Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

Stop a Breach: 1800 203 6701

Solution

Compliance
Security
Privacy
SISA One Platform
Why SISA
SISA Institute
Resources
Company
India
All Menu

SOLUTION

COMPLIANCE

Payment Security
PCI DSS Compliance
PCI PIN
PCI 3D Secure (3DS)
PCI P2PE Compliance
PCI S3
PCI S-SLC
PCI MPoC
SWIFT
Strategy & Risk
HIPAA
ISO Management System Services
NIST
SOC Compliance
HITRUST Certification
Information Security Risk Assessment
CSA STAR Assessment & Certification
Crisis Management Exercise
Indian Regulatory Cybersecurity Audit & Assurance Services
Unified Audits
Managed Compliance

SOLUTION

SECURITY

ProACT Agentic SOC
Digital Forensics & IR (DFIR)
Payment Forensics Investigation
Internal Forensic Investigation
Acquirer Led Investigation
Ransomware Incident Response
Breach and Attack Simulation
Compromise Assessment
Cloud Forensics
DFIR Retainer Services
Digital Threat Report
Forensic Resilience Assurance
PRISM
Prism Observe
Prism Discovery
Prism Secure
Prism Strike
Security Testing
Application Security Testing
Web Application Penetration Testing
API Security Testing
Mobile Application Security Testing (Android & iOS)
Secure Code Review (Manual + Automated)
Threat Modeling & Architecture Review
Thick Client Application Penetration Testing
Cloud & Container Security
Cloud Security Assessments (AWS, Azure, GCP)
Active Directory Pen Testing (On Prim, Cloud)
Kubernetes Security Testing
Container Image & Runtime Security
Cloud Architecture & IAM Review
Infrastructure & Network Security
Network Vulnerability Assessment (Internal & External)
Network Penetration Testing (Internal & External)
Server Configuration Review (Windows, Linux, Unix)
Firewall & Network Device Configuration Review
Wireless Security Testing
PCI ASV Scanning
Adversary-Led Ransomware Simulation
Post-Compromise Attack Path Mapping
Privilege Escalation & Defense Evasion
Lateral Movement & Asset Discovery
Ransomware Execution Simulation
Detection, Response & Recovery Validation
IoT Security Testing
Red Teaming
Red Team Engagements
Adversary Simulation & Threat Emulation
Assumed Breach Assessments
Social Engineering & Phishing
Purple Team Exercises
Quantum Security

SOLUTION

PRIVACY

Data Protection and Governance
Data Discovery and Classification Tool
Data Discovery Tool
Data Classification Tool
Data Privacy Consulting Services
DPDPA (India) Compliance Consulting
GDPR

SISA INSTITUTE

Training & Workshops
Payment Data Security Programs
CPISI
CPISI - Hybrid
CPISI - Advanced
CPISI - D
Quantum Security
AI Security
CP3
Get Certified
Application
Certifications
Advisory Groups
Certification Policies
Certification Support
Workshop Calendar
Training and Certification Store

RESOURCES

Case Studies
White Papers
Media Coverage
Blogs
Executive Perspective
News Room
Weekly Threat Watch
Monthly Threat Brief
Infographics
Webinars
Infosec Reports

COMPANY

About Us
Our Leadership
Careers
Corporate Social Responsibility
Elevating Communities
Stewarding Our Planet
Diversity & Inclusion

Solution

Compliance
Security
Privacy
India
All Menu

SOLUTION

COMPLIANCE

Payment Security
PCI DSS Compliance
PCI PIN
PCI 3D Secure (3DS)
PCI P2PE Compliance
PCI S3
PCI S-SLC
PCI MPoC
SWIFT
Strategy & Risk
HIPAA
ISO Management System Services
NIST
SOC Compliance
HITRUST Certification
Information Security Risk Assessment
CSA STAR Assessment & Certification
Crisis Management Exercise
Indian Regulatory Cybersecurity Audit & Assurance Services
Unified Audits
Managed Compliance

