Cybersecurity researchers have identified two Android trojan families, BankBot‑YNRK and DeliveryRAT, that are capable of harvesting credentials and other sensitive data from compromised devices. CYFIRMA analyzed three BankBot‑YNRK samples and reported the malware uses emulator checks and device manufacturer and model checks to avoid analysis and to target specific devices.
The BankBot samples were distributed in packages named IdentitasKependudukanDigital.apk and appear to impersonate an Indonesian government application. The apps mute audio streams, collect device information, contact a command server, and prompt users to enable accessibility services via an “OPEN_ACCESSIBILITY” command to gain elevated control; CYFIRMA said the code targets Android 13 and earlier because Android 14 restricts automatic permission bypass via accessibility.
CYFIRMA said BankBot‑YNRK uses Android JobScheduler to persist after reboot and supports commands to obtain device administrator privileges, manage apps, take photos, redirect calls using MMI codes, and exfiltrate contacts, SMS, location, installed‑app lists and clipboard contents. The malware can replace its app icon and name to impersonate Google News, capture screen content to reconstruct application UIs, abuse accessibility services to automate actions in cryptocurrency wallet apps, and display overlays while requesting extra permissions.
Russian researchers at F6 revealed an updated DeliveryRAT variant that targets Russian Android users with fake food delivery, marketplace, banking and parcel‑tracking apps, and assessed the family has been active since mid‑2024. F6 also reported the malware is advertised as malware‑as‑a‑service through a Telegram bot offering APKs or phishing links, and that actors solicit targets via messaging apps to install apps presented as order trackers or remote job tools.
DeliveryRAT samples request notification access and battery optimization exemptions, can read SMS and call logs, hide their launcher icons and run in the background, and some iterations include routines to perform distributed denial‑of‑service actions. Zimperium has separately reported more than 760 Android apps since April 2024 that misuse NFC host‑based card emulation to steal contactless payment data and relay it to attackers for near‑instant fraud.
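The capabilities described above (accessibility abuse, notification access, battery‑optimization exemptions, SMS and call‑log reads, device‑admin and boot persistence, NFC host‑based card emulation, hidden launcher icons) are all visible as permission and component declarations in an APK's manifest. The following static triage script is an added example, not code from CYFIRMA, F6 or Zimperium: it parses a decoded AndroidManifest.xml, flags the combinations named in the reporting and produces a review score. The weights and threshold are an illustrative assumption, not a published scoring scheme, and both sample manifests are constructed for the demonstration.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
component combinations associated with Android banking trojans.
Example code; weights and samples are assumptions, not vendor data."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"
A_ENABLED = f"{{{ANDROID_NS}}}enabled"

# Illustrative weights (assumption): higher for data-theft and persistence.
PERMISSION_WEIGHTS = {
    "android.permission.READ_SMS": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.READ_CALL_LOG": 3,
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,   # overlays
    "android.permission.RECEIVE_BOOT_COMPLETED": 1,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.CAMERA": 1,
    "android.permission.ACCESS_FINE_LOCATION": 1,
    "android.permission.NFC": 1,
}
# Services bound with these permissions are the accessibility, notification
# listener, device-admin and NFC HCE entry points.
SERVICE_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 4,
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": 3,
    "android.permission.BIND_DEVICE_ADMIN": 3,
    "android.permission.BIND_NFC_SERVICE": 2,
}
REVIEW_THRESHOLD = 6  # assumption


def triage_manifest(xml_text: str) -> dict:
    """Return a score, the findings behind it, and a verdict for one manifest."""
    root = ET.fromstring(xml_text.strip())
    findings = {}
    for perm in root.iter("uses-permission"):
        name = perm.get(A_NAME, "")
        if name in PERMISSION_WEIGHTS:
            findings[name] = PERMISSION_WEIGHTS[name]

    app = root.find("application")
    has_launcher = launcher_disabled = False
    if app is not None:
        for svc in app.iter("service"):
            bind = svc.get(A_PERMISSION, "")
            if bind in SERVICE_WEIGHTS:
                findings[bind] = SERVICE_WEIGHTS[bind]
        # A LAUNCHER entry declared disabled (or absent) is one way an app
        # ends up with no visible icon; runtime hiding is not visible here.
        for comp in list(app.iter("activity")) + list(app.iter("activity-alias")):
            for intent in comp.iter("intent-filter"):
                cats = {c.get(A_NAME) for c in intent.iter("category")}
                if "android.intent.category.LAUNCHER" in cats:
                    has_launcher = True
                    if comp.get(A_ENABLED, "true") == "false":
                        launcher_disabled = True
    if not has_launcher or launcher_disabled:
        findings["launcher-hidden-or-missing"] = 2

    score = sum(findings.values())
    verdict = "review" if score >= REVIEW_THRESHOLD else "low"
    return {"score": score, "findings": findings, "verdict": verdict}


# Constructed sample: an ordinary app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
  </application>
</manifest>"""

# Constructed sample mirroring the reported combination: SMS/call-log reads,
# battery-optimization exemption, boot persistence, accessibility and
# notification-listener services.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.tracker">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity">
      <intent-filter>
        <action android:name="android.intent.action.MAIN"/>
        <category android:name="android.intent.category.LAUNCHER"/>
      </intent-filter>
    </activity>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Notif"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for label, text in (("benign", BENIGN_MANIFEST), ("suspect", SUSPECT_MANIFEST)):
        print(label, triage_manifest(text))
```

Run against a manifest decoded with apktool or aapt2; a "review" verdict is a prompt for dynamic analysis, not a conviction, since legitimate SMS, launcher and accessibility apps declare some of the same entries. The launcher check only catches icon hiding that is declared in the manifest; icons disabled at runtime through the package manager need on-device telemetry.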
Researchers warned the campaigns target banking and financial services and have been observed impersonating institutions in Russia, Brazil, Poland, the Czech Republic and Slovakia.