
Cybersecurity researchers have uncovered two different Android Trojans called BankBot-YNRK and DeliveryRAT that can collect sensitive data from compromised devices.
According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware has built-in functionality to evade analysis efforts by first checking for execution within a virtualized or emulated environment and then extracting device details such as manufacturer and model name to confirm whether it is running on a real device.
BankBot-YNRK also checks whether the device is manufactured by Oppo or runs on ColorOS, a version of the Android operating system used in devices manufactured by Chinese original equipment manufacturers (OEMs).
“The malware also includes logic to identify specific devices,” CYFIRMA said. “It verifies whether the device is a Google Pixel or Samsung device and checks if the model is included in a predefined list of recognized or supported models. This allows the malware to apply device-specific features and optimizations only to the targeted device, while avoiding running on unrecognized models.”
The names of the APK packages that distribute the malware are:
com.westpacb4a.payqingynrk1b4a
com.westpacf78.payqingynrk1f78
com.westpac91a.payqingynrk191a
All three apps are named “IdentitasKependudukanDigital.apk” and may be attempting to impersonate a legitimate Indonesian government app called “Identitas Kependudukan Digital.”
Once installed, the malicious app is designed to collect device information and set the volume of various audio streams such as music, ringtones, and notifications to zero, preventing affected victims from receiving incoming calls, messages, and other in-app notifications.

It also establishes communication with a remote server (“ping.ynrkone[.]top”) and supports an “OPEN_ACCESSIBILITY” command that prompts the user to enable accessibility services, which the malware then abuses to gain elevated privileges or perform malicious actions.
However, this malware can only target Android devices running version 13 or lower. Android 14, released in late 2023, introduced new security features that prevent apps from using accessibility services to automatically request or grant additional permissions.
“Until Android 13, apps could bypass permission requests through accessibility features, but in Android 14 this behavior is no longer possible and users must grant permissions directly through the system interface,” CYFIRMA said.
BankBot-YNRK leverages Android’s JobScheduler service to establish persistence on the device to ensure it starts after reboot. It also supports a wide range of commands to gain device administrator privileges, manage apps, interact with the device, redirect incoming calls using MMI codes, take photos, perform file operations, collect contacts, SMS messages, location, list of installed apps, and clipboard contents.
Other features of this malware include:
- Programmatically impersonates Google News by replacing the app’s name and icon and launching “news.google”[.]
- Captures screen content via WebView and reconstructs the “skeleton UI” of application screens, such as banking apps, to facilitate credential theft
- Abuses accessibility services to open cryptocurrency wallet apps from a predefined list, collect sensitive data and initiate fraudulent transactions
- Automates UI actions
- Obtains a list of 62 targeted financial apps
- Acts as a device administrator app in its own right, displaying an overlay message claiming that personal information is being verified while performing malicious actions such as requesting additional permissions or adding additional
“BankBot-YNRK exhibits a comprehensive set of capabilities aimed at maintaining long-term access, stealing financial data, and conducting fraudulent transactions on compromised Android devices,” CYFIRMA said.

This disclosure comes after F6 revealed that threat actors are distributing an updated version of DeliveryRAT targeting Android device owners in Russia under the guise of food delivery services, marketplaces, banking services, and package tracking applications. The