What Happened
Security researchers at Zimperium's zLabs have documented a new Android banking trojan, Rokarolla, that targets 217 banking and cryptocurrency apps and packs 137 remote commands. Together, those commands give an operator near-total control of an infected phone: the malware lifts lock-screen PINs, reads and sends SMS, rewrites the clipboard to redirect crypto payments, and switches off Google Play
Why It Matters
According to Zimperium and follow-on reporting, the Rokarolla Android banking trojan targets 217 banking and cryptocurrency apps, using 137 remote commands to gain near-complete control of infected devices, including stealing lock-screen PINs, intercepting SMS/OTP codes, hijacking clipboards to reroute crypto payments, and disabling Google Play Protect.[3][4][5] These capabilities are designed to facilitate large-scale financial fraud and covert account takeover against mobile banking and crypto users.[3][4][5] From a CyberSE.AI perspective, any fintech or crypto platform that relies on mobile apps, SMS-based authentication, or clipboard-based wallet use should treat this as a critical signal to harden authentication flows, transaction verification, and anomaly detection against device-compromise scenarios. CyberSE.AI can help by assessing AI- and rules-driven fraud detection and mobile security controls (AI Security Readiness Assessment) and auditing app and backend business logic—especially authentication, transaction signing, and high-risk action flows—to ensure they assume hostile devices and degraded out-of-band channels (AI Agent Business Logic Audit).
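The hardening the paragraph above calls for (transaction verification and anomaly detection that assume a compromised device and a degraded out-of-band channel) can be expressed as backend policy code. The following Python is an added example written for this page; it is not code from CyberSE.AI, Zimperium or the reporting they cite. The data model, the client telemetry fields (device_integrity_ok, play_protect_enabled, entry_method), the step-up channel name and the value threshold are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed policy values (assumptions for this example, not from the page).
HIGH_VALUE_LIMIT = 1000.0
# Channels that must never carry a step-up challenge: the trojan described on
# the page reads and sends SMS on the infected phone, so SMS OTP proves nothing.
UNTRUSTED_STEP_UP_CHANNELS = {"sms"}
# Assumed step-up channel that does not depend on the possibly infected phone.
STEP_UP_CHANNEL = "secondary_device_push"


@dataclass
class UserProfile:
    user_id: str
    # Destinations the user confirmed earlier through a channel other than the
    # phone itself (assumed to exist in the backend's data model).
    confirmed_payees: set = field(default_factory=set)
    # Hypothetical signals the app reports at session start.
    device_integrity_ok: bool = True
    play_protect_enabled: bool = True


@dataclass
class TransferRequest:
    user_id: str
    destination: str
    amount: float
    # Hypothetical client telemetry: how the destination field was filled.
    entry_method: str = "typed"  # "typed" | "pasted" | "saved"


@dataclass
class Decision:
    action: str   # "allow" | "step_up" | "block"
    channel: str  # step-up channel to use, or "none"
    reasons: list = field(default_factory=list)


def evaluate_transfer(profile: UserProfile, req: TransferRequest) -> Decision:
    """Decide whether a transfer may proceed when the phone may be hostile."""
    if req.user_id != profile.user_id:
        return Decision("block", "none", ["request/user mismatch"])
    if not profile.device_integrity_ok:
        # A device that fails integrity cannot be trusted to complete any step-up.
        return Decision("block", "none", ["device failed integrity check"])

    reasons = []
    if not profile.play_protect_enabled:
        reasons.append("Play Protect reported disabled")
    if req.destination not in profile.confirmed_payees:
        reasons.append("destination not previously confirmed out-of-band")
        if req.entry_method == "pasted":
            # A pasted, never-seen destination is what a clipboard swap produces.
            # It is also what a legitimate first payment looks like, so the
            # answer is an out-of-band step-up, not a silent block.
            reasons.append("pasted destination: possible clipboard hijack")
    if req.amount >= HIGH_VALUE_LIMIT:
        reasons.append("high-value transfer")

    if not reasons:
        return Decision("allow", "none")
    if STEP_UP_CHANNEL in UNTRUSTED_STEP_UP_CHANNELS:
        raise ValueError("step-up channel must not run over the phone's SMS")
    return Decision("step_up", STEP_UP_CHANNEL, reasons)


if __name__ == "__main__":
    # Constructed sample data.
    alice = UserProfile("alice", confirmed_payees={"bc1q-constructed-known-payee"})
    for req in (
        TransferRequest("alice", "bc1q-constructed-known-payee", 50.0, "saved"),
        TransferRequest("alice", "bc1q-constructed-unknown", 50.0, "pasted"),
        TransferRequest("alice", "bc1q-constructed-known-payee", 5000.0, "saved"),
    ):
        d = evaluate_transfer(alice, req)
        print(req.destination, req.amount, "->", d.action, d.channel, d.reasons)
```

Three design choices follow directly from the capabilities listed above: a step-up challenge never goes over SMS because the malware can read and send it; a destination the user has not confirmed through another channel always triggers a step-up rather than relying on the phone's own confirmation screen; and a failed device-integrity signal blocks outright, since no challenge delivered to that device can be trusted.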
CyberSE Analysis
This signal maps to fintech AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html