ctipilot.ch


Zimperium: Rokarolla Android banking trojan targets 217 apps with full device takeover

From CTI Daily Brief — 2026-06-17 · published 2026-06-17

Zimperium zLabs detailed Rokarolla, a new Android banking trojan distributed via sideloading from sites impersonating TikTok/Chrome, using a dropper that masquerades as Google Play Protect to obtain Accessibility Service permissions (Zimperium zLabs, 2026-06-16). It targets 217 banking and crypto apps via a 137-command framework: lifting the lock-screen PIN, intercepting SMS OTPs, rewriting the clipboard to hijack crypto payments, disabling Play Protect, and — distinctively — registering itself as the default call/SMS handler so a bank's warning call or SMS never reaches the victim (BleepingComputer, 2026-06-16). A target list of this breadth makes any Android device used for e-banking a plausible victim once an app is sideloaded.

Why it matters to us: Rokarolla cannot reach the Play Store; it relies entirely on sideloading. Enforce "Install from Unknown Sources" restrictions via Android Enterprise/MDM on managed devices and MAM containers for BYOD; flag any app that disables Play Protect or requests Accessibility Service immediately after a web-sourced install.
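The flagging rule above, sketched as an added example (not code from Zimperium or from this brief): it correlates risky actions with a recent install from an untrusted source and also covers the default call/SMS handler change described earlier. The event schema, field names, the 30-minute window and the `com.example.*` packages are assumptions constructed for illustration; `com.android.vending` is the Google Play Store package.

```python
from datetime import datetime, timedelta

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; add your managed store
WINDOW = timedelta(minutes=30)                # assumed meaning of "immediately after"
RISKY = {"accessibility_enabled", "play_protect_disabled", "default_handler_changed"}

# Constructed sample telemetry in a hypothetical MDM export schema.
EVENTS = [
    {"ts": "2026-06-17T09:00:00", "device": "dev-01", "type": "install",
     "package": "com.example.updater", "installer": "com.android.chrome"},
    {"ts": "2026-06-17T09:02:10", "device": "dev-01", "type": "accessibility_enabled",
     "package": "com.example.updater"},
    {"ts": "2026-06-17T09:03:30", "device": "dev-01", "type": "play_protect_disabled"},
    {"ts": "2026-06-17T09:04:00", "device": "dev-01", "type": "default_handler_changed",
     "package": "com.example.updater", "role": "SMS"},
    {"ts": "2026-06-17T10:00:00", "device": "dev-02", "type": "install",
     "package": "com.example.bank", "installer": "com.android.vending"},
    {"ts": "2026-06-17T10:01:00", "device": "dev-02", "type": "accessibility_enabled",
     "package": "com.example.bank"},
    {"ts": "2026-06-17T08:00:00", "device": "dev-03", "type": "install",
     "package": "com.example.tool", "installer": "com.android.chrome"},
    {"ts": "2026-06-17T15:00:00", "device": "dev-03", "type": "accessibility_enabled",
     "package": "com.example.tool"},
]

def flag_sideload_abuse(events, window=WINDOW):
    """Return {(device, package): [signals]} for risky actions soon after a sideload."""
    recent = {}    # device -> {package: install time}, untrusted-source installs only
    findings = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        installs = recent.setdefault(ev["device"], {})
        if ev["type"] == "install":
            if ev.get("installer") in TRUSTED_INSTALLERS:
                installs.pop(ev["package"], None)   # reinstalled from a trusted store
            else:
                installs[ev["package"]] = ts
            continue
        if ev["type"] not in RISKY:
            continue
        # Device-wide events carry no package: attribute them to every recent sideload.
        suspects = [ev["package"]] if "package" in ev else list(installs)
        for pkg in suspects:
            if pkg in installs and ts - installs[pkg] <= window:
                findings.setdefault((ev["device"], pkg), []).append(ev["type"])
    return findings
```

On the sample data only `dev-01` is flagged: the Play-installed app on `dev-02` and the accessibility grant seven hours after install on `dev-03` fall outside the rule.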