SOLUTION

SECURITY

ProACT Agentic SOC
Digital Forensics & IR (DFIR)
Payment Forensics Investigation
Internal Forensic Investigation
Acquirer Led Investigation
Ransomware Incident Response
Breach and Attack Simulation
Compromise Assessment
Cloud Forensics
DFIR Retainer Services
Digital Threat Report
Forensic Resilience Assurance
PRISM
Prism Observe
Prism Discovery
Prism Secure
Prism Strike
Security Testing
Application Security Testing
Web Application Penetration Testing
API Security Testing
Mobile Application Security Testing (Android & iOS)
Secure Code Review (Manual + Automated)
Threat Modeling & Architecture Review
Thick Client Application Penetration Testing
Cloud & Container Security
Cloud Security Assessments (AWS, Azure, GCP)
Active Directory Pen Testing (On Prim, Cloud)
Kubernetes Security Testing
Container Image & Runtime Security
Cloud Architecture & IAM Review
Infrastructure & Network Security
Network Vulnerability Assessment (Internal & External)
Network Penetration Testing (Internal & External)
Server Configuration Review (Windows, Linux, Unix)
Firewall & Network Device Configuration Review
Wireless Security Testing
PCI ASV Scanning
Adversary-Led Ransomware Simulation
Post-Compromise Attack Path Mapping
Privilege Escalation & Defense Evasion
Lateral Movement & Asset Discovery
Ransomware Execution Simulation
Detection, Response & Recovery Validation
IoT Security Testing
Red Teaming
Red Team Engagements
Adversary Simulation & Threat Emulation
Assumed Breach Assessments
Social Engineering & Phishing
Purple Team Exercises
Quantum Security

SOLUTION

PRIVACY

Data Protection and Governance
Data Discovery and Classification Tool
Data Discovery Tool
Data Classification Tool
Data Privacy Consulting Services
DPDPA (India) Compliance Consulting
GDPR
Compliance
Security
Privacy
All Menu

SOLUTION

COMPLIANCE

Payment Security
PCI DSS Compliance
PCI PIN
PCI 3D Secure (3DS)
PCI P2PE Compliance
PCI S3
PCI S-SLC
PCI MPoC
SWIFT
Strategy & Risk
HIPAA
ISO Management System Services
NIST
SOC Compliance
HITRUST Certification
Information Security Risk Assessment
CSA STAR Assessment & Certification
Crisis Management Exercise
Indian Regulatory Cybersecurity Audit & Assurance Services
Managed Compliance
Unified Audits

SOLUTION

SECURITY

Security Testing
Application Security Testing
Web Application Penetration Testing
API Security Testing
Mobile Application Security Testing (Android & iOS)
Secure Code Review (Manual + Automated)
Threat Modeling & Architecture Review
Thick Client Application Penetration Testing
Cloud & Container Security
Cloud Security Assessments (AWS, Azure, GCP)
Active Directory Pen Testing (On Prim, Cloud)
Kubernetes Security Testing
Container Image & Runtime Security
Cloud Architecture & IAM Review
Infrastructure & Network Security
Network Vulnerability Assessment (Internal & External)
Network Penetration Testing (Internal & External)
Server Configuration Review (Windows, Linux, Unix)
Firewall & Network Device Configuration Review
Wireless Security Testing
PCI ASV Scanning
Adversary-Led Ransomware Simulation
Post-Compromise Attack Path Mapping
Privilege Escalation & Defense Evasion
Lateral Movement & Asset Discovery
Ransomware Execution Simulation
Detection, Response & Recovery Validation
IoT Security Testing
Red Teaming
Red Team Engagements
Adversary Simulation & Threat Emulation
Assumed Breach Assessments
Social Engineering & Phishing
Purple Team Exercises
Digital Forensics & IR (DFIR)
Payment Forensics Investigation
Internal Forensic Investigation
Acquirer Led Investigation
Ransomware Incident Response
Breach and Attack Simulation
Compromise Assessment
Cloud Forensics
DFIR Retainer Services
Digital Threat Report
Forensic Resilience Assurance
ProACT Agentic SOC
Quantum Security
PRISM
Prism Observe
Prism Discovery
Prism Secure
Prism Strike

SOLUTION

PRIVACY

Data Protection and Governance
Data Discovery and Classification Tool
Data Discovery Tool
Data Classification Tool
Data Privacy Consulting Services
DPDPA (India) Compliance Consulting
GDPR

Page Name

Lorem ipsum dolor sit amet, consectetur adipiscing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur.

Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
Blog
June 24, 2026
2
MIN READ
Rokarolla and the Hostile Handset

Share this post

TABLE OF CONTENT

TABLE OF CONTENT

In mid-June 2026, Zimperium’s zLabs research team disclosed a new Android banking trojan called Rokarolla. The headline numbers are striking — it targets 217 banking and cryptocurrency apps and ships with 137 remote commands — but the numbers aren’t the real story. The real story is intent. Rokarolla is built, feature by feature, to neutralize the exact defenses we tell customers to rely on: Google Play Protect, the device lock screen, and the one-time passcode.

When a single piece of malware can disable Play Protect, fake your lock screen, read your OTP texts, and silence the fraud-alert call from your bank — all at once — the comfortable assumption that “our app is secure, so our customers are safe” quietly stops being true.

How Rokarolla works — the version that matters to decision-makers

You don’t need to be a malware analyst to grasp why this one is significant. The attack chain is disciplined:

  • Delivery by deception. It spreads from malicious websites posing as popular apps like TikTok or Chrome. The first thing the victim installs is a dropper disguised as Google Play Protect — Android’s own security brand turned into bait — which then side-loads the real payload.
  • The single permission that unlocks everything. The entire playbook hinges on Android Accessibility Services. Once granted, the malware can read the screen, inject input, and automate actions on the user’s behalf.
  • Overlays for theft. For each targeted banking or wallet app, it pulls a fake HTML login page from its server and paints it over the real app the moment the victim opens it — capturing credentials and card data. A separate overlay imitates the Android lock screen to harvest the PIN, pattern, or password, which lets the operator drive the device even while it is locked.
  • OTP and alert suppression. It reads and sends SMS, so it quietly lifts the one-time codes that authorize logins and transfers. By making itself the default call handler, it blocks incoming calls — so the bank’s fraud-prevention call never rings — and it mutes audio and vibration so notification cues stay silent.
  • Total surveillance. Keylogging, on-screen-content capture, contact harvesting, and snapshot-based screen surveillance give the operator a near-complete view of the device. Clipboard hijacking silently swaps a copied crypto wallet address for the attacker’s.
  • Staying hidden. It conceals its own icon, forces the screen to stay awake to keep its overlays running, maintains multiple fallback command-and-control domains, and actively tries to switch Play Protect off.

Zimperium did not attribute Rokarolla to a known group, and the report documents capabilities rather than confirmed infection counts. But the design pattern — fake-app dropper, Accessibility abuse, HTML overlays, OTP theft — is the same one running through a wave of 2026 Android bankers. That is precisely why it deserves a board-level read, not a footnote in the threat feed.

Why this should worry every bank and fintech — not just the named apps

Here is the part that is easy to miss: Rokarolla does not exploit a flaw in your banking app. There is no patch to apply, because nothing in your code is “broken.” It attacks the environment your app runs in — the customer’s phone — and turns the operating system’s own features against the user. That reframes the risk in three ways:

  1. Account takeover survives your 2FA. If the attacker can read the OTP, mirror the login screen, capture the PIN, and suppress the fraud call, then SMS-based step-up authentication — still the backbone of most mobile banking flows — offers far less protection than the risk models assume.
  1. The blast radius is your whole customer base, not a vulnerability count. Exposure scales with how many customers run Android and side-load apps or grant Accessibility prompts without scrutiny — a behavioral and environmental risk you cannot close from the server side.
  1. The liability and trust questions land on you anyway. When a customer is defrauded through their banking app — even if their device was compromised — the complaint, the chargeback, the regulator’s question, and the reputational hit all arrive at the bank’s door.

The strategic conclusion is uncomfortable but clarifying: design and test your mobile app on the assumption that the customer’s device is already compromised. Not “could be.” Is.

What banks and fintechs can actually do

Defending against a hostile-device adversary is a layered, app-resident problem. The controls that matter most:

  • Overlay and tapjacking defenses — detect when another app draws over yours, and set protective flags so sensitive screens refuse interaction when they are obscured.
  • Accessibility-abuse detection — identify when Accessibility services are being used to read or drive your app, and respond by warning, restricting, or blocking high-value actions.
  • Anti-keylogging and secure input — use protected input paths for PIN and credential entry rather than trusting the standard keyboard surface.
  • Screen-capture and screenshot protection — mark sensitive screens as secure so they cannot be recorded or snapshotted.
  • Runtime application self-protection (RASP) and integrity checks — detect rooting, hooking frameworks, emulators, debuggers, repackaging, and instrumentation, then degrade gracefully or stop.
  • Device attestation and compromise signals — continuously assess device integrity and feed those signals into authentication and transaction decisions.
  • OTP-independent, out-of-band confirmation for high-risk transactions, so a single compromised channel (SMS) cannot authorize a transfer.
  • Customer-side hygiene reinforcement — install only from official stores; never grant Accessibility to apps that are not assistive tools; treat any “make me your default SMS / call app” request as a red flag.

