In short: In the first half of 2026, the number of infected Android phones in Russia rose about 70% year over year — roughly 1.5 million devices. The main threat is banking trojans that steal money and one-time SMS codes, and new families such as Rokarolla, aimed at 217 banking and crypto apps, keep raising the stakes. Antivirus and caution matter most, but a VPN reduces risk at the very stage where infection often begins — on fake sites and untrusted networks.
What happened
On 30 June 2026, the Russian business daily Kommersant reported — citing data from MegaFon, the firms F6 and AppSec Solutions, and Kaspersky — that the number of detected mobile-device infections in Russia grew 70% year over year in the first half of 2026. That is about 1.5% of all Android phones in the country, roughly 1.5 million devices.
The leading threat is the Mamont banking trojan: its share rose from 10–12% a year earlier to 15%. The number of command-and-control servers the attackers use to steer infected phones jumped from dozens in the first half of 2025 to 200 by March 2026. Cumulative losses from mobile fraud across 2025–2026 are estimated at more than 600 billion rubles. We break down how surveillance and data theft work through a phone in our guide on protecting your phone from tracking.
A new trojan, Rokarolla, raises the bar
A fresh example of this wave is Rokarolla, disclosed on 16 June 2026 by the mobile-security firm Zimperium and confirmed by BleepingComputer and the Russian-language Anti-Malware.ru. It targets at least 217 banking and cryptocurrency apps and takes near-total control of a device, with an arsenal of no fewer than 137 remote commands.
Rokarolla follows a classic but effective playbook. When you open your banking app, a fake login page pops up on top of it — and everything you type (username, password, card number) goes straight to the attackers. The trojan intercepts one-time SMS codes, runs a keylogger, takes screenshots, manipulates the clipboard and hides its activity behind deceptive overlays. To do all this, it abuses Android's Accessibility services.
How trojans get onto a phone
Neither Mamont nor Rokarolla can infect a phone on its own — the user installs it. They spread through fake websites impersonating popular apps: Google Chrome, TikTok, banking programs, updates. During installation, Rokarolla poses as "Google Play Protect" to lower your guard, then asks for Accessibility access — and that one permission hands it full reach over your screen and input.
The key red flag is sideloading APK files from unofficial sources and any app asking for Accessibility rights it has no real reason to need. A PDF reader or a "battery booster" that demands control of your screen and access to all notifications is almost certainly a trap.
What it means for your data and money
For an ordinary user the risk is very concrete: direct theft of money from cards and accounts, account takeover and access to private messages. Modern banking trojans do not break encryption — they trick the person and intercept what they type themselves. So protection starts with habits, not technology. For safe day-to-day banking, see our piece on secure online banking.
How to protect your phone and money
Install apps only from official stores. Google Play and the App Store are not a 100% guarantee, but they cut the risk sharply. Never install an APK from links in messengers, SMS or ads. Where to get apps safely is covered in our guide on downloading a VPN safely.
Do not hand out Accessibility rights. If an app asks for Accessibility access with no clear reason, refuse. That is the main lever banking trojans rely on.
Harden your accounts. Two-factor authentication, card limits and transaction alerts help you spot theft before the money is gone.
Keep the system and Play Protect updated. Fresh patches and an enabled Play Protect catch known versions of these threats.
Protect the network layer. To be clear: a VPN will not remove a trojan already installed on your phone — that is the job of antivirus and caution. But a VPN like LiMP VPN encrypts your traffic on untrusted networks and hides your real IP, reducing tracking and the risk of interception on fake sites and open Wi-Fi — the very places where infection often begins. See how it works on our features page.
Sources
This report is based on coverage by Kommersant, research reported by BleepingComputer and the Russian-language Anti-Malware.ru from June–July 2026.
