Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data

Cybersecurity researchers have identified two advanced Android malware strains that target users’ financial data, cryptocurrency wallets, and personal information. The threats, named BankBot-YNRK and DeliveryRAT, are spreading through malicious APK files and fake apps that impersonate legitimate services, including an Indonesian government identity app. These discoveries highlight the continued rise in malware targeting Android devices in 2025, as cybercriminals refine mobile infection methods for financial theft and fraud.

What Happened

According to cybersecurity firm CYFIRMA, the newly analyzed BankBot-YNRK Android trojan has been discovered in three malicious APK samples named IdentitasKependudukanDigital.apk. The fake apps imitate the legitimate Indonesian government app Identitas Kependudukan Digital, which is used for digital identity verification and citizen registration.

Each sample of BankBot-YNRK exhibits anti-analysis, device profiling, and persistence capabilities designed to keep it hidden on the victim’s phone while maintaining remote access. Once installed, the malware disables system sounds and notifications to prevent the victim from noticing suspicious behavior. It then communicates with its command-and-control (C2) server at ping[.]ynrkone[.]top and begins collecting sensitive data such as contacts, messages, device identifiers, and financial app credentials.

BankBot-YNRK Analysis

CYFIRMA’s investigation found that BankBot-YNRK is one of the most sophisticated Android banking trojans observed this year. It uses a series of checks to detect if it is running inside an emulator or virtual environment, helping it avoid detection by security analysts. The malware also performs device fingerprinting to identify whether it is operating on an Oppo, Samsung, or Google Pixel device, selectively activating certain features depending on the model.

Once active, the malware abuses Android’s Accessibility Services to gain elevated privileges. This allows it to simulate user actions, grant itself additional permissions, and even enable Device Administrator privileges. These steps give the trojan full control of the device, enabling it to launch overlays, read screen data, and record interactions within banking and cryptocurrency apps.

Researchers observed that BankBot-YNRK can impersonate Google News by replacing its own app name and icon, then opening news.google[.]com inside a WebView to appear legitimate. Meanwhile, in the background, the malware executes malicious commands such as taking photos, retrieving SMS messages, forwarding calls, and capturing clipboard data, including potential cryptocurrency wallet seed phrases or private keys.

The trojan connects to its C2 server through port 8181, where it exchanges device information, accessibility status, and a list of installed apps. The server responds with commands for data collection and control. In some cases, the malware uses a WebSocket connection on port 8989 to maintain live communication with the attacker.

BankBot-YNRK targets at least 62 financial apps, including mobile banking services across Asia and Europe. It has been confirmed to target cryptocurrency wallets such as Exodus, Trust Wallet, MetaMask, SafePal, Coinomi, and BitKeep. Through accessibility automation, it can open these wallets, scrape sensitive data, and perform unauthorized transactions.

Technical analysis also confirmed heavy code obfuscation using the “nmm-protect” package, persistence through Android’s JobScheduler, and advanced evasion logic. The malware’s comprehensive command set includes actions for installing or removing apps, unlocking screens, navigating interfaces, simulating clicks, sending SMS messages, and downloading or executing payloads.

DeliveryRAT Campaign

In a related discovery, Russian cybersecurity researchers from F6 Labs identified an updated version of another mobile threat called DeliveryRAT. This malware targets Russian Android device owners by disguising itself as food delivery or parcel tracking apps. It operates under a malware-as-a-service (MaaS) model and is advertised through a Telegram bot named “Bonvi Team.” Threat actors can buy access to ready-made APKs or phishing links that spread the malware through social media or chat apps.

Victims are often tricked into downloading DeliveryRAT after being approached on Telegram or WhatsApp with fake job offers or package notifications. Once installed, the app requests access to notifications and battery optimization settings so it can stay active in the background. It also gains permission to read SMS messages and call logs, hiding its icon from the launcher to avoid detection.

In some cases, DeliveryRAT is capable of performing distributed denial-of-service (DDoS) attacks by sending repeated requests to attacker-controlled URLs. It can also prompt users to scan malicious QR codes or visit phishing pages designed to harvest credentials. The threat has been active since mid-2024 and continues to evolve, adopting tactics seen in commercial spyware and banking trojans.

Broader Android Threat Landscape

The discovery of BankBot-YNRK and DeliveryRAT coincides with broader research from Zimperium that revealed over 760 Android apps misusing near-field communication (NFC) to steal payment data. These fake financial apps trick users into setting them as the default payment method, then exploit Android’s host-based card emulation (HCE) feature to capture contactless payment data and send it to remote servers or Telegram channels.

Many of the impersonated institutions are Russian, Brazilian, Polish, Czech, and Slovak banks. Stolen NFC data can be used instantly at point-of-sale terminals to withdraw funds or make purchases. This trend shows that Android’s financial threat landscape is expanding, with actors shifting from SMS phishing and credential theft to direct exploitation of payment and accessibility features.

Indicators of Compromise (IOCs)

ping[.]ynrkone[.]top (BankBot-YNRK C2)
Plp[.]foundzd[.]vip
Plp[.]e1in2[.]top
Plp[.]en1inei2[.]top
cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c (SHA-256)
19456fbe07ae3d5dc4a493bac27921b02fc75eaa02009a27ab1c6f52d0627423 (SHA-256)
a4126a8863d4ff43f4178119336fa25c0c092d56c46c633dc73e7fc00b4d0a07 (SHA-256)
com.westpacb4a.payqingynrk1b4a
com.westpacf78.payqingynrk1f78
com.westpac91a.payqingynrk191a
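The indicators above, together with the C2 ports named in the analysis section (8181 for the command channel, 8989 for the WebSocket), are most useful when swept automatically across a fleet. The script below is an added example written for this article, not code from CYFIRMA or from the malware: it refangs the defanged domains, matches `adb shell pm list packages` output, a simple device network log, and SHA-256 file hashes against the IOC list. The log line format, the device names, and the sample inputs are constructed for the example; the regular expression that generalizes the three listed package names is an assumption derived from them, not something the article states.

```python
"""IOC sweep for the BankBot-YNRK indicators listed in this article.

Added example, not from the article or from CYFIRMA. Sample inputs below are
constructed; the network log format is an assumption for this example.
"""
import re

# Indicators copied from the IOC section; domains are defanged on the page.
IOC_DOMAINS = {
    d.replace("[.]", ".").lower()
    for d in (
        "ping[.]ynrkone[.]top",
        "Plp[.]foundzd[.]vip",
        "Plp[.]e1in2[.]top",
        "Plp[.]en1inei2[.]top",
    )
}
IOC_SHA256 = {
    "cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c",
    "19456fbe07ae3d5dc4a493bac27921b02fc75eaa02009a27ab1c6f52d0627423",
    "a4126a8863d4ff43f4178119336fa25c0c092d56c46c633dc73e7fc00b4d0a07",
}
IOC_PACKAGES = {
    "com.westpacb4a.payqingynrk1b4a",
    "com.westpacf78.payqingynrk1f78",
    "com.westpac91a.payqingynrk191a",
}
# C2 ports named in the analysis: 8181 (command channel), 8989 (WebSocket).
C2_PORTS = {8181, 8989}

# Heuristic (assumption derived from the three listed names): each package is
# com.westpac<3 hex>.payqingynrk1<same 3 hex>. Catches unlisted siblings.
YNRK_PACKAGE_RE = re.compile(r"^com\.westpac([0-9a-f]{3})\.payqingynrk1\1$")


def parse_pm_list(pm_output: str) -> list[str]:
    """Extract package names from `adb shell pm list packages` output."""
    return [line[len("package:"):].strip()
            for line in pm_output.splitlines() if line.startswith("package:")]


def match_packages(packages) -> tuple[list[str], list[str]]:
    """Return (exact IOC hits, heuristic-only hits) for installed packages."""
    exact = sorted(p for p in packages if p in IOC_PACKAGES)
    heuristic = sorted(p for p in packages
                       if p not in IOC_PACKAGES and YNRK_PACKAGE_RE.match(p))
    return exact, heuristic


def domain_is_ioc(host: str) -> bool:
    """True for an IOC domain or any subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def match_network(log_text: str) -> list[dict]:
    """Flag DNS queries and outbound connections that touch IOC domains.

    Constructed line formats:  <ts> <device> dns <qname>
                               <ts> <device> conn <host>:<port>
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, dev, kind, target = parts
        host, _, port = target.rpartition(":") if kind == "conn" else (target, "", "")
        if not domain_is_ioc(host):
            continue
        hit = {"ts": ts, "device": dev, "kind": kind, "host": host.lower()}
        if kind == "conn":
            hit["port"] = int(port)
            hit["known_c2_port"] = int(port) in C2_PORTS
        hits.append(hit)
    return hits


def match_hashes(sha256_list) -> list[str]:
    """Case-insensitive match of file hashes against the IOC hashes."""
    return sorted(h.lower() for h in sha256_list if h.lower() in IOC_SHA256)


# Constructed sample inputs: one listed package, one heuristic sibling,
# benign traffic mixed with C2 lookups, and one hash in mixed case.
SAMPLE_PM_OUTPUT = """\
package:com.android.chrome
package:com.westpacb4a.payqingynrk1b4a
package:com.google.android.gm
package:com.westpac3c9.payqingynrk13c9
"""
SAMPLE_NET_LOG = """\
2025-11-04T09:12:03Z android-7f3 dns ping.ynrkone.top
2025-11-04T09:12:04Z android-7f3 conn ping.ynrkone.top:8181
2025-11-04T09:12:05Z android-7f3 dns news.google.com
2025-11-04T09:13:41Z android-7f3 dns cdn.plp.foundzd.vip
2025-11-04T09:13:42Z android-7f3 conn ping.ynrkone.top:443
"""
SAMPLE_HASHES = [
    "CB25B1664A856F0C3E71A318F3E35EEF8B331E047ACAF8C53320439C3C23EF7C",
    "0000000000000000000000000000000000000000000000000000000000000000",
]


def sweep(pm_output=SAMPLE_PM_OUTPUT, net_log=SAMPLE_NET_LOG, hashes=SAMPLE_HASHES) -> dict:
    """Run every matcher and return the combined findings."""
    exact, heuristic = match_packages(parse_pm_list(pm_output))
    return {
        "packages_exact": exact,
        "packages_heuristic": heuristic,
        "network": match_network(net_log),
        "hashes": match_hashes(hashes),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(sweep(), indent=2))
```

A connection to an IOC domain on 8181 or 8989 is reported with `known_c2_port` set, while the same host on another port is still reported but without that corroboration; the heuristic package hits are listed separately from exact matches so that an analyst can triage them with the appropriate confidence.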

How to Stay Protected

To protect against mobile threats like BankBot-YNRK and DeliveryRAT, experts recommend the following actions:

  • Download apps only from trusted sources such as Google Play, and verify the developer’s identity before installation.
  • Be cautious of applications requesting Accessibility Services or Device Administrator permissions.
  • Update to Android 14 or higher, which restricts the misuse of accessibility permissions by malicious apps.
  • Disable “Install unknown apps” on your device to prevent installation of rogue APK files.
  • Use reputable mobile protection software like Malwarebytes to detect and remove hidden or obfuscated malware.
  • Monitor for suspicious activity such as muted notifications, sudden performance drops, or apps disappearing from the launcher.
  • If compromised, disconnect from the internet, perform a factory reset, and reset passwords for all banking and crypto accounts.
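The second recommendation above is hard to follow by eye, because Android does not surface a single list of which apps currently hold Accessibility Service grants. The script below is an added example, not part of the article: it parses the value of the Secure setting `enabled_accessibility_services` (readable on a debug-connected device with `adb shell settings get secure enabled_accessibility_services`) and reports any granting package that is not on an expected list. The expected-package list, the sample setting value and the service class names in it are constructed for the example.

```python
"""Review which apps hold Accessibility Service grants on an Android device.

Added example, not from the article. Input is the Secure setting
`enabled_accessibility_services`; the sample value below is constructed.
"""

# Packages a fleet expects to hold accessibility grants (assumption).
EXPECTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}


def parse_enabled_accessibility_services(value: str) -> list[tuple[str, str]]:
    """Split the colon-separated 'pkg/Class' list into (package, class) pairs.

    Android's flattened short form abbreviates the class as '.Class' when it
    lives in the granting package; expand it so results are uniform. The
    literal string 'null' (setting unset) has no '/', so it yields nothing.
    """
    pairs = []
    for entry in value.strip().split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def unexpected_accessibility_grants(value: str,
                                    expected=EXPECTED_ACCESSIBILITY_PACKAGES) -> list[str]:
    """Packages holding accessibility grants that are not on the expected list."""
    return sorted({pkg for pkg, _ in parse_enabled_accessibility_services(value)
                   if pkg not in expected})


# Constructed sample: a legitimate screen reader plus a BankBot-YNRK package
# name from this article's IOC list with a constructed service class.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.westpacb4a.payqingynrk1b4a/.a.AccessService"
)

if __name__ == "__main__":
    for pkg in unexpected_accessibility_grants(SAMPLE_SETTING):
        print("unexpected accessibility grant:", pkg)
```

Any package reported here deserves the same scrutiny as an unknown sideloaded APK; the same review applies to Device Administrator owners, which Android exposes separately.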

Android malware continues to evolve with tactics that blend technical sophistication and social engineering. BankBot-YNRK’s device profiling and crypto theft features, combined with DeliveryRAT’s deceptive distribution model, demonstrate that mobile security must remain a top priority for both users and organizations. Staying updated and using dedicated anti-malware tools are among the most effective ways to defend against these emerging threats.

Sean Doyle

Sean is a distinguished tech author and entrepreneur with over 20 years of extensive experience in cybersecurity, privacy, malware, Google Analytics, online marketing, and various other tech domains. His expertise and contributions to the industry have been recognized in numerous esteemed publications. Sean is widely acclaimed for his sharp intellect and innovative insights, solidifying his reputation as a leading figure in the tech community. His work not only advances the field but also helps businesses and individuals navigate the complexities of the digital world.