That list is the right starting point. But here is the question every security leader hits next: how do you know these controls actually work against a real attacker — and not merely that they are present in the build?

Why MPoC-based penetration testing is the proof point

The payments world has already solved a version of this problem worth borrowing. The PCI Mobile Payments on COTS (MPoC) standard governs how a consumer smartphone can be turned into a secure payment terminal (SoftPOS) — and its founding assumption is exactly the one Rokarolla validates: the commercial off-the-shelf device is untrusted, and the software must protect sensitive data even when an attacker has full control of the phone.

Because of that assumption, MPoC does not accept a checklist. It mandates independent penetration testing by an accredited MPoC security lab — testing that simulates real attacker tradecraft against the running solution. An MPoC-grade pen-test is built to attack precisely the techniques Rokarolla uses:

  • Can an overlay be painted over the payment, login, or PIN screen?
  • Can Accessibility services or a hooking framework read or manipulate sensitive input?
  • Can the app be repackaged, instrumented, or debugged to extract keys or data?
  • Does the device-attestation and monitoring layer actually detect a compromised device and refuse to operate — or step up authentication?

Crucially, the test produces a graded result — accounting for how much attacker skill and time a successful attack would require — rather than a binary pass/fail tick. That is the difference between assuming your controls hold and knowing how much resistance they offer. For a CISO, an MPoC-style penetration test against a Rokarolla-class threat model is the most direct way to answer the board’s real question: “If our customer’s phone is infected, is our app — and is our customer — still safe?”

Why this matters even more if you are building your own MPoC application

Many banks and fintechs are now building their own SoftPOS / MPoC apps to own the payment experience end-to-end. That ambition carries the full weight of the standard’s security model. Unlike a dedicated payment terminal, a SoftPOS app cannot lean on hardware-backed security — every protection is software, running on the same hostile Android that Rokarolla thrives on.

The standard’s response is uncompromising: layered software protections, an attestation-and-monitoring backend that can enrol or disable a device the moment it detects compromise, a secure software lifecycle, and independent lab validation — including penetration testing — before and throughout deployment. In other words, if you build your own MPoC application, independent pen-testing is not a compliance formality you bolt on at the end. It is the mechanism by which you, your acquirer, the card schemes, and ultimately your customers can trust that the app holds the line on a phone you do not control.

And the benefit travels well beyond payments. The same lab discipline that validates a SoftPOS app — adversarial testing against overlays, Accessibility abuse, hooking, repackaging, and key extraction — is exactly what every high-value mobile banking and wallet app now needs. Rokarolla does not care whether your app processes a card payment or a balance transfer. It cares only that it runs on a phone.

The takeaway

Rokarolla is a clear signal of where mobile threat actors are heading: away from stealing one credential, toward owning the whole device and defeating every control layered on top of it. Banks and fintechs cannot patch their way out of a hostile environment — but they can prove their apps are built to survive it. The fastest, most credible way to do that is to test the app the way a real attacker would: against the MPoC threat model, in an accredited lab.

If your mobile banking or SoftPOS app has never been put through a Rokarolla-grade adversarial test, you do not yet know whether it protects your customer when it matters most — when their phone is already compromised.

Put your mobile app through the Rokarolla test.

SISA’s MPoC certification lab runs MPoC-based penetration testing and SoftPOS security assessments that put mobile banking and payment apps through real-world, hostile-device attack scenarios — overlays, Accessibility abuse, hooking, repackaging, and key extraction — and validate your attestation and monitoring controls. Whether you are certifying a SoftPOS solution or hardening a consumer banking app, our Lab & Testing Services team will show you exactly where your controls hold and where they don’t. Talk to our team

References & further reading

• Zimperium zLabs, “Rokarolla: Android Banker with Complete Device Takeover Capabilities” (Jun 16, 2026).

• Zimperium IoC repository — github.com/Zimperium/IOC/2026-06-Rokarolla (APK hashes, target-app list, command set).

• PCI Security Standards Council — Mobile Payments on COTS (MPoC) standard and program documentation.

SHARE THIS POST

Compliance