HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Rokarolla Android Trojan Harvests Credentials from 217 Banking and Crypto Apps

A new Android trojan, Rokarolla, disguises itself as legitimate apps, disables Play Protect, and uses Accessibility Services to overlay fake login screens on 217 banking and cryptocurrency applications, stealing credentials. This highlights the need for robust SOC 2 access‑control monitoring and security‑awareness programs.

LiveThreat™ Intelligence · 📅 June 17, 2026· 📰 securityaffairs.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
securityaffairs.com

Rokarolla Android Trojan Harvests Credentials from 217 Banking and Crypto Apps

What Happened — Researchers at Zimperium’s zLabs disclosed a new Android banking trojan, Rokarolla, that spreads via malicious web pages masquerading as popular apps (e.g., TikTok, Chrome). Once installed, the dropper disables Google Play Protect, gains Accessibility Services permission, and overlays fake login screens on 217 targeted banking and cryptocurrency applications to steal credentials, card numbers, and even lock‑screen PINs.

Why It Matters for Compliance & Audit Readiness

  • The attack demonstrates a classic credential‑compromise scenario that SOC 2 CC6.1 (Logical Access Controls) is designed to prevent and evidence.
  • Continuous monitoring of mobile device configurations and access‑control logs provides the audit‑ready proof that unauthorized Accessibility permissions are not granted.
  • Security awareness training that covers malicious‑website vectors and fake‑app lures helps satisfy CC6.2 (Security Awareness) and reduces the likelihood of user‑initiated installations.

Who Is Affected — Financial services firms (banks, crypto exchanges), mobile‑app developers, and any organization whose employees use Android devices to access sensitive financial applications.

Recommended Actions

  • Enforce a policy that blocks installation of apps outside approved enterprise app stores and disables Accessibility Services for non‑essential apps.
  • Deploy mobile‑device‑management (MDM) solutions that continuously collect and retain logs of permission changes as SOC 2 evidence.
  • Conduct targeted security‑awareness training on malicious‑website downloads and the risks of granting Accessibility access.
  • Validate that Google Play Protect (or equivalent) remains active on all managed devices and monitor for attempts to disable it.

Technical Notes – Rokarolla is delivered via malicious URLs (e.g., infocontablidades.it.com), uses a dropper that mimics Play Protect, obtains Accessibility Services, injects UI overlays, captures credentials in a local SQLite DB, and exfiltrates data to C2 servers. No public CVE is associated; the threat relies on Android permission abuse rather than a software vulnerability. Source: SecurityAffairs

📰 Original Source
https://securityaffairs.com/193745/cyber-crime/new-rokarolla-android-trojan-targets-217-banking-and-crypto-apps.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →