New Android Malware Poses Risk of Rapid Bank Account Theft

New Android malware, BankBot YNRK, poses a significant threat by silencing devices, stealing banking data, and draining cryptocurrency wallets within seconds of infection.

Android users are increasingly facing a surge in financial malware, with threats like Hydra, Anatsa, and Octo demonstrating how easily attackers can take control of a device. These malicious programs can read everything displayed on the screen and deplete bank accounts before users even realize something is amiss. While security updates have helped mitigate some of these threats, malware developers continually adapt their tactics. The latest variant, known as BankBot YNRK, is one of the most sophisticated yet, capable of silencing phones, taking screenshots of banking applications, reading clipboard entries, and automating transactions in cryptocurrency wallets.

BankBot YNRK operates by embedding itself within counterfeit Android applications that appear legitimate upon installation. Researchers at Cyfirma analyzed samples of this malware and found that attackers often disguise their malicious apps as official digital ID tools. Once installed, the malware begins to profile the device, collecting information such as brand, model, and installed applications. It checks whether the device is an emulator to evade automated security checks and maps known models to screen resolutions, allowing it to tailor its actions to specific devices.

To further blend in, BankBot YNRK can masquerade as Google News by altering its app name and icon, while loading the actual news.google.com site within a WebView. This deception allows the malware to operate unnoticed in the background. One of its initial actions is to mute audio and notification alerts, preventing victims from receiving any alerts about incoming messages, alarms, or calls that could indicate unusual account activity.

Once it gains access to Accessibility Services, the malware can interact with the device interface as if it were the user. This capability allows it to press buttons, scroll through screens, and read everything displayed on the device. Additionally, BankBot YNRK establishes itself as a Device Administrator app, complicating its removal and ensuring it can restart itself after a reboot. To maintain persistent access, it schedules recurring background tasks that relaunch the malware every few seconds as long as the phone remains connected to the internet.

Upon receiving commands from its remote server, the malware can exert near-complete control over the infected device. It sends device information and lists of installed applications to the attackers, who then provide a list of financial apps to target. This list includes major banking applications used in countries such as Vietnam, Malaysia, Indonesia, and India, as well as several global cryptocurrency wallets.

With Accessibility permissions enabled, BankBot YNRK can read everything displayed on the screen, capturing user interface metadata such as text, view IDs, and button positions. This information enables it to reconstruct a simplified version of any app’s interface, allowing it to enter login credentials, navigate menus, or confirm transactions. The malware can also set text within fields, install or uninstall applications, take photos, send SMS messages, enable call forwarding, and open banking apps in the background while the screen appears inactive.

In cryptocurrency wallets, BankBot YNRK functions like an automated bot, capable of opening applications such as Exodus or MetaMask, reading balances and seed phrases, dismissing biometric prompts, and executing transactions. Since all actions occur through Accessibility, the attacker does not require passwords or PINs; anything visible on the screen suffices for the malware to operate.

The malware also monitors the clipboard, meaning that if users copy one-time passwords (OTPs), account numbers, or cryptocurrency keys, that data is immediately sent to the attackers. With call forwarding enabled, incoming bank verification calls can be silently redirected, allowing the malware to act quickly and efficiently.

As banking trojans become increasingly sophisticated, users can adopt several habits to reduce the risk of compromise. Strong antivirus software is essential for detecting suspicious behavior early, alerting users to risky permissions, and blocking known malware threats. Many reputable antivirus programs also scan links and messages for potential dangers, providing an additional layer of protection against fast-moving scams.

To safeguard against malicious links that could install malware, users should avoid downloading APKs from unverified websites, forwarded messages, or social media posts. Most banking malware spreads through sideloaded applications that may appear legitimate but contain hidden malicious code. While the Google Play Store is not infallible, it offers scanning, app verification, and regular takedowns that significantly reduce the risk of installing infected applications.

Regularly updating system software is crucial, as updates often patch security vulnerabilities that attackers exploit. It is equally important to keep applications up to date, as outdated versions may contain weaknesses that can be targeted. Enabling automatic updates ensures that devices remain protected without requiring manual checks.

Using a password manager can help create long, unique passwords for each account, minimizing the risk of malware capturing sensitive information. Additionally, users should check if their email addresses have been exposed in past data breaches. Many password managers include built-in breach scanners to alert users if their credentials appear in known leaks.

Implementing two-factor authentication (2FA) adds an extra layer of security, requiring a confirmation step through an OTP, authenticator app, or hardware key. While 2FA cannot prevent malware from taking control of a device, it significantly limits the extent of what an attacker can do with stolen credentials.

Malware like BankBot YNRK exploits permissions such as Accessibility and Device Admin, which grant deep control over devices. Regularly reviewing which apps hold these permissions, and uninstalling any unfamiliar applications, helps spot potential threats early. By being vigilant and cautious about enabling special permissions, users can better protect themselves from these advanced threats.
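One way to put that permission review into practice on a fleet is to pull the Accessibility setting from each device over adb and flag any service whose package is not expected to hold it. The script below is an added example, not code from the article or from Cyfirma; it assumes the analyst maintains the `EXPECTED_PACKAGES` allowlist, and the sample value is constructed.

```python
"""Triage helper: flag accessibility services enabled on an Android device.

Input is the raw value of the Secure setting 'enabled_accessibility_services',
obtained with:  adb shell settings get secure enabled_accessibility_services
Entries are 'package/Service' component names separated by ':'; a relative
class name ('pkg/.Svc') is expanded to 'pkg/pkg.Svc', and an unset setting
prints the literal string 'null'.
"""

# Hypothetical allowlist kept by the analyst: packages expected to hold
# Accessibility on the managed fleet (TalkBack here). Anything else is flagged.
EXPECTED_PACKAGES = {
    "com.google.android.marvin.talkback",
}


def parse_services(raw: str) -> list[tuple[str, str]]:
    """Split the setting value into (package, fully-qualified class) pairs."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset: no services enabled
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:              # skip empty or malformed fragments
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):           # expand relative class name
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def flag_unexpected(raw: str, expected=EXPECTED_PACKAGES) -> list[str]:
    """Return flattened component names whose package is not on the allowlist."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_services(raw) if pkg not in expected]


# Constructed sample value (not from a real device or the Cyfirma report):
# TalkBack plus a second, unknown service registered by a sideloaded "ID" app.
SAMPLE = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeid/.AccessService"
)

if __name__ == "__main__":
    for component in flag_unexpected(SAMPLE):
        print("unexpected accessibility service:", component)
```

The same allowlist approach applies to Device Admin receivers, which are listed by `adb shell dumpsys device_policy`.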

As the landscape of mobile malware continues to evolve, it is crucial for Android users to remain informed and proactive in safeguarding their devices against threats like BankBot YNRK.
