
Rokarolla Android banking trojan activity

Malware Activity
Happening score
H score 27
2 unique sources, 2 articles

Summary


The Rokarolla Android banking trojan is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fraud from banks. It targets 217 banking and cryptocurrency apps and uses 137 commands to manage calls, texts, overlays, and screenshots. The malware spreads through malicious sites posing as TikTok or Google Chrome, then abuses Accessibility Services and default SMS/call handling to isolate victims and suppress alerts.

Related Happenings

NFCShare fake banking-app update phishing campaign

Campaign
H score 40 · First: 09.06.2026 01:11 · Last: 09.06.2026 01:11 · Sources: 1

About this happening: The **NFCShare** phishing campaign is using **fake banking-app updates** on **GitHub** to steal **payment card data** from customers of multiple banks across **Europe**, expanding...

BTMOB Android MaaS platform expands low-code phishing payload production

Threat Actor Meta
H score 21 · First: 29.05.2026 00:10 · Last: 29.05.2026 00:10 · Sources: 1

About this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
H score 25 · First: 27.05.2026 19:10 · Last: 27.05.2026 19:10 · Sources: 1

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score 28 · First: 26.05.2026 17:00 · Last: 26.05.2026 17:00 · Sources: 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

FakeWallet Apple App Store wallet-stealing apps

Malware Activity
H score 21 · First: 21.04.2026 00:52 · Last: 21.04.2026 00:52 · Sources: 1

About this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...

Timeline

  1. 16.06.2026 16:15 3 articles · 2h ago

    Rokarolla Android banking trojan targets calls, texts, and fake login overlays

    Initial Disclosure

    Rokarolla is a newly discovered Android banking trojan that uses malicious lookalike sites and a fake Google Play Protect dropper to infect devices, then abuses Accessibility Services, default call and SMS handling, fake overlay login pages, clipboard rewriting, and timestamped screenshots to steal banking and cryptocurrency credentials, one-time codes, and other data while hiding alerts and isolating victims from their banks.
