
Security researchers have uncovered a sophisticated Android trojan called Rokarolla that gives criminals near-total control of an infected phone. The malware disguises itself as popular apps like TikTok or Chrome, then tricks victims into granting accessibility permissions. Once inside, it can steal your lock-screen PIN by watching as you type it, read and send SMS messages (including two-factor authentication codes), and redirect cryptocurrency payments to criminal wallets by silently rewriting your clipboard. It can also disable Google Play Protect to block security scans.
Rokarolla spreads through malicious websites posing as legitimate app stores — not through Google Play itself. It uses fake login pages that look exactly like your banking or crypto apps to harvest credentials. Researchers found it targeting over 200 banking and cryptocurrency applications, making it a serious threat to anyone who manages money on their Android phone.
How to check if you’re affected
Any Android phone or tablet on which an unfamiliar app has been granted accessibility permission, or on which Google Play Protect appears to be disabled, should be treated as potentially affected. To check: open Settings → Accessibility → Installed apps and look for anything unexpected. Also open Google Play → Play Protect and confirm it shows “No harmful apps found.” If Play Protect is turned off and you didn’t turn it off yourself, treat that as a red flag.
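For a phone connected with USB debugging, the accessibility check above can be scripted. The following POSIX shell helper is an added example, not code from the article or its researchers; it compares the enabled accessibility services against an allowlist of packages the owner knowingly granted that permission (the allowlist and the sample value are constructed for illustration).

```shell
#!/bin/sh
# Added example (not from the article): triage the Android accessibility-service
# list for services whose package is not one the owner deliberately trusted.
# Input is the value of the Secure setting "enabled_accessibility_services":
# colon-separated "package/ServiceClass" entries, "null" when none are enabled.
# On a device with USB debugging it is read with:
#   adb shell settings get secure enabled_accessibility_services

# Assumed allowlist (constructed): packages the owner intentionally granted
# accessibility access, one full package name per line.
TRUSTED_A11Y_PACKAGES="com.google.android.marvin.talkback
com.android.systemui"

# Print every enabled accessibility service whose package is not allowlisted.
# $1: raw setting value. Prints nothing when everything is expected.
flag_unexpected_a11y() {
    raw="$1"
    [ "$raw" = "null" ] && return 0
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
        [ -z "$entry" ] && continue
        pkg="${entry%%/*}"              # package name before the slash
        if ! printf '%s\n' "$TRUSTED_A11Y_PACKAGES" | grep -qx -- "$pkg"; then
            printf '%s\n' "$entry"
        fi
    done
}

# Returns 0 when nothing unexpected is enabled, 1 otherwise (hits on stdout).
a11y_is_clean() {
    hits=$(flag_unexpected_a11y "$1")
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Constructed sample for offline use: TalkBack plus an unknown third-party
# service whose package name imitates a browser, the disguise the article describes.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.chrome.update.service/a.b.Acc"
```

To run it against a real device, replace `SAMPLE` with the output of the `adb shell settings get` command shown in the comments, then call `a11y_is_clean "$SAMPLE"`.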
