Emergence of BankBot-YNRK and DeliveryRAT Android Trojans Targeting Financial Data

Date: November 3, 2025

Recent analyses by cybersecurity firms have uncovered two distinct Android malware families, BankBot-YNRK and DeliveryRAT, both designed to exfiltrate sensitive financial and personal data from compromised mobile devices. These malware variants demonstrate increasing sophistication in avoiding detection, maintaining persistence, and exploiting legitimate Android features for malicious purposes.

BankBot-YNRK Overview

The BankBot-YNRK malware family was analyzed by CYFIRMA, which examined three related samples. Each variant impersonates a legitimate Indonesian government application named Identitas Kependudukan Digital to deceive users into installation.

Associated APK package names:

  • com.westpacb4a.payqingynrk1b4a
  • com.westpacf78.payqingynrk1f78
  • com.westpac91a.payqingynrk191a

Evasion and Targeting Mechanisms

BankBot-YNRK incorporates several anti-analysis techniques, including:

  • Verification of execution within a real device by checking manufacturer and model identifiers.
  • Avoidance of emulated or virtualized environments commonly used by malware analysts.
  • Identification of specific device brands such as Oppo, Google Pixel, and Samsung, enabling device-specific functions.

These measures allow the malware to selectively execute on supported devices, reducing exposure and improving attack precision.

Persistence and Privilege Escalation

Once deployed, BankBot-YNRK communicates with a remote command-and-control (C2) server (ping.ynrkone[.]top) and uses Android’s JobScheduler service to maintain persistence following device restarts.

The malware also prompts the user to enable Accessibility Services, granting itself elevated privileges to perform a wide range of unauthorized operations.

Functional Capabilities

BankBot-YNRK supports numerous malicious operations, including:

  • Harvesting contacts, SMS messages, location data, clipboard content, and lists of installed applications.
  • Capturing screen content to reconstruct banking or financial app interfaces, enabling credential theft.
  • Redirecting incoming calls using MMI codes.
  • Impersonating legitimate applications such as Google News by changing its own icon and interface to resemble them.
  • Executing overlay attacks that display false verification messages while silently requesting permissions and device administrator privileges.
  • Targeting a predefined list of 62 financial applications and several cryptocurrency wallets.

Android Version Impact

The malware primarily affects Android versions 13 and below. Beginning with Android 14, Google has implemented stricter permission controls that prevent accessibility services from automatically granting app privileges, effectively mitigating this attack vector.

DeliveryRAT Overview

The DeliveryRAT malware, analyzed by F6, is distributed under the guise of legitimate applications such as food delivery, banking, parcel tracking, and marketplace platforms. The campaign primarily targets Android users in Russia and has been active since mid-2024.

The distribution follows a Malware-as-a-Service (MaaS) model, managed through a Telegram bot referred to as “Bonvi Team.” Threat actors can purchase either APK packages or phishing links distributing the trojan.

Infection Vectors

Victims are typically lured through:

  • Fraudulent messages on Telegram or other social media platforms.
  • Fake online job postings or marketplace listings.
  • Links claiming to provide order tracking or delivery updates.

Once installed, the malware requests access to notifications and battery optimization settings to ensure continuous background operation.

Malicious Behavior

DeliveryRAT is capable of:

  • Accessing and exfiltrating SMS messages and call logs.
  • Hiding its application icon to evade detection by the user.
  • Executing distributed denial-of-service (DDoS) attacks by sending coordinated HTTP requests to attacker-controlled domains.
  • Initiating malicious activities through QR code manipulation.
  • Maintaining background persistence even when the screen is off or the app is not actively used.

Additional Findings: NFC-Based Financial Data Theft

A related investigation by Zimperium revealed over 760 Android applications misusing Near-Field Communication (NFC) features to illicitly obtain payment card data.

These applications impersonate financial institutions, prompt users to set them as the default payment method, and exploit Host-Based Card Emulation (HCE) to capture contactless payment data.

The stolen data is transmitted to attacker-controlled servers or messaging channels for fraudulent financial transactions.

Impersonated targets include approximately 20 banking and financial institutions across Russia, Brazil, Poland, the Czech Republic, and Slovakia.

Mitigation Recommendations

To reduce exposure to mobile malware threats such as BankBot-YNRK and DeliveryRAT, users and organizations should adopt the following measures:

  • Restrict installation of applications from third-party or unknown sources.
  • Review app permissions regularly, particularly accessibility and device administrator privileges.
  • Deploy mobile threat defense (MTD) or enterprise mobile security solutions.
  • Update Android devices to the latest version (preferably Android 14 or above).
  • Conduct security awareness training for users on phishing and malicious application risks.
  • Monitor network traffic for connections to known C2 infrastructure such as ynrkone[.]top.
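The following script is an added example, not code from CYFIRMA, F6 or any of the reports described above. It turns two of the indicators on this page into a simple hunting check: it refangs the published C2 domain (ping.ynrkone[.]top) and flags DNS or proxy log lines that resolve it or any subdomain of ynrkone[.]top, and it checks an Android package inventory (in the "package:<name>" form produced by "adb shell pm list packages") against the three BankBot-YNRK package names listed earlier. The log lines, log format and package inventory below are constructed sample data; real telemetry will need its own field extraction.

```python
"""Hunting helper for the BankBot-YNRK indicators published on this page.

Added example, not part of any vendor report. Matches:
  1. DNS/proxy log lines that touch the C2 domain ping.ynrkone[.]top or any
     host under ynrkone[.]top (subdomain matching is an assumption that goes
     slightly beyond the single hostname the page lists).
  2. Android package inventories containing a known BankBot-YNRK package name.
All sample data below is constructed, not captured from a real device or network.
"""
import re

# Indicators exactly as published, in defanged form.
C2_DOMAINS_DEFANGED = ["ping.ynrkone[.]top", "ynrkone[.]top"]
MALICIOUS_PACKAGES = {
    "com.westpacb4a.payqingynrk1b4a",
    "com.westpacf78.payqingynrk1f78",
    "com.westpac91a.payqingynrk191a",
}


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('[.]') back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


C2_DOMAINS = [refang(d) for d in C2_DOMAINS_DEFANGED]

# Loose hostname extractor: enough for DNS query logs and proxy logs.
# Pure IPv4 addresses do not match because the last label must be alphabetic.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)


def host_matches_c2(host: str) -> bool:
    """True if host equals a C2 domain or is a subdomain of one.

    Suffix matching is done on a label boundary, so 'notynrkone.top'
    is NOT treated as a hit; a trailing dot (FQDN form) is tolerated.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in C2_DOMAINS)


def scan_dns_log(lines):
    """Return (line_number, matched_host) for each line touching C2 infrastructure."""
    hits = []
    for n, line in enumerate(lines, start=1):
        for host in HOST_RE.findall(line):
            if host_matches_c2(host):
                hits.append((n, host.lower().rstrip(".")))
                break  # one hit per line is enough for triage
    return hits


def scan_package_list(lines):
    """Parse 'pm list packages' style output and return known-bad package names."""
    found = []
    for line in lines:
        line = line.strip()
        name = line[len("package:"):] if line.startswith("package:") else line
        if name in MALICIOUS_PACKAGES:
            found.append(name)
    return found


# Constructed sample data (not real telemetry).
SAMPLE_DNS_LOG = [
    "2025-11-03T10:12:01Z client=10.0.0.21 query=www.example.com type=A",
    "2025-11-03T10:12:07Z client=10.0.0.37 query=ping.ynrkone.top type=A",
    "2025-11-03T10:12:09Z client=10.0.0.37 query=api.YNRKONE.TOP. type=A",
    "2025-11-03T10:12:15Z client=10.0.0.21 query=notynrkone.top type=A",
]

SAMPLE_PACKAGE_LIST = [
    "package:com.android.chrome",
    "package:com.westpacf78.payqingynrk1f78",
    "package:com.example.notes",
]

if __name__ == "__main__":
    for n, host in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"C2 contact on log line {n}: {host}")
    for pkg in scan_package_list(SAMPLE_PACKAGE_LIST):
        print(f"Known BankBot-YNRK package installed: {pkg}")
```

Run it against a DNS resolver export or a proxy log and a per-device package dump; the fourth sample line shows why the suffix check is anchored on a label boundary, since a plain substring match would raise a false positive on unrelated domains that merely contain the C2 name.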

Conclusion

The emergence of BankBot-YNRK and DeliveryRAT underscores the continued evolution of Android-based financial malware. Both families exhibit advanced evasion, persistence, and credential theft capabilities, posing a significant risk to individuals and financial institutions alike.

As mobile platforms become increasingly central to personal and enterprise financial operations, proactive security measures, policy enforcement, and user education remain critical components of defense.