A new and highly sophisticated strain of Android malware, identified as “BankBot YNRK,” has been uncovered by cybersecurity researchers at Cyfirma. This variant distinguishes itself from typical mobile trojans through its ability to perform advanced device profiling and automated interaction, effectively turning compromised phones into silent tools for financial theft. The malware is currently distributed through malicious applications that mimic legitimate utility tools, including fake digital ID scanners and a counterfeit version of Google News that loads the actual news.google.com website to allay user suspicion.
Once installed, BankBot YNRK initiates a “silent phase” designed to evade detection and secure long-term persistence. It immediately mutes the device’s audio streams—notification, ringtone, and media volumes are set to zero—ensuring that the victim remains unaware of incoming alerts related to unauthorized transactions.
Simultaneously, it profiles the host environment, checking for emulator indicators (such as specific battery levels or build fingerprints) to determine if it is being analyzed by security researchers. If the device passes this check, the malware abuses Android’s Accessibility Services, a feature intended to assist users with disabilities, to grant itself administrative privileges. This critical step allows the bot to read screen content, navigate menus, and simulate touch inputs without any physical interaction from the victim.
The malware’s primary objective is the theft of banking credentials and cryptocurrency assets. It communicates with a command-and-control (C2) server to fetch a target list of 62 financial applications, specifically focusing on major banking institutions in Vietnam, Malaysia, Indonesia, and India, as well as global cryptocurrency wallets like MetaMask and Exodus. Unique to this variant is its ability to scrape User Interface (UI) metadata—such as text, button positions, and view IDs—to reconstruct a “skeleton” of the targeted banking app.
This allows the attackers to automate complex login and transfer sequences in the background while the victim’s screen appears inactive. By establishing itself as a Device Administrator and scheduling recurring background jobs, BankBot YNRK ensures it automatically relaunches even after a system reboot, making removal exceptionally difficult for the average user.
