Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices.
According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking its running within a virtualized or emulated environment, and then extracting device details such as the manufacturer and model name to ascertain if it’s being executed on a real device.
BankBot-YNRK also checks if the device is manufactured by Oppo, or is running on ColorOS, a version of the Android operating system that’s used on devices made by the Chinese original equipment manufacturer (OEM).
“The malware also includes logic to identify specific devices,” CYFIRMA said. “It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or supported models. This allows the malware to apply device-specific functionality or optimizations only on targeted devices while avoiding execution on unrecognized models.”
The names of the APK packages distributing the malware are listed below. All three apps go by the name “IdentitasKependudukanDigital.apk,” which likely appears to be an attempt to impersonate a legitimate Indonesian government app called “Identitas Kependudukan Digital.”
- com.westpacb4a.payqingynrk1b4a
- com.westpacf78.payqingynrk1f78
- com.westpac91a.payqingynrk191a
Once installed, the malicious apps are designed to harvest device information and set the volume of various audio streams, such as music, ringtone, and notifications, to zero to prevent the affected victim from being alerted to incoming calls, messages, and other in-app notifications.
It also establishes communication with a remote server (“ping.ynrkone[.]top”), and upon receiving the “OPEN_ACCESSIBILITY” command, it urges the user to enable accessibility services so as to realize its goals, including gaining elevated privileges and performing malicious actions.
The malware, however, is capable of targeting only Android devices running versions 13 and below, as Android 14, launched in late 2023, introduced a new security feature that prevents the use of accessibility services to automatically request or grant app additional permissions.
“Until Android 13, apps could bypass permission requests through accessibility features; however, with Android 14, this behavior is no longer possible, and users must grant permissions directly through the system interface,” CYFIRMA said.
BankBot-YNRK leverages Android’s JobScheduler service to establish persistence on the device and ensure it’s launched after a reboot. It also supports a wide range of commands to gain device administrator privileges, manage apps, interact with the device, redirect incoming calls using MMI codes, take photos, perform file operations, and harvest contacts, SMS messages, locations, lists of installed apps, and clipboard content.
Some of the other features of the malware are as follows –
- Impersonating Google News by programmatically replacing the apps’s name and icons, as well as launching “news.google[.]com” via a WebView
- Capture screen content to reconstruct a “skeleton UI” of application screens such as banking apps to facilitate credential theft
- Abusing accessibility services to open cryptocurrency wallet apps from a predefined list and automating UI actions to gather sensitive data and initiate unauthorized transactions
- Retrieving a list of 62 financial apps to target
- Displaying an overlay message claiming their personal information is being verified, while the malicious actions are carried out, including requesting itself extra permissions and adding itself as a device administrator app
“BankBot-YNRK exhibits a comprehensive feature set aimed at maintaining long-term access, stealing financial data, and executing fraudulent transactions on compromised Android devices,” CYFIRMA said.
The disclosure comes as F6 revealed that threat actors are distributing an updated version of DeliveryRAT targeting Russian Android device owners under the guise of food delivery services, marketplaces, banking services, as well as parcel tracking applications. The mobile threat is assessed to be active since mid-2024.
According to the Russian cybersecurity company, the malware is advertised under a malware-as-a-service (MaaS) model through a Telegram bot named Bonvi Team, allowing users to either get access to an APK file or links to phishing pages distributing the malware.
Victims are then approached on messaging apps like Telegram, where they are asked to download the malicious app as part of tracking orders from fake marketplaces or for a remote employment opportunity. Regardless of the method used, the app requests access to notifications and battery optimization settings so that it can gather sensitive data and run in the background without being terminated.
Furthermore, the rogue apps come with capabilities to access SMS messages and call logs, and hide their own icons from the home screen launcher, thereby making it difficult for a less tech-savvy user to remove it from the device.
Some iterations of the DeliveryRAT are also equipped to conduct distributed denial-of-service (DDoS) attacks by making simultaneous requests to the URL link transmitted from the external server and launching activities to capture by making simultaneous requests to the URL link transmitted or by tricking the user into scanning a QR code.
The discovery of the two Android malware families coincides with a report from Zimperium, which discovered more than 760 Android apps since April 2024 that misuse near-field communication (NFC) to illegally obtain payment data and send it to a remote attacker.
These fake apps, masquerading as financial applications, prompt users to set them as their default payment method, while taking advantage of Android’s host-based card emulation (HCE) to steal contactless credit card and payment data.
The information is relayed either to a Telegram channel or a dedicated tapper app operated by the threat actors. The stolen NFC data is then used to withdraw funds from a user’s accounts or make purchases at point-of-sale (PoS) terminals almost instantly.
“Approximately 20 institutions have been impersonated – primarily Russian banks and financial services, but also target organizations in Brazil, Poland, the Czech Republic, and Slovakia,” the mobile security company said.
