Full Report
Cybersecurity researchers have shed light on two different Android trojans, called BankBot-YNRK and DeliveryRAT, that are capable of harvesting sensitive data from compromised devices. According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking whether it is running within a virtualized or emulated environment.
Analysis Summary
# Tool/Technique: BankBot-YNRK
## Overview
BankBot-YNRK is an Android trojan primarily focused on harvesting sensitive data, especially financial information, from compromised mobile devices. It employs sophisticated evasion techniques and targets numerous financial applications.
## Technical Details
- Type: Malware family
- Platform: Android (Android 13 and below are fully affected; the Android 14 changes to Accessibility Services limit the technique)
- Capabilities: Financial data theft, device information harvesting, accessibility service abuse, overlay attacks.
- First Seen: Not explicitly stated, but analysis was reported by CYFIRMA in November 2025.
## MITRE ATT&CK Mapping
* **TA0001 - Initial Access**
  * T1430.002 - Valid Accounts: Compromise via malicious app installation (implied by impersonation/distribution).
* **TA0005 - Defense Evasion**
  * T1027.004 - Obfuscated Files or Information: Checking for virtualization/emulation environments.
* **TA0008 - Lateral Movement** (Not explicitly detailed, but implied by establishing a foothold)
* **TA0009 - Collection**
  * T1432 - Input Capture: Reconstructing UI via screen capture to steal credentials.
  * T1431 - Data from Local System: Harvesting contacts, SMS messages, device details, and clipboard content.
* **TA0011 - Command and Control**
  * T1477 - Data Exfiltration to C2 (Implied by communicating with a remote server).
* **TA0016 - Privilege Escalation**
  * T1486 - Accessibility Features: Abusing Accessibility Services to gain elevated privileges.
## Functionality
### Core Capabilities
- **Data Harvesting:** Collecting device manufacturer/model, contacts, SMS messages, location data, installed app lists, and clipboard content.
- **Evasion:** Checking for virtualization/emulation environments and specific device types (e.g., Google Pixel, Samsung, Oppo, or devices running ColorOS) to customize or stop execution.
- **Notification Suppression:** Setting audio stream volumes (music, ringtone, notification) to zero to conceal malicious activity or incoming alerts.
- **Persistence:** Utilizing Android's JobScheduler service to ensure relaunching after a reboot.
### Advanced Features
- **Accessibility Abuse:** Command-driven activation of accessibility services to bypass permission restrictions (effective up to Android 13), enabling unauthorized actions.
- **Financial Fraud Automation:** Abusing accessibility services to open known cryptocurrency wallet apps and automating UI interactions to initiate unauthorized transactions.
- **Overlay Attacks:** Displaying an overlay message falsely claiming "personal information verification" while executing malicious procedures (granting permissions, setting device admin).
- **UI Reconstruction:** Capturing screen content to build a "skeleton UI" profile of banking apps for credential theft reconstruction.
- **Targeted Functionality:** Device-specific logic to apply certain functions only on recognized or supported device models.
- **App Spoofing:** Impersonating Google News by changing the application name/icon and launching `news.google[.]com` in a WebView.
## Indicators of Compromise
- File Hashes: Analysis conducted on three samples (Hashes not provided in context).
- File Names: `IdentitasKependudukanDigital.apk` (Impersonating an Indonesian government app).
- Package IDs:
  - `com.westpacb4a.payqingynrk1b4a`
  - `com.westpacf78.payqingynrk1f78`
  - `com.westpac91a.payqingynrk191a`
- Network Indicators: `ping.ynrkone[.]top`
- Behavioral Indicators:
  - Establishing communication with C2 upon installation.
  - Receiving and executing the `OPEN_ACCESSIBILITY` command.
  - Attempting to set device administrator privileges.
  - Modifying volume settings for audio streams.
## Associated Threat Actors
- Not explicitly named in the provided context, but associated with the BankBot malware family lineage.
## Detection Methods
- Signature-based detection: Based on package names or file hashes (samples analyzed by CYFIRMA).
- Behavioral detection: Monitoring for attempts to utilize or enable Accessibility Services, volume manipulation, JobScheduler persistence setup, and network communication to the C2 domain.
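The indicators and detection notes above can be turned into a static triage check that runs over an already-extracted APK manifest summary. This is an added example, not CYFIRMA's tooling or code from the report; the variant-name regex is an assumption inferred from the three listed package IDs, and the sample input is constructed.

```python
"""Static triage for the BankBot-YNRK behaviour cluster in this report.
Added example, not CYFIRMA tooling; the sample input below is constructed."""
import re

# Indicators from the report; the domain is defanged on the page, refanged here.
KNOWN_PACKAGES = {"com.westpacb4a.payqingynrk1b4a", "com.westpacf78.payqingynrk1f78",
                  "com.westpac91a.payqingynrk191a"}
KNOWN_C2 = {"ping.ynrkone[.]top".replace("[.]", ".")}
# Assumption: the three IDs share one scheme (a 3-hex-digit tag repeated in both
# segments). This regex is inferred from them, not a confirmed signature.
VARIANT_RE = re.compile(r"^com\.westpac([0-9a-f]{3})\.payqingynrk1\1$")

# Report behaviours -> manifest permission strings that enable them (real Android
# identifiers). Volume suppression needs no permission and is runtime-only.
BEHAVIOURS = {
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "jobscheduler_persistence": {"android.permission.BIND_JOB_SERVICE"},
    "boot_relaunch": {"android.permission.RECEIVE_BOOT_COMPLETED"},
    "sms_harvest": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contacts_harvest": {"android.permission.READ_CONTACTS"},
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},
}

def triage(package, permissions, strings):
    """Match an extracted manifest summary against the report's IoCs/behaviours."""
    iocs = []
    if package in KNOWN_PACKAGES:
        iocs.append("known_package")
    elif VARIANT_RE.match(package):
        iocs.append("package_scheme_variant")
    if KNOWN_C2 & set(strings):
        iocs.append("known_c2_domain")
    behaviours = sorted(k for k, p in BEHAVIOURS.items() if p & set(permissions))
    if iocs:
        verdict = "match"
    elif "accessibility_abuse" in behaviours and len(behaviours) >= 3:
        verdict = "suspicious"  # the report's cluster without a listed IoC
    else:
        verdict = "clean"
    return {"iocs": iocs, "behaviours": behaviours, "verdict": verdict}

# Constructed sample: lookalike package name plus the report's behaviour set.
SAMPLE = triage(
    "com.westpac0c1.payqingynrk10c1",
    ["android.permission.BIND_ACCESSIBILITY_SERVICE", "android.permission.BIND_DEVICE_ADMIN",
     "android.permission.READ_SMS", "android.permission.RECEIVE_BOOT_COMPLETED"],
    ["ping.ynrkone.top", "https://news.google.com"],
)
```

Behavioural matches without a listed IoC are only a triage hint; the accessibility, device-admin and boot-receiver combination is also common in legitimate MDM or assistive apps, so such hits need manual review.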
## Mitigation Strategies
- **OS Updates:** Ensure devices are running the latest stable Android versions, particularly upgrading beyond Android 13, as Android 14 mitigates automated permission granting via Accessibility Services.
- **Application Vetting:** Exercise extreme caution when installing applications, especially those impersonating legitimate government or banking apps (e.g., `IdentitasKependudukanDigital.apk`).
- **Proactive Security:** Educate users on the dangers of enabling Accessibility Services upon untrusted prompts.
- **Device Management:** Restrict the ability of non-approved applications to be set as Device Administrators.
## Related Tools/Techniques
- DeliveryRAT (Mentioned in context as another trojan analyzed alongside BankBot-YNRK).
- Other members of the BankBot malware family.
- General Android banking trojans utilizing Accessibility Service abuse.
# Tool/Technique: DeliveryRAT
## Overview
DeliveryRAT is an Android trojan, reported alongside BankBot-YNRK, that is capable of harvesting sensitive data from compromised devices.
## Technical Details
- Type: Malware family
- Platform: Android
- Capabilities: Sensitive data harvesting (Specific capabilities not detailed beyond harvesting).
- First Seen: Not explicitly stated.
## MITRE ATT&CK Mapping
* **TA0009 - Collection**
* T1431 - Data from Local System (Implied by "harvesting sensitive data").
## Functionality
### Core Capabilities
- Harvesting sensitive data from compromised devices.
### Advanced Features
- (No advanced features detailed in the provided context.)
## Indicators of Compromise
- (None provided in the context.)
## Associated Threat Actors
- (Not named in the context.)
## Detection Methods
- (Not specified in the context.)
## Mitigation Strategies
- (General Android security practices apply.)
## Related Tools/Techniques
- BankBot-YNRK (Analyzed simultaneously).