fittingly ironic disguise: it arrives through websites posing as well-known apps like TikTok or Chrome, and the first thing the victim installs is a decoy that imitates Google Play Protect, the very antivirus that ships with Android. It is that fake protector that installs the rest and asks for the Accessibility permission.

From there, the phone stops being yours. When you open the real banking app, Rokarolla lays a fake login page over it, copied from the original, and saves everything you type into it, card details included. A separate fake window mimics the lock screen to hand over your PIN, which gives the attacker control of the device even while it is locked.

It reads and sends SMS, so it gets the one-time codes your bank sends; and by making itself the default app for texts and calls, it can even block the bank's warning call so it never reaches you. It logs what you type, photographs the screen frame by frame to avoid triggering the recording prompt, switches off Google Play Protect, and copies your contacts. And when you copy a crypto wallet address to paste it, it silently swaps it for the attacker's.

Why the code your bank texts you is no longer a shield

Here is the part that hits closest to home. Two-factor authentication by SMS, that one-time code your bank sends to confirm who you are, rests on a simple idea: even if they steal your password, they are missing the code that only reaches your phone. Rokarolla undoes that idea, because it lives inside the very phone that receives the code. When the thief controls the device that is supposed to prove you are you, the second factor stops being a second factor.

And this is not a distant problem. Zimperium notes that Rokarolla follows the same playbook as a wave of 2026 Android bankers, the programs that disguise themselves as trusted apps: decoys imitating real apps, Accessibility abuse, and fake pages laid over the genuine ones. It is because of this wave that Google is rolling out mandatory developer verification, which will block the installation of apps from unverified sources (first in a few countries, in 2026, and worldwide from 2027). The phone has become the safe where we keep our bank, our identity, and our money; it is only natural that it is where the thieves are aiming.

How to protect yourself

There is no fix to install here, because this is not a software flaw; it is malware. Defending against it does not take technical knowledge; it takes a couple of habits:

  • Install apps only from the official store. A site asking you to "update Chrome" or "install TikTok" outside the Play Store is, almost always, the way in.
  • Be suspicious of any Accessibility request. Very few legitimate apps need it; if an ordinary app asks for it, refuse and uninstall.
  • Drop SMS-based two-factor where you can. An authenticator app or a passkey does not arrive by message and is not as easy to copy.
  • Confirm the address before sending crypto. Check the first and last characters after pasting; that is where the swap happens.
  • Keep Play Protect on and your phone updated. If something tries to switch it off, treat that as an alarm, not a detail.
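The second habit above, watching who holds Accessibility access, can be checked on a phone you are reviewing rather than guessed at. The following is an added example, not code from the Zimperium report: it parses the values returned by `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application` (the second key is assumed to be exposed on the device) and flags any package outside a small allowlist; the sample values and the package `com.example.fakeprotect` are constructed.

```python
"""Triage check for the two settings a Rokarolla-style banker abuses:
which apps hold Accessibility access, and which app is the default
SMS handler (the banker makes itself the default to read one-time codes).
Added example; setting values below are constructed, not captured."""
from dataclasses import dataclass

# Packages expected in the Accessibility list on the device under review
# (constructed allowlist; extend it for screen readers you actually use).
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

# Default SMS handlers treated as legitimate (constructed allowlist).
SMS_ALLOWLIST = {
    "com.google.android.apps.messaging",
    "com.samsung.android.messaging",
}


@dataclass
class Finding:
    setting: str
    value: str
    reason: str


def parse_accessibility_services(raw: str) -> list[str]:
    """`enabled_accessibility_services` is a colon-separated list of
    package/ServiceClass entries; return just the package names."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def audit(accessibility_raw: str, default_sms_pkg: str) -> list[Finding]:
    """Flag Accessibility holders and SMS handlers outside the allowlists."""
    findings = []
    for pkg in parse_accessibility_services(accessibility_raw):
        if pkg not in ACCESSIBILITY_ALLOWLIST:
            findings.append(Finding("enabled_accessibility_services", pkg,
                                    "unexpected app holds Accessibility access"))
    sms = default_sms_pkg.strip()
    if sms and sms != "null" and sms not in SMS_ALLOWLIST:
        findings.append(Finding("sms_default_application", sms,
                                "default SMS handler has been replaced"))
    return findings


# Constructed sample of what the two queries might return on an infected phone.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/.TalkBackService:"
                        "com.example.fakeprotect/.PlayProtectService")
SAMPLE_DEFAULT_SMS = "com.example.fakeprotect"

if __name__ == "__main__":
    for f in audit(SAMPLE_ACCESSIBILITY, SAMPLE_DEFAULT_SMS):
        print(f"[!] {f.setting}={f.value}: {f.reason}")
```

On a clean device both queries should return only allowlisted packages (or `null` for the Accessibility list); any other entry is the tap the article warns about, and the app behind it deserves a look before anything else.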

There is an uncomfortable lesson at the center of this story. Rokarolla was built on purpose to defeat the very protections we are told to rely on, from the phone's antivirus to the lock screen. Its strongest weapon was not a clever trick; it was the permission it counts on you to give. That tap is the one worth thinking about twice.

Original source: Zimperium zLabs.

#StaySafe
🙏🖖
