Cybersecurity researchers have highlighted two different Android Trojans, called BankBot-YNRK and DeliveryRAT, which are capable of collecting sensitive data from compromised devices.
According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to circumvent analysis attempts: it first checks whether it is running in a virtualized or emulated environment, and then extracts device details such as manufacturer and model name to determine whether it is executing on a real device.
BankBot-YNRK also checks whether the device is manufactured by Oppo, or running on ColorOS, a version of the Android operating system used on devices made by Chinese original equipment manufacturers (OEMs).
“The malware also includes logic to identify specific devices,” CYFIRMA said. “It verifies whether the device is a Google Pixel or a Samsung device and checks whether its model is included in a predefined list of recognized or supported models. This allows the malware to apply device-specific functionality or customization only to the targeted device while avoiding execution on unrecognized models.”
The names of the APK packages that distribute the malware are listed below. All three apps are distributed under the file name “IdentitasKependudukanDigital.apk”, which appears to be an attempt to impersonate a legitimate Indonesian government app called “Identitas Kependudukan Digital.”
- com.westpacb4a.payqingynrk1b4a
- com.westpacf78.payqingynrk1f78
- com.westpac91a.payqingynrk191a
Once installed, the malicious apps are designed to collect device information and set the volume of various audio streams, such as music, ringtones and notifications, to zero so that the victim is not alerted to incoming calls, messages and other in-app notifications.
It also establishes communication with a remote server (“ping.ynrkone[.]top”) and, upon receiving the “OPEN_ACCESSIBILITY” command, urges the user to enable accessibility services so that it can achieve its goals, including gaining elevated privileges and performing malicious actions.
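The package names and the defanged C2 domain above are the indicators a defender would actually sweep for. The following script is an added example, not code from the report or from CYFIRMA: it refangs the “[.]” notation, scans constructed `adb shell pm list packages` output for the three listed packages (and for other packages built in the same `com.westpacXXX.payqingynrk1XXX` shape, which is an assumption drawn from the three names rather than something the report states), and matches the C2 domain against constructed DNS log lines. The log format is assumed. The decoy domain “news.google[.]com” is deliberately left out of the DNS match because it is a legitimate Google property and would only produce false positives.

```python
from __future__ import annotations

import re
from typing import Iterable

# Indicators as they appear in the report (defanged with "[.]").
C2_DOMAINS = ["ping.ynrkone[.]top"]
KNOWN_PACKAGES = {
    "com.westpacb4a.payqingynrk1b4a",
    "com.westpacf78.payqingynrk1f78",
    "com.westpac91a.payqingynrk191a",
}
# Assumption, not from the report: the three names share one shape, a
# 3-hex-digit tag repeated after "com.westpac" and after "payqingynrk1".
# The back-reference (\1) keeps the pattern from matching unrelated packages.
PACKAGE_SHAPE = re.compile(r"^com\.westpac([0-9a-f]{3})\.payqingynrk1\1$")

# Constructed sample of "adb shell pm list packages" output.
SAMPLE_PM_LIST = """\
package:com.android.chrome
package:com.westpacb4a.payqingynrk1b4a
package:com.westpac0c2.payqingynrk10c2
package:com.westpac0c2.payqingynrk1abc
package:com.example.bank
"""

# Constructed DNS log lines in an assumed "<time> <client> QUERY <name>" format.
SAMPLE_DNS = """\
2025-11-05T10:12:01Z 10.0.0.7 QUERY ping.ynrkone.top.
2025-11-05T10:12:03Z 10.0.0.7 QUERY www.google.com.
2025-11-05T10:12:09Z 10.0.0.9 QUERY sub.ping.ynrkone.top
"""


def refang(indicator: str) -> str:
    """Turn 'example[.]com' back into 'example.com' so it can be compared."""
    return indicator.replace("[.]", ".")


def suspicious_packages(pm_list_output: str) -> list[str]:
    """Return installed packages that are listed IoCs or share their naming shape."""
    hits = []
    for line in pm_list_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg = line[len("package:"):]
        if pkg in KNOWN_PACKAGES or PACKAGE_SHAPE.match(pkg):
            hits.append(pkg)
    return hits


def matching_dns_queries(dns_lines: Iterable[str], domains=C2_DOMAINS) -> list[str]:
    """Return log lines whose queried name is an indicator or a subdomain of one."""
    wanted = [refang(d).lower() for d in domains]
    hits = []
    for line in dns_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "QUERY":
            continue
        name = parts[3].rstrip(".").lower()  # drop the trailing root dot
        if any(name == w or name.endswith("." + w) for w in wanted):
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("packages:", suspicious_packages(SAMPLE_PM_LIST))
    print("dns hits:", matching_dns_queries(SAMPLE_DNS.splitlines()))
```

On a real fleet the package sweep runs against per-device `pm list packages` exports and the DNS match against resolver logs; the shape regex is the part to review, since it is an inference from three samples and any new build that changes the naming scheme would fall outside it.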
However, the malware can only target devices running Android 13 and below, as Android 14, launched in late 2023, introduced a security feature that prevents accessibility services from being used to automatically request or grant additional permissions to apps.
CYFIRMA said, “Until Android 13, apps could bypass permission requests through accessibility features; however, with Android 14, this behavior is no longer possible, and users must grant permissions directly through the system interface.”
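The Android 14 boundary described above is something a responder can check directly on a device. The following triage script is an added example, not code from the report: it takes the output of `adb shell getprop ro.build.version.sdk` (Android 14 is API level 34) and of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/class` entries), flags any enabled accessibility service whose package is not on a vetted allowlist, and rates the finding higher when the build is one on which such a service can still self-grant permissions. The sample outputs, the allowlist and the `.AccService` class name are constructed for the example.

```python
from __future__ import annotations

# Android 14 is API level 34; the accessibility-driven permission grant the
# report describes only works on Android 13 (API 33) and below.
ANDROID_14_SDK = 34

# Constructed sample outputs, shaped like what the two adb commands print.
SAMPLE_SDK_OUTPUT = "33\n"
SAMPLE_A11Y_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.westpacb4a.payqingynrk1b4a/.AccService\n"  # class name is constructed
)
# Hypothetical allowlist of accessibility providers an organisation has vetted;
# build your own from a known-good device rather than reusing this one.
VETTED_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def permission_bypass_possible(sdk_output: str) -> bool:
    """True when the device reports API 33 or lower (Android 13 and earlier)."""
    return int(sdk_output.strip()) < ANDROID_14_SDK


def parse_enabled_accessibility_services(setting_output: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'package/class' list stored in the setting."""
    value = setting_output.strip()
    if value in ("", "null"):  # 'settings get' prints 'null' when nothing is enabled
        return []
    services = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if pkg:
            services.append((pkg, cls))
    return services


def triage(sdk_output: str, a11y_output: str, vetted: set[str]) -> dict:
    """Combine the build check and the service list into one verdict."""
    services = parse_enabled_accessibility_services(a11y_output)
    unexpected = sorted({pkg for pkg, _ in services if pkg not in vetted})
    bypass = permission_bypass_possible(sdk_output)
    if unexpected and bypass:
        severity = "high"    # unknown service on a build where it can self-grant permissions
    elif unexpected:
        severity = "medium"  # Android 14+: no silent grants, but it can still read the screen
    else:
        severity = "low"
    return {
        "sdk": int(sdk_output.strip()),
        "permission_bypass_possible": bypass,
        "unexpected_services": unexpected,
        "severity": severity,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_SDK_OUTPUT, SAMPLE_A11Y_OUTPUT, VETTED_A11Y_PACKAGES))
```

The "medium" branch is deliberate: the Android 14 change removes the silent permission grant, but an unvetted accessibility service can still read screen content and drive the UI, which is how the overlay and wallet-automation features described later in the article work, so it still warrants a look.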
BankBot-YNRK takes advantage of Android’s Job Scheduler service to establish persistence on the device and ensure it launches after a reboot. It also supports a wide range of commands to gain device administrator privileges, manage apps, interact with the device, redirect incoming calls using MMI codes, take photos, perform file operations, and collect contacts, SMS messages, locations, lists of installed apps, and clipboard contents.
Some other features of the malware are as follows –
- Impersonating Google News by programmatically replacing the app’s name and icon, and launching “news.google[.]com” in a WebView
- Capturing screen content to recreate the “skeleton UI” of application screens, such as those of banking apps, to facilitate credential theft
- Abusing accessibility services to open cryptocurrency wallet apps from a predefined list and automating UI actions to collect sensitive data and initiate unauthorized transactions
- Retrieving a list of 62 financial apps to target
- Displaying an overlay message claiming that the user’s personal information is being verified while malicious actions are performed in the background, including requesting additional permissions and adding itself as a device administrator app
“BankBot-YNRK exhibits a comprehensive feature set aimed at maintaining long-term access, stealing financial data, and executing fraudulent transactions on compromised Android devices,” CYFIRMA said.
The disclosure comes as F6 revealed that threat actors, posing as food delivery services, marketplaces, banking services and parcel tracking applications, are distributing an updated version of DeliveryRAT targeting Russian Android device owners. The mobile threat is believed to have been active since mid-2024.
According to the Russian cybersecurity company, the malware is advertised under a Malware-as-a-Service (MaaS) model through a Telegram bot called Bonvi Team, providing users with access to either an APK file or links to phishing pages that distribute the malware.
The victims are then contacted over messaging apps like Telegram, where they are asked to track orders from fake marketplaces or to download the malicious app as part of a fake remote job offer. Regardless of the lure, the app requests access to notifications and battery optimization settings so that it can collect sensitive data and keep running in the background without being terminated.
Furthermore, the rogue apps can access SMS messages and call logs and hide their icons from the home screen launcher, making it difficult for a less tech-savvy user to remove them from the device.
Some iterations of DeliveryRAT are also equipped to conduct distributed denial-of-service (DDoS) attacks by launching simultaneous requests for URL links transmitted from external servers or launching capture activities by prompting the user to scan a QR code.
The discovery of the two Android malware families coincides with a report from Zimperium, which has found more than 760 Android apps since April 2024 that misuse near-field communication (NFC) to illegally obtain payment data and send it to a remote attacker.
These fake apps, masquerading as financial applications, trick users into setting them as their default payment method, taking advantage of Android’s host-based card emulation (HCE) to steal contactless credit card and payment data.
The information is sent either to Telegram channels or to a dedicated app operated by the threat actors. The stolen NFC data is used to withdraw funds from victims’ accounts or to make purchases almost instantly at point-of-sale (POS) terminals.
“About 20 institutions have been impersonated – primarily Russian banks and financial services, but organizations in Brazil, Poland, the Czech Republic and Slovakia have also been targeted,” the mobile security company said.