Security researchers have uncovered two distinct Android malware strains, BankBot-YNRK and DeliveryRAT, both engineered to pilfer sensitive financial data from compromised devices. The discoveries highlight ongoing sophistication in mobile threat actor tactics, techniques, and procedures.
BankBot-YNRK Analysis
BankBot-YNRK employs a multi-layered approach to evade detection and maximize data exfiltration. The malware includes checks to identify if it is running in a virtualized or emulated environment and analyzes device-specific details, such as manufacturer and model, to determine if it’s operating on a genuine target device. It has also been observed to specifically check for devices manufactured by Oppo or running ColorOS. The malware attempts to impersonate a legitimate Indonesian government application, “Identitas Kependudukan Digital,” with package names such as com.westpacb4a.payqingynrk1b4a. Upon installation, BankBot-YNRK manipulates audio stream volumes to zero, muting alerts for calls and messages, and communicates with a command-and-control server located at “ping.ynrkone[.]top”.
To achieve elevated privileges, BankBot-YNRK prompts users to enable accessibility services. This functionality is effective on Android versions 13 and below; however, security enhancements introduced in Android 14 restrict the abuse of accessibility services for automatic permission granting. BankBot-YNRK utilizes Android’s JobScheduler for persistence, can acquire device administrator privileges, and is capable of harvesting contacts, SMS messages, location data, lists of installed applications, and clipboard content. The malware can also impersonate Google News, capture screen content to reconstruct application interfaces for credential theft, and exploit accessibility services to interact with cryptocurrency wallet applications, thereby stealing sensitive data and initiating unauthorized transactions. Researchers have identified a target list of 62 financial applications.
DeliveryRAT Distribution and Capabilities
Concurrently, an updated strain known as DeliveryRAT is being distributed through a Malware-as-a-Service (MaaS) model, facilitated via a Telegram bot identified as Bonvi Team. This threat specifically targets Russian Android users, masquerading as applications for food delivery services, marketplaces, banking, and parcel tracking. Threat actors lure victims through messaging applications, encouraging them to download the malicious app. DeliveryRAT requests extensive permissions, including access to notifications and battery optimization settings, to operate discreetly in the background. Enhanced capabilities include access to SMS messages and call logs, and the ability to conceal its icon from the device’s home screen. Some variants of DeliveryRAT are also equipped to launch distributed denial-of-service (DDoS) attacks.
Broader Android Security Concerns
These findings emerge alongside a report from Zimperium, which identified over 760 Android applications misusing near-field communication (NFC) technology since April 2024. These applications, primarily impersonating Russian banks and financial services but also targeting institutions in Brazil, Poland, the Czech Republic, and Slovakia, trick users into setting them as default payment methods. By exploiting Android’s Host Card Emulation, these apps illicitly obtain contactless credit card and payment data for fraudulent transactions. The stolen data is then transmitted to threat actors via Telegram channels or dedicated applications.
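The capability combination described above (accessibility-service binding, device administrator, JobScheduler persistence, SMS/contact/location harvesting, and NFC host card emulation) is visible statically in an APK's manifest. The following triage script is an added example, not code from the article or from any vendor named in it; the manifest it parses is constructed to mirror the reported BankBot-YNRK profile, and the scoring thresholds are an assumption for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Runtime permissions matching the data the report says these families harvest.
DATA_PERMISSIONS = {
    "android.permission.READ_SMS": "reads SMS",
    "android.permission.READ_CALL_LOG": "reads call logs",
    "android.permission.READ_CONTACTS": "harvests contacts",
    "android.permission.ACCESS_FINE_LOCATION": "tracks location",
}
# Component-binding permissions that expose the abusable capabilities named above.
BIND_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator",
    "android.permission.BIND_JOB_SERVICE": "JobScheduler job (persistence)",
    "android.permission.BIND_NFC_SERVICE": "NFC host card emulation",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return capability findings and a verdict for one decoded AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    requested = {u.get(ANDROID + "name") for u in root.iter("uses-permission")}
    findings = {why for perm, why in DATA_PERMISSIONS.items() if perm in requested}
    for comp in root.iter():
        if comp.tag in ("service", "receiver"):
            findings.add(BIND_PERMISSIONS.get(comp.get(ANDROID + "permission")))
    findings.discard(None)
    # Heuristic (assumed): accessibility plus device admin or SMS access is the banker pattern;
    # an HCE service on its own is worth a look as a potential default-payment-handler abuser.
    banker = "accessibility service" in findings and (
        "device administrator" in findings or "reads SMS" in findings)
    hce = "NFC host card emulation" in findings
    verdict = "banker-like" if banker else ("review-hce" if hce else "no-match")
    return {"findings": sorted(findings), "verdict": verdict}


# Constructed sample manifest modelled on the reported BankBot-YNRK capabilities.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.sample">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <application android:label="Identitas Kependudukan Digital">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Job" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Run it over manifests decoded from APKs under review (for example with apktool) to surface samples matching the reported profile before deeper dynamic analysis.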