Cybersecurity firm CYFIRMA has analyzed different samples of an Android trojan dubbed BankBot-YNRK, revealing its significant capability for harvesting sensitive data from compromised smartphones. The malware is designed to be evasive, first checking to see if it’s running in an emulated or virtualized environment. Furthermore, it extracts device details like the manufacturer and model name, specifically looking to confirm execution on a real device, including checking if it’s an Oppo running ColorOS, a Google Pixel, or a Samsung device on a predefined list. This selectivity allows the threat actors to apply device-specific functionality and avoid execution on unrecognized models, thus minimizing the risk of analysis.
The malware is distributed through APK packages named “IdentitasKependudukanDigital.apk,” likely a deceptive attempt to impersonate a legitimate Indonesian government application. Once installed, the malicious apps immediately go to work by collecting device information and setting various audio streams—like music, ringtone, and notifications—to zero volume. This stealthy tactic prevents the victim from being alerted to incoming calls, messages, or other in-app notifications while the malicious activity is underway. It then establishes communication with a remote server and requests the user to enable accessibility services upon receiving a command, a crucial step for the malware to gain elevated privileges and perform its malicious actions.
BankBot-YNRK’s ability to fully realize its goals is limited to Android devices running version 13 and below. This is because Android 14, released in late 2023, introduced a significant security feature preventing the automatic request or granting of additional application permissions via accessibility services. According to CYFIRMA, while apps could bypass permission requests through accessibility features up until Android 13, this behavior is no longer possible in the newest version, forcing users to grant permissions directly through the system interface. This change effectively puts a roadblock in the malware’s primary method for privilege escalation on the latest Android OS.
To maintain persistent access, BankBot-YNRK utilizes Android’s JobScheduler service to ensure it relaunches after a device reboot. Its extensive command-and-control capabilities allow it to gain device administrator privileges, manage other apps, redirect incoming calls using MMI codes, take photos, perform file operations, and widely harvest personal data. This data includes contacts, SMS messages, location information, lists of installed applications, and clipboard content. The trojan’s comprehensive toolkit underscores its primary objective of maintaining long-term access and enabling deep surveillance on compromised devices.
Among its more advanced features, the malware can impersonate Google News by programmatically changing its name and icon and launching a WebView of news.google[.]com to appear legitimate. For financial fraud, it targets a list of 62 financial applications, capturing screen content to reconstruct a “skeleton UI” of banking apps to steal credentials. Furthermore, it abuses accessibility services to automatically open cryptocurrency wallet apps and initiate unauthorized transactions. It often displays a fraudulent overlay message claiming personal information is being verified, all while it secretly requests extra permissions and adds itself as a device administrator, cementing BankBot-YNRK as a significant and sophisticated threat focused on financial theft and long-term compromise.
Reference:
