
Rokarolla deploys 137 remote commands and HTML overlays to drain 217 banking and crypto apps via Accessibility abuse
Rokarolla extends the 2026 Android banker wave by hardening Accessibility abuse and overlay delivery against Play Protect. The Zimperium samples show no state attribution but a clear intent to bypass lock screens and SMS verification. Defenses remain limited to installation hygiene and the detection rules already published.
Zimperium zLabs documented the family through samples that fetch target lists from C2 servers named after the Rokarolla domain set. The dropper requests Accessibility Service access, then disables Play Protect and stores HTML overlays locally for immediate use against active banking sessions. This matches the 2025-2026 pattern seen in the HOOK and Klopatra families, where Accessibility replaces riskier screen-casting methods.
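Because the dropper's foothold is an Accessibility grant, one cheap triage check on a device is to audit which services currently hold it. The POSIX shell script below is an added example, not code from the page or from Zimperium; it parses the Android Secure setting `enabled_accessibility_services` (normally read with `adb shell settings get secure enabled_accessibility_services`) and flags every service whose package is not on an allowlist. The sample value, the `com.example.utilapp` package and the allowlist are constructed assumptions.

```shell
#!/bin/sh
# Added example: audit Android's `enabled_accessibility_services` Secure setting.
# On a real device the value comes from:
#   adb shell settings get secure enabled_accessibility_services
# A constructed sample value is embedded here so the script runs offline.

# Constructed sample: one legitimate screen reader plus a hypothetical utility app
# (com.example.utilapp is a placeholder, not a real package) holding Accessibility.
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.utilapp/.AccSvc'

# Packages expected to hold Accessibility on managed devices (assumed allowlist).
ALLOWED_PACKAGES='com.google.android.marvin.talkback'

# Print each enabled service whose package is not allowlisted, one per line.
# $1: colon-separated "package/service" list, $2: space-separated package allowlist.
unexpected_accessibility_services() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        pkg=${svc%%/*}          # strip "/ServiceClass" to get the package name
        allowed=0
        for a in $2; do
            [ "$a" = "$pkg" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$svc"
        fi
    done
}

# Number of unexpected services; non-zero is a triage signal, not proof of infection.
count_unexpected() {
    unexpected_accessibility_services "$1" "$2" | grep -c .
}

unexpected_accessibility_services "$SAMPLE_SERVICES" "$ALLOWED_PACKAGES"
```

Any package listed that the user did not knowingly install as an accessibility tool deserves a closer look, since the page's described chain depends on that grant being in place.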
Procurement records and GitHub IOC releases show operators rotate fallback domains faster than takedown cycles allow. The 137 commands exceed HOOK's 107, adding lock-screen overlays and silent screenshot exfiltration that avoid MediaProjection prompts. No independent technical attribution ties the build to a named group; Zimperium explicitly declined to link it to prior campaigns.
The operational shift toward fake-app distribution via malicious websites rather than sideloading stores indicates maturing supply chains for Android credential theft. Banks relying on SMS 2FA and users who grant Accessibility for utilities face direct fund redirection without visible alerts. Standard Play Store-only installs remain the only scalable control.
Next indicators to monitor include new C2 domains matching the Rokarolla naming convention and reports of clipboard swaps hitting major wallet apps within 90 days.
Zimperium: At least three new Rokarolla C2 domains will appear in public IOC feeds before October 2026 with matching command counts above 130.
Sources (3)
- [1] [Primary Source](https://thehackernews.com/2026/06/new-rokarolla-android-malware-steals.html)
- [2] [Supporting Source](https://www.zimperium.com/blog/rokarolla-analysis)
- [3] [Supporting Source](https://securelist.com/hook-trojan-comparison-2025)