
New Rokarolla Android malware impersonates TikTok and Chrome to steal banking details, SMS codes and crypto credentials.

A dangerous new Android banking trojan is targeting mobile users by disguising itself as popular apps including Google Chrome and TikTok, before attempting to steal banking credentials, crypto wallet details and sensitive personal data.

The malware, known as Rokarolla, has been identified by security researchers as a highly invasive Android threat capable of targeting more than 200 banking and cryptocurrency applications. Once installed on a vulnerable device, it can give attackers extensive control over the phone and the information stored on it.

The campaign is a reminder that mobile malware does not always arrive through obvious spam or suspicious attachments. In this case, victims are being tricked into downloading fake versions of trusted apps from malicious websites. These apps are designed to look familiar, lowering suspicion and increasing the chance that users will follow installation prompts.

The attack is particularly dangerous because the malware does not stop at stealing a single password. Rokarolla can harvest lock screen credentials, access contacts, steal SMS data, record keystrokes and monitor what a user types into their device. It can also interfere with incoming calls, making it harder for banks, family members or support services to reach the victim while the attack is underway.

One of its most concerning features is its ability to abuse Android Accessibility permissions. These permissions are designed to help users interact with their devices, but when misused by malware they can allow attackers to observe activity, control parts of the device and place fake screens over legitimate apps.

Rokarolla uses this technique to target banking and crypto apps. When a victim opens one of the financial apps on its target list, the malware can display a fake login screen over the genuine app. The user may believe they are entering details into their bank or crypto wallet, when in reality those credentials are being captured by criminals.

The malware can also intercept SMS messages, a serious risk for users who still receive one-time passcodes by text. If a criminal has both a victim’s login details and their SMS verification codes, they may be able to bypass common account protections and attempt fraudulent transactions.

Rokarolla’s operators have also built in stealth features to make detection harder. The malware may hide icons, suppress device sounds and impersonate trusted security tools. Reports indicate that part of the infection process involves a fake Google Play Protect prompt, designed to make the victim believe they are installing or enabling a legitimate Android security feature.

That tactic is especially effective because users are often told to trust security prompts. The problem is that cybercriminals now mimic those same prompts to create a false sense of safety.

The safest approach is to avoid downloading Android apps from random websites, unofficial app stores or links sent through messages and social media. Even if a site appears to offer a legitimate version of Chrome, TikTok or another popular app, users should go directly to the Google Play Store or the official developer website rather than following third-party download links.

Android users should also be cautious when an app requests powerful permissions such as Accessibility access, SMS access, notification access or the ability to control calls. A video app, browser clone or unknown utility should not need broad control over the device. If an app asks for permissions that do not match its purpose, that should be treated as a warning sign.
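For readers comfortable with Android's developer tools, the permission check described above can be run as a quick triage. The following is an added example, not code from the researchers or from this article: it cross-references the output of `adb shell pm list packages -i -3`, `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`, and lists apps that hold Accessibility or notification access but were not installed by the Play Store. The sample data and package names are constructed.

```python
import re

# Assumption: only the Google Play Store (com.android.vending) is a trusted installer.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Parse `pm list packages -i -3` lines into {package: installer}."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_components(setting_value):
    """Turn a colon-separated list of pkg/class components into package names."""
    value = setting_value.strip()
    if not value or value == "null":  # `settings get` prints "null" when unset
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def audit(pm_output, accessibility, listeners):
    """Return (package, installer, grants) for sideloaded apps with sensitive access."""
    installers = parse_installers(pm_output)
    grants = {}
    for pkg in parse_components(accessibility):
        grants.setdefault(pkg, []).append("accessibility")
    for pkg in parse_components(listeners):
        grants.setdefault(pkg, []).append("notification-access")
    findings = []
    for pkg, held in sorted(grants.items()):
        # Packages absent from the -3 (third-party) list are preinstalled; skip them.
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append((pkg, installers[pkg], sorted(held)))
    return findings

# Constructed sample output; these packages are hypothetical.
SAMPLE_PM = """package:com.example.videoapp  installer=null
package:org.example.reader  installer=com.android.vending
package:com.example.browserclone  installer=com.google.android.packageinstaller"""
SAMPLE_A11Y = "com.example.videoapp/com.example.videoapp.Svc:org.example.reader/.ReaderService"
SAMPLE_LISTENERS = "com.example.browserclone/.Listener:com.example.videoapp/.Notif"

if __name__ == "__main__":
    for pkg, installer, held in audit(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_LISTENERS):
        print(f"REVIEW {pkg} (installer={installer}): {', '.join(held)}")
```

A flagged app is a candidate for review rather than proof of infection, and an app installed through the Play Store is not guaranteed to be safe.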

Anyone concerned they may have installed a malicious app should act quickly. Disconnecting from the internet, removing suspicious apps, running a reputable mobile security scan and changing banking passwords from a separate trusted device are sensible first steps. If banking or crypto details may have been entered while the device was infected, users should contact their financial institution immediately.

It is also important to review account activity, check for unauthorised transactions and update passwords across any services that may have been exposed. Where possible, users should move away from SMS-based authentication and use app-based multi-factor authentication or hardware security keys.

This threat also highlights a broader cybersecurity issue. Attackers are relying on users making fast decisions without fully understanding the risks. A fake app, a familiar icon, a convincing permission request or a security prompt can be enough to compromise a device.

Technical protections matter, but user knowledge is often the deciding factor. Knowing where to download apps, how to recognise suspicious permissions and what to do when something feels wrong can dramatically reduce the chances of becoming a victim.

To improve your cybersecurity defences, start by improving your knowledge. The Hack Academy’s online training programme is designed to help users understand modern cyber threats, recognise warning signs and build practical skills to protect themselves online.

Do not wait until a fake app, stolen password or compromised device puts your personal data at risk. Strengthen your cyber awareness today with The Hack Academy and take control of your digital security.

Photo Credit: DepositPhotos.com
