Two distinct Android trojans, BankBot-YNRK and DeliveryRAT, have been identified by cybersecurity researchers as actively exfiltrating sensitive financial data from compromised mobile devices. This development signals a continued evolution in mobile malware tactics, specifically targeting banking and cryptocurrency assets.
These findings highlight ongoing threats to Android users. BankBot-YNRK demonstrates sophisticated anti-analysis and persistence capabilities, while DeliveryRAT leverages a malware-as-a-service model. The emergence of these threats coincides with a broader trend of mobile malware misusing near-field communication (NFC) for payment data theft, underscoring the dynamic landscape of mobile financial fraud.
BankBot-YNRK: Evasion and Financial Theft
CYFIRMA’s analysis reveals that BankBot-YNRK is a banking trojan designed to evade detection through environmental checks. It identifies virtualized or emulated environments and specific device models, including those from Oppo, Google Pixel, and Samsung. The malware often disguises itself as the legitimate Indonesian government application “Identitas Kependudukan Digital.apk” to deceive users. Upon installation, it silently mutes audio streams, such as music, ringtone, and notifications, to prevent victims from being alerted to its activities.
BankBot-YNRK leverages Android’s Accessibility services, particularly on devices running Android 13 and earlier versions, to gain elevated privileges and execute malicious actions without direct user interaction. Android 14, released in late 2023, introduced security enhancements that restrict apps from using accessibility services to automatically request or grant additional permissions, as noted by The Hacker News. The trojan ensures persistence by utilizing Android’s JobScheduler service and attempts to secure device administrator privileges, making uninstallation difficult. Communication with its command-and-control (C2) server, identified as “ping.ynrkone[.]top,” is established over port 8181 to exfiltrate device details and receive commands.
The malware’s capabilities extend to impersonating Google News by programmatically altering its name and icon and loading legitimate news content within a WebView, as detailed in CYFIRMA’s report. It captures screen content and UI metadata to reconstruct “skeleton UIs” of banking applications, facilitating credential theft. Furthermore, BankBot-YNRK abuses accessibility services to interact with and steal from cryptocurrency wallet applications such as Exodus, MetaMask, Trust Wallet, and Coinomi. It targets a list of 62 financial applications, primarily in Southeast Asia and India, including major banking services.
DeliveryRAT: MaaS Model and Russian Targets
Separately, F6 researchers have uncovered an updated version of DeliveryRAT, which targets Russian Android users. This trojan is distributed under the guise of food delivery services, online marketplaces, banking applications, and parcel tracking apps. DeliveryRAT operates under a malware-as-a-service (MaaS) model, with threat actors advertising it through a Telegram bot called Bonvi Team. The malware gains access to SMS messages and call logs and can hide its icon from the home screen, making detection and removal challenging for users. Some iterations of DeliveryRAT are also equipped to launch distributed denial-of-service (DDoS) attacks.
NFC Exploitation in Android Malware
In a related development, Zimperium identified over 760 Android applications since April 2024 that misuse NFC to illegally obtain payment data. These fake applications prompt users to set them as the default payment method, exploiting Android’s host-based card emulation (HCE) to steal contactless credit card information. The stolen NFC data is then relayed to threat actors to withdraw funds or make purchases at point-of-sale terminals via a dedicated tapper app or Telegram channel. Approximately 20 institutions, primarily in Russia but also in Brazil, Poland, the Czech Republic, and Slovakia, have been impersonated. Users should remain vigilant against unknown apps that ask to become the default payment handler.
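The manifest declarations behind the behaviours described in the BankBot-YNRK section (accessibility service, device-admin receiver, JobScheduler service) and in the NFC section (a host-card-emulation service) are visible to a defender before an app ever runs. The following triage script is an added example, not code from CYFIRMA, F6 or Zimperium; it parses a decoded AndroidManifest.xml and flags those capability combinations. The permission names are real Android ones; the sample manifest and the finding texts are constructed.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Each capability shows up in the manifest as a component that must carry a
# specific system "bind" permission; the permission strings are real Android ones.
SIGNALS = {
    "accessibility": ("service", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "device_admin": ("receiver", "android.permission.BIND_DEVICE_ADMIN"),
    "job_scheduler": ("service", "android.permission.BIND_JOB_SERVICE"),
    "hce": ("service", "android.permission.BIND_NFC_SERVICE"),
}

def manifest_capabilities(manifest_xml: str) -> set:
    """Return the names of the signals declared in a decoded AndroidManifest.xml."""
    app = ET.fromstring(manifest_xml).find("application")
    found = set()
    if app is None:
        return found
    for name, (tag, permission) in SIGNALS.items():
        if any(c.get(ANDROID_NS + "permission") == permission for c in app.iter(tag)):
            found.add(name)
    return found

def triage(manifest_xml: str) -> list:
    """Map capability combinations to the behaviours described in the reports."""
    caps = manifest_capabilities(manifest_xml)
    findings = []
    if "accessibility" in caps:
        findings.append("accessibility service: can read screen content and drive other apps' UI")
    if {"accessibility", "device_admin"} <= caps:
        findings.append("accessibility + device admin: uninstall can be obstructed")
    if {"accessibility", "job_scheduler"} <= caps:
        findings.append("accessibility + JobScheduler: persistence pattern, review manually")
    if "hce" in caps:
        findings.append("HCE service: app can emulate a contactless card (check its AID group)")
    return findings

# Constructed manifest fragment mirroring the BankBot-YNRK component pattern.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".Job" android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_MANIFEST):
        print(finding)
```

A decoded manifest can be obtained from an APK with apktool or androguard; the HCE finding only tells you a card-emulation service exists, so the payment category must still be checked in the referenced apduservice resource.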
The sophisticated nature of Android trojans, encompassing evasion tactics, persistence mechanisms, and targeted theft of financial and cryptocurrency data, underscores the significant and evolving threat to mobile users. Ongoing vigilance and robust cybersecurity defenses are crucial to mitigating these risks.