first_app_guy
· Level 3
devlog
Rokarolla is terrifying now
Okay, I need to sit down for this one. The Rokarolla update is genuinely terrifying, not because of what it steals, but because of what it becomes. A full remote desktop tool baked into a banking trojan? That's not just malware anymore; that's a digital possession.

The detail that got me is the persistence mechanism. It's not just asking for Accessibility permissions anymore; it's actively hijacking the user's interaction with the lock screen. That's a level of system-level fuckery that usually requires a nation-state actor. Watching how they chain the overlay attacks with real-time screen recording is like watching a masterclass in dark UX design. They're not just stealing passwords; they're stealing context.

I spent my weekend trying to trace the C2 infrastructure for a similar sample. The encryption is messy, but the command-and-control heartbeat is terrifyingly clean. It's a constant, low-and-slow data exfiltration that looks like normal app telemetry. How do we even begin to detect that when it's dressed up as a legitimate TikTok update?

This is the new baseline. The line between "banking trojan" and "complete device takeover" just vanished. What's your threat model going to look like next week?
0 Comments
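The post asks how a "constant, low-and-slow" heartbeat that looks like app telemetry could be detected at all. One answer that does not depend on the payload's encryption is to look at timing and size regularity: user-driven app traffic is bursty and variable, while a heartbeat fires at a near-fixed interval with a near-fixed size. The script below is an added example written for this thread, not code from the original post or from any analysis of Rokarolla. The log format (timestamp, source IP, destination host, bytes sent), every log line, every hostname and the detection thresholds are constructed for illustration; none refer to real infrastructure or to a known sample.

```python
"""Flag periodic, fixed-size outbound connections (C2 heartbeats) in a connection log.

Added example, not code from the original post. The log format and all log lines
below are constructed; the hosts and addresses are placeholders, not real systems.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection log: "<ISO timestamp> <src ip> <dst host> <bytes out>".
# 10.0.0.5 talks to three hosts: a ~30 s heartbeat with near-constant size
# (cdn-metrics.example.net), bursty app traffic with varying sizes
# (api.example-app.com), and a short-lived connection with too few hits to judge
# (updates-cache.example.org). All names and values are made up.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 cdn-metrics.example.net 412
2024-05-01T10:00:05 10.0.0.5 api.example-app.com 1200
2024-05-01T10:00:10 10.0.0.5 updates-cache.example.org 300
2024-05-01T10:00:12 10.0.0.5 api.example-app.com 88
2024-05-01T10:00:14 10.0.0.5 api.example-app.com 5400
2024-05-01T10:00:30 10.0.0.5 cdn-metrics.example.net 418
2024-05-01T10:00:40 10.0.0.5 updates-cache.example.org 300
2024-05-01T10:01:01 10.0.0.5 cdn-metrics.example.net 409
2024-05-01T10:01:10 10.0.0.5 updates-cache.example.org 301
2024-05-01T10:01:30 10.0.0.5 cdn-metrics.example.net 415
2024-05-01T10:02:00 10.0.0.5 cdn-metrics.example.net 412
2024-05-01T10:02:31 10.0.0.5 cdn-metrics.example.net 420
2024-05-01T10:03:00 10.0.0.5 cdn-metrics.example.net 411
2024-05-01T10:03:20 10.0.0.5 api.example-app.com 302
2024-05-01T10:03:23 10.0.0.5 api.example-app.com 9800
2024-05-01T10:03:29 10.0.0.5 cdn-metrics.example.net 416
2024-05-01T10:04:00 10.0.0.5 cdn-metrics.example.net 413
2024-05-01T10:04:30 10.0.0.5 cdn-metrics.example.net 417
2024-05-01T10:05:01 10.0.0.5 cdn-metrics.example.net 410
2024-05-01T10:05:30 10.0.0.5 cdn-metrics.example.net 414
2024-05-01T10:07:30 10.0.0.5 api.example-app.com 150
2024-05-01T10:07:32 10.0.0.5 api.example-app.com 2200
2024-05-01T10:07:35 10.0.0.5 api.example-app.com 75
2024-05-01T10:15:00 10.0.0.5 api.example-app.com 6400
2024-05-01T10:15:01 10.0.0.5 api.example-app.com 410
2024-05-01T10:25:00 10.0.0.5 api.example-app.com 1800
"""


def parse_log(text):
    """Parse the constructed four-column format into (datetime, src, dst, bytes) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, size = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(size)))
    return records


def coefficient_of_variation(values):
    """Population stdev divided by mean: 0 for perfectly regular values, larger for noisy ones."""
    m = mean(values)
    return pstdev(values) / m if m else float("inf")


def detect_beacons(records, min_hits=8, max_gap_cv=0.15, max_size_cv=0.25):
    """Return (src, dst) pairs whose inter-connection gaps and payload sizes are both
    nearly constant, the signature of a heartbeat rather than user-driven traffic.

    The thresholds are assumptions for this example; a real deployment tunes them
    against its own baseline and expects malware to add jitter to defeat them.
    """
    by_pair = defaultdict(list)
    for ts, src, dst, size in records:
        by_pair[(src, dst)].append((ts, size))

    findings = []
    for (src, dst), events in sorted(by_pair.items()):
        if len(events) < max(min_hits, 2):
            continue  # too few samples to call anything periodic
        events.sort()
        gaps = [(later - earlier).total_seconds()
                for (earlier, _), (later, _) in zip(events, events[1:])]
        sizes = [size for _, size in events]
        gap_cv = coefficient_of_variation(gaps)
        size_cv = coefficient_of_variation(sizes)
        if gap_cv <= max_gap_cv and size_cv <= max_size_cv:
            findings.append({
                "src": src, "dst": dst, "hits": len(events),
                "mean_gap_s": round(mean(gaps), 1), "gap_cv": round(gap_cv, 3),
                "mean_bytes": round(mean(sizes)), "size_cv": round(size_cv, 3),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_beacons(parse_log(SAMPLE_LOG)):
        print(finding)
```

On the constructed log only cdn-metrics.example.net is reported: twelve hits, a mean gap of 30 s with a gap CV under 0.05 and a size CV under 0.01, while api.example-app.com has a gap CV above 1 and is ignored. The `min_hits` floor matters: drop it to 3 and the three-hit updates-cache.example.org connection is reported too, which is the false-positive shape real app telemetry and OS update checks take. Regularity alone therefore only narrows the list; the next step is to compare the destination against what the app's legitimate telemetry endpoints are known to be, since the post's point is that the heartbeat is deliberately shaped to look like that traffic.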