A new Android banking trojan named Rocinante targets mobile users in Brazil, exploiting accessibility service for keylogging and phishing screens to steal personal information and perform device takeover. The malware masquerades as popular apps like Bradesco Prime and Correios Celular, with distribution through phishing sites. It exfiltrates data to a Telegram bot and is influenced by earlier malware strains like ERMAC, while a similar campaign exploits the secureserver[.]net domain to target Spanish and Portuguese-speaking regions.