Rokarolla device-profiling targeting campaign
Campaign
Summary
Hide ▲
Show ▼
The Rokarolla Android campaign now profiles infected devices to assign a unique identifier to each victim, enabling repeated tracking and coordinated financial-fraud activity across compromised phones.
Related Happenings
Rokarolla Android banking trojan activity
Malware Activity
H score26
First: 16.06.2026 16:15
Last: 16.06.2026 16:15
Sources 1
How related:
A new Android banking trojan named Rokarolla is targeting 217 banking and cryptocurrency applications using an extensive set of 137 commands.
About this happening:
The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Rokarolla Android banking trojan activity
Malware ActivityHow related: A new Android banking trojan named Rokarolla is targeting 217 banking and cryptocurrency applications using an extensive set of 137 commands.
About this happening: The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
BTMOB phishing campaign targeting Brazil and Latin America
Campaign
H score39
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** phishing activity is using localized fake-app lures to target users in **Brazil** and **Latin America**, increasing the risk of malicious installs and account compromise...
BTMOB phishing campaign targeting Brazil and Latin America
CampaignAbout this happening: **BTMOB** phishing activity is using localized fake-app lures to target users in **Brazil** and **Latin America**, increasing the risk of malicious installs and account compromise...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor Meta
H score21
First: 29.05.2026 00:10
Last: 29.05.2026 00:10
Sources 1
About this happening:
**BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
BTMOB Android MaaS platform expands low-code phishing payload production
Threat Actor MetaAbout this happening: **BTMOB** has been exposed as a **malware-as-a-service** Android trojan with a **builder interface**, making it easier for cybercriminals to mass-produce tailored phishing payload...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
GoldFactory Southeast Asia mobile fraud campaign using modified banking apps
Campaign
H score38
First: 04.12.2025 11:27
Last: 04.12.2025 11:27
Sources 1
About this happening:
GoldFactory has launched a **fresh mobile fraud campaign** against users in **Indonesia, Thailand, and Vietnam**, using **government impersonation** and **modified banking apps**...
GoldFactory Southeast Asia mobile fraud campaign using modified banking apps
CampaignAbout this happening: GoldFactory has launched a **fresh mobile fraud campaign** against users in **Indonesia, Thailand, and Vietnam**, using **government impersonation** and **modified banking apps**...
Timeline
-
16.06.2026 23:04 2 articles · 3h ago
Rokarolla Android banking trojan targets 217 banking and cryptocurrency apps
Initial DisclosureRokarolla is targeting 217 banking and cryptocurrency applications with 137 commands, using malicious websites that pose as Google Chrome or TikTok installers and a dropper that impersonates Google Play Protect. The malware requests Accessibility service permissions plus access to notifications, SMS, and calls, then profiles each infected device to generate a unique identifier for the victim and display fake login overlays for credential theft and financial fraud.
Show sources
- New Rokarolla Android malware targets 217 banking, crypto apps — www.bleepingcomputer.com — 16.06.2026 23:04
- New Rokarolla Android malware targets 217 banking, crypto apps — www.bleepingcomputer.com — 16.06.2026 23:04