Advanced Android Malware Threats Exploit Financial Data

A new Android malware dubbed BankBot YNRK has been identified as one of the most advanced financial threats currently circulating. Once it is on a device it silences the phone and begins harvesting banking credentials and cryptocurrency wallet data. What sets it apart is that it not only captures what is displayed in banking apps but can also carry out cryptocurrency transactions on its own, without any user interaction. It hides inside apps that look legitimate, often masquerading as official digital ID tools, which helps it avoid suspicion from users and detection by security tooling.

Researchers at Cyfirma have analyzed samples of the malware and found that it first fingerprints the device, collecting the brand and model along with the list of installed apps. It checks the model against a list of known handsets, which lets it tell real phones from the emulators used in automated security analysis, and it maps known models to screen resolutions so that its on-screen actions can be tailored to the specific phone. To look legitimate, it changes its app name and icon and loads the real news.google.com site inside a WebView. While the victim sees what appears to be a genuine app, the malware's background services are already running.

One of its first actions is to mute audio and notification alerts, so the victim does not hear incoming messages, alarms, or calls that might signal unusual account activity. It then requests access to Accessibility Services. Once granted, the malware can interact with the phone's interface as if it were the user: pressing buttons, scrolling through screens, and reading everything displayed on the device. BankBot YNRK also registers itself as a Device Administrator app; an active device admin cannot be uninstalled until the victim deactivates it in Settings, which makes removal harder, and the privilege helps the malware restart itself after a reboot. It also schedules recurring background jobs that relaunch it every few seconds for as long as the phone has an internet connection.

Once activated, the malware gains near-complete control of the phone. It sends the device information and installed-app list to the attackers and receives in return a list of financial apps to target, including major banking apps used in Vietnam, Malaysia, Indonesia, and India as well as several global cryptocurrency wallets. With Accessibility permission it reads everything shown on the screen, capturing UI metadata such as text, view IDs, and button positions. Using that data it can enter login details, swipe through menus, or confirm transfers. It can also set text inside input fields, install or remove apps, take photos, send SMS, enable call forwarding, and open banking apps in the background while the screen appears inactive.
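As an added illustration (not code from the Cyfirma analysis or from the malware itself), the following Python script shows what the UI metadata described above looks like and how little of it is needed to drive an app. It parses an XML view dump in the format produced by `adb shell uiautomator dump`, which exposes the same text, resource IDs, and bounds that an Accessibility service sees through AccessibilityNodeInfo, and computes the screen coordinate a tap on the "Confirm" button would target. The dump, the package name com.example.bank, and the view IDs are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of a uiautomator-style view dump for a hypothetical
# banking app (com.example.bank) on a transfer-confirmation screen.  Real
# dumps carry more attributes, but these are the ones that matter here.
SAMPLE_DUMP = """<?xml version='1.0' encoding='UTF-8' standalone='yes' ?>
<hierarchy rotation="0">
  <node index="0" text="" resource-id="" class="android.widget.FrameLayout"
        package="com.example.bank" bounds="[0,0][1080,2340]" clickable="false">
    <node index="0" text="Transfer 1,500.00 to ACME LTD"
          resource-id="com.example.bank:id/summary" class="android.widget.TextView"
          package="com.example.bank" bounds="[48,300][1032,420]" clickable="false" />
    <node index="1" text="" resource-id="com.example.bank:id/otp"
          class="android.widget.EditText" package="com.example.bank"
          bounds="[48,600][1032,720]" clickable="true" />
    <node index="2" text="Confirm" resource-id="com.example.bank:id/confirm"
          class="android.widget.Button" package="com.example.bank"
          bounds="[48,900][1032,1020]" clickable="true" />
  </node>
</hierarchy>
"""

BOUNDS_RE = re.compile(r"\[(\d+),(\d+)\]\[(\d+),(\d+)\]")


def parse_nodes(xml_text):
    """Flatten the view tree into dicts holding the attributes an
    Accessibility-driven bot needs: text, view ID, class, clickability
    and on-screen bounds (left, top, right, bottom in pixels)."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    nodes = []
    for el in root.iter("node"):
        m = BOUNDS_RE.fullmatch(el.get("bounds", ""))
        nodes.append({
            "text": el.get("text", ""),
            "id": el.get("resource-id", ""),
            "cls": el.get("class", ""),
            "clickable": el.get("clickable") == "true",
            "bounds": tuple(int(v) for v in m.groups()) if m else None,
        })
    return nodes


def visible_text(nodes):
    """Everything a screen reader (or malware) can read off the screen."""
    return [n["text"] for n in nodes if n["text"]]


def find_node(nodes, resource_id=None, text=None):
    """Locate a view by its stable resource ID or, failing that, by label."""
    for n in nodes:
        if resource_id and n["id"] == resource_id:
            return n
    for n in nodes:
        if text and n["text"] == text:
            return n
    return None


def tap_point(node):
    """Centre of the node's bounds: the coordinate a synthetic tap targets."""
    left, top, right, bottom = node["bounds"]
    return ((left + right) // 2, (top + bottom) // 2)


if __name__ == "__main__":
    nodes = parse_nodes(SAMPLE_DUMP)
    print("on-screen text:", visible_text(nodes))
    confirm = find_node(nodes, resource_id="com.example.bank:id/confirm")
    print("tap Confirm at:", tap_point(confirm))
```

Against a real handset, `adb shell uiautomator dump /sdcard/ui.xml` followed by `adb pull /sdcard/ui.xml` produces the input, and `adb shell input tap X Y` with the returned coordinates reproduces from the outside the click the malware performs from inside. The transfer summary and the empty OTP field are both in plain text in the dump, which is why Accessibility access is such a sensitive grant.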

Inside cryptocurrency wallets the malware behaves like an automated bot, opening apps such as Exodus or MetaMask to read balances and seed phrases, dismissing biometric prompts, and carrying out transactions. Because every action is performed through Accessibility, the attacker never needs the victim's passwords or PINs: anything visible on the screen is enough. The malware also monitors the clipboard, so any OTP, account number, or crypto key the user copies is sent to the attackers immediately. With call forwarding enabled, incoming bank verification calls can be silently redirected. All of this can happen within seconds of the malware activating.

Banking trojans are becoming more sophisticated and harder to detect, but experts have outlined several steps users can take to protect themselves. These include using reputable mobile security software that can catch suspicious behavior, never installing APKs from untrusted sources, and regularly reviewing installed apps for anything unfamiliar. Experts also recommend turning on automatic updates for both the operating system and apps, since updates patch the security issues attackers exploit. Other measures include using a password manager to create long, unique passwords for each account and enabling 2FA; since this malware reads the screen and clipboard and can redirect calls, an authenticator app or hardware key is a safer second factor than a code delivered by SMS or voice call.

Users should also be wary of apps that request unusual permissions such as Accessibility or Device Admin, which grant deep control over the phone; a digital ID or news app has no legitimate need for either. Regularly reviewing which apps hold these permissions and uninstalling any that are not recognized significantly reduces the risk of unauthorized access. If a malicious app blocks the Settings screen, rebooting into Safe Mode stops third-party apps from running so that the permission can be revoked and the app removed. Additionally, users should be aware that data brokers collecting and selling personal information make them easier to target; limiting the amount of personal data available online reduces the likelihood of being singled out by scammers or malware.
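To turn the advice in this paragraph and the earlier description of the Accessibility and Device Admin grabs into a concrete check, here is an added Python triage script (not from the article or from Cyfirma). It takes the raw values of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of package/service components, or `null`) and of `adb shell dumpsys device_policy`, and flags any package outside an allowlist that holds either privilege, singling out packages that hold both, the combination BankBot YNRK relies on. The sample outputs, the allowlists, and the package com.example.idcard are constructed; the dumpsys parser assumes the `ComponentInfo{package/class}` entries printed under "Enabled Device Admins" and may need adjusting for other Android versions.

```python
import re
import subprocess

# Constructed outputs, not captured from a real device.  com.example.idcard
# plays the part of the fake digital-ID app described in the article.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.idcard/com.example.idcard.svc.AccService"
)

SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.google.android.gms/com.google.android.gms.mdm.receivers.MdmDeviceAdminReceiver}:
      uid=10035
      policies:
        wipe-data
    ComponentInfo{com.example.idcard/com.example.idcard.svc.AdminReceiver}:
      uid=10221
      policies:
        force-lock
        wipe-data
"""

# Packages expected to hold each privilege on this particular device or
# fleet.  These sets are illustrative; build them from a known-good device.
A11Y_ALLOW = {"com.google.android.marvin.talkback"}
ADMIN_ALLOW = {"com.google.android.gms"}

# Assumed dumpsys format: each active admin appears as ComponentInfo{pkg/class}.
COMPONENT_RE = re.compile(r"ComponentInfo\{([^/}]+)/[^}]+\}")


def enabled_accessibility_packages(setting_value):
    """Package names from the enabled_accessibility_services setting,
    which is 'pkg/Service:pkg2/Service2' or 'null' when nothing is enabled."""
    if setting_value is None or setting_value.strip() in ("", "null"):
        return []
    pkgs = []
    for component in setting_value.strip().split(":"):
        if "/" in component:
            pkgs.append(component.split("/", 1)[0])
    return pkgs


def active_device_admins(dumpsys_text):
    """Package names of every active device admin, in order, without duplicates."""
    seen, pkgs = set(), []
    for pkg in COMPONENT_RE.findall(dumpsys_text):
        if pkg not in seen:
            seen.add(pkg)
            pkgs.append(pkg)
    return pkgs


def triage(setting_value, dumpsys_text, a11y_allow=A11Y_ALLOW, admin_allow=ADMIN_ALLOW):
    """Packages holding sensitive privileges that are not on the allowlists.
    'both' is the Accessibility + Device Admin combination the trojan uses."""
    a11y = set(enabled_accessibility_packages(setting_value)) - a11y_allow
    admins = set(active_device_admins(dumpsys_text)) - admin_allow
    return {
        "accessibility": sorted(a11y),
        "device_admin": sorted(admins),
        "both": sorted(a11y & admins),
    }


def collect_from_device():
    """Pull both inputs from a connected handset (requires adb on PATH)."""
    def adb(*args):
        return subprocess.check_output(["adb", "shell", *args], text=True)
    return (adb("settings", "get", "secure", "enabled_accessibility_services"),
            adb("dumpsys", "device_policy"))


if __name__ == "__main__":
    # Swap in collect_from_device() to run against a real phone.
    for kind, pkgs in triage(SAMPLE_A11Y, SAMPLE_DPM).items():
        print(f"{kind:>13}: {', '.join(pkgs) or '-'}")
```

An app that shows up under both headings should be treated as hostile until proven otherwise. Note that `adb shell pm uninstall` fails while the package is an active device admin, so deactivate it under the device admin apps entry in Settings (from Safe Mode if the app blocks that screen) before uninstalling.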

Ultimately, staying safe from Android malware like BankBot YNRK requires a combination of proactive measures and regular vigilance. Users must remain informed about the latest threats and take steps to protect their personal information. By following these tips, users can effectively reduce their risk of falling victim to sophisticated malware attacks and safeguard their financial data.