Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan


A new and highly sophisticated mobile banking Trojan, dubbed Android/BankBot-YNRK, has emerged, targeting Android users across multiple regions. The malware, analyzed in-depth by Cyfirma, demonstrates advanced evasion, persistence, and credential theft techniques that could have severe implications for individuals and organizations worldwide.

A Trojan Built for Full Control

According to the investigation, Android/BankBot-YNRK is not just another banking Trojan. It combines traditional credential-stealing behavior with modern automation and remote-control capabilities, giving attackers almost complete control over infected devices. Once installed, the malware can mute all notifications and audio alerts, disguise itself as legitimate apps like Google News, and operate silently in the background.

The malware abuses Android’s Accessibility Services—intended to assist users with disabilities—to automate taps, navigate screens, and approve permissions without user consent. This feature allows it to extract sensitive data such as banking credentials, cryptocurrency wallet keys, and one-time passwords (OTPs). It can even forward calls, intercept SMS messages, and mimic legitimate banking interfaces to trick users into entering login details.

Targeting Both Banks and Cryptocurrencies

The threat actors behind Android/BankBot-YNRK appear to have cast a wide net. The malware’s command-and-control (C2) servers deliver a long list of targeted financial institutions across Southeast Asia, including MoMo, Vietin Bank, Maybank, DBS, and ICICI, among others. It doesn’t stop at traditional banks—cryptocurrency wallets such as MetaMask, Trust Wallet, SafePal, Coinomi, and Exodus are also explicitly targeted.

Using automated interface manipulation, the Trojan can access wallet apps, read displayed content like seed phrases or balances, and even initiate unauthorized transactions. This blend of banking and crypto theft capabilities makes it one of the more versatile and dangerous mobile Trojans seen in recent months.

Built to Stay Hidden

Android/BankBot-YNRK employs a range of anti-analysis and persistence mechanisms to stay undetected:

  • It checks for virtual environments to evade sandbox analysis.
  • It profiles devices by manufacturer, model, and screen resolution—tailoring its behavior to specific devices like Samsung, Oppo, and Xiaomi.
  • It registers recurring background jobs to maintain persistence even after a reboot.
  • It requests device administrator rights to prevent uninstallation.

To avoid raising suspicion, it changes its appearance, using Google News branding and legitimate-looking content within a browser window, while continuing malicious activities in the background.

Command and Control Network

The malware communicates with its C2 server at ping[.]ynrkone[.]top, sending device information, app lists, and user data. The C2 infrastructure also serves as a “chatroom” for controlling multiple infected devices simultaneously. Researchers observed additional malicious domains, including foundzd[.]vip and e1in2[.]top, suggesting a distributed infrastructure likely managed by organized cybercriminal groups.

What Makes It Different

While many Android Trojans rely on overlays or phishing screens, BankBot-YNRK goes further by integrating device automation and accessibility abuse to perform real actions on behalf of the user. Its stealth, persistence, and cross-platform financial targeting signal a growing convergence between mobile banking malware and crypto theft operations—a trend that cybersecurity experts expect to intensify.

10 Recommended Actions for Security Teams

  1. Educate users to download apps only from trusted sources such as the Google Play Store.
  2. Review app permissions carefully, especially for apps requesting Accessibility or Device Admin rights.
  3. Deploy mobile threat defense solutions capable of detecting obfuscated malware, such as samples protected with nmm-protect.
  4. Implement Mobile Device Management (MDM) to block installation of apps from unknown sources.
  5. Update all Android devices to version 14 or higher to benefit from stricter accessibility security policies.
  6. Block known C2 domains and suspicious ports (8181, 8989) at the firewall level.
  7. Conduct periodic mobile threat hunting to identify infected devices or suspicious traffic.
  8. Restrict developer options and USB debugging on managed or enterprise-owned devices.
  9. Encourage password hygiene and MFA for banking and crypto accounts to minimize credential compromise.
  10. Isolate and reset any suspected infected devices, preserving forensic evidence for investigation.
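Steps 6, 7 and 10 above can be turned into a simple hunting pass over egress logs. The following is an added example, not code from the article or from Cyfirma's report: it sweeps constructed DNS and flow log lines for the C2 domains and the ports (8181, 8989) named in the report, and lists the devices that contacted a known C2 host as isolation candidates. The log format, device identifiers and sample lines are all constructed for this example; the indicator domains are kept defanged exactly as the report publishes them and only refanged in memory for matching.

```python
"""
Constructed detection example: sweep egress/DNS log lines for the
BankBot-YNRK network indicators named in the report (C2 domains and the
ports 8181/8989). The log format and the sample lines below are constructed
for this example and are not taken from the report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators quoted in the report, stored defanged as published.
DEFANGED_IOC_DOMAINS = ["ping[.]ynrkone[.]top", "foundzd[.]vip", "e1in2[.]top"]
SUSPICIOUS_PORTS = {8181, 8989}


def refang(domain: str) -> str:
    """Turn a defanged indicator (a[.]b) back into a matchable hostname."""
    return domain.replace("[.]", ".").lower()


IOC_DOMAINS = {refang(d) for d in DEFANGED_IOC_DOMAINS}


@dataclass(frozen=True)
class Alert:
    line_no: int
    reason: str
    device: str
    evidence: str


# Assumed (constructed) log format, one record per line:
#   "<ts> dev=<id> type=dns  qname=<host>"
#   "<ts> dev=<id> type=flow dst=<host-or-ip> dport=<port>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+dev=(?P<dev>\S+)\s+type=(?P<type>dns|flow)\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def domain_matches(host: str) -> bool:
    """True for an exact match or any subdomain of a known C2 domain.

    A trailing dot (as DNS loggers often emit) is stripped first so that
    'ping.ynrkone.top.' still matches.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_line(line_no: int, line: str) -> list[Alert]:
    """Return the alerts raised by a single log line (empty if none)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []  # unparseable lines are skipped, not treated as errors
    fields = dict(KV_RE.findall(m.group("rest")))
    dev = m.group("dev")
    alerts: list[Alert] = []
    if m.group("type") == "dns":
        qname = fields.get("qname", "")
        if domain_matches(qname):
            alerts.append(Alert(line_no, "dns-to-known-c2", dev, qname))
    else:
        dst = fields.get("dst", "")
        port = fields.get("dport", "")
        if domain_matches(dst):
            alerts.append(Alert(line_no, "flow-to-known-c2", dev, f"{dst}:{port}"))
        # Port hits are weaker evidence on their own, so they get a separate reason.
        if port.isdigit() and int(port) in SUSPICIOUS_PORTS:
            alerts.append(Alert(line_no, "suspicious-port", dev, f"{dst}:{port}"))
    return alerts


def scan_log(lines) -> list[Alert]:
    """Scan an iterable of log lines and return all alerts in order."""
    alerts: list[Alert] = []
    for n, line in enumerate(lines, 1):
        alerts.extend(scan_line(n, line))
    return alerts


def devices_to_isolate(alerts) -> list[str]:
    """Devices that reached a known C2 domain: candidates for step 10 (isolate and reset)."""
    return sorted({a.device for a in alerts if a.reason.endswith("known-c2")})


# Constructed sample log. 203.0.113.7 is a documentation address (TEST-NET-3).
SAMPLE_LOG = [
    "2025-11-01T08:00:01Z dev=phone-017 type=dns qname=ping.ynrkone.top.",
    "2025-11-01T08:00:02Z dev=phone-017 type=flow dst=ping.ynrkone.top dport=8181",
    "2025-11-01T08:00:05Z dev=phone-042 type=dns qname=updates.example.com",
    "2025-11-01T08:00:09Z dev=phone-042 type=flow dst=203.0.113.7 dport=8989",
    "2025-11-01T08:01:13Z dev=phone-088 type=dns qname=cdn.foundzd.vip",
    "this line does not match the expected format and is ignored",
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"line {a.line_no}: {a.reason} device={a.device} evidence={a.evidence}")
    print("isolate:", devices_to_isolate(scan_log(SAMPLE_LOG)))
```

The domain match deliberately covers subdomains of each indicator but not parent domains, so `ynrkone.top` on its own is not flagged while `cdn.foundzd.vip` is. A port-only hit on an unknown destination is reported under a different reason than a known-C2 contact, so the triage queue can weight the two differently rather than treating every 8181/8989 connection as a confirmed infection.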

For professionals in the Middle East and Africa, where mobile banking and fintech adoption are rapidly increasing, such malware poses a growing threat. Cybercriminals are increasingly adapting their campaigns to exploit local financial platforms and crypto exchanges. Organizations should therefore emphasize continuous awareness training through platforms like Saintynet Training and maintain regular security audits via Saintynet Cybersecurity.

The Bigger Picture

Android/BankBot-YNRK exemplifies the next generation of mobile cybercrime: highly automated, financially motivated, and engineered to blend seamlessly into legitimate digital ecosystems. As both personal banking and cryptocurrency management continue to migrate to mobile platforms, security awareness and proactive defenses are no longer optional; they are critical.

According to Cyfirma’s investigation, this malware family remains active, with new variants expected. Security professionals and users alike must remain vigilant, update their devices, and treat every unfamiliar app request with caution.

Conclusion

Android/BankBot-YNRK is a stark reminder that the smartphone in your hand is as much a target as your corporate network. With its ability to manipulate device behavior, steal financial data, and mimic trusted apps, it represents a serious and evolving risk to both individuals and enterprises. Staying secure means staying informed through regular training, awareness, and a commitment to proactive mobile defense.

Ouaissou DEMBELE (http://cybercory.com)
Ouaissou DEMBELE is a seasoned cybersecurity expert with over 12 years of experience, specializing in purple teaming, governance, risk management, and compliance (GRC). He currently serves as Co-founder & Group CEO of Sainttly Group, a UAE-based conglomerate comprising Saintynet Cybersecurity, Cybercory.com, and CISO Paradise. At Saintynet, where he also acts as General Manager, Ouaissou leads the company’s cybersecurity vision—developing long-term strategies, ensuring regulatory compliance, and guiding clients in identifying and mitigating evolving threats. As CEO, his mission is to empower organizations with resilient, future-ready cybersecurity frameworks while driving innovation, trust, and strategic value across Sainttly Group’s divisions. Before founding Saintynet, Ouaissou held various consulting roles across the MEA region, collaborating with global organizations on security architecture, operations, and compliance programs. He is also an experienced speaker and trainer, frequently sharing his insights at industry conferences and professional events. Ouaissou holds and teaches multiple certifications, including CCNP Security, CEH, CISSP, CISM, CCSP, Security+, ITILv4, PMP, and ISO 27001, in addition to a Master’s Diploma in Network Security (2013). Through his deep expertise and leadership, Ouaissou plays a pivotal role at Cybercory.com as Editor-in-Chief, and remains a trusted advisor to organizations seeking to elevate their cybersecurity posture and resilience in an increasingly complex threat landscape.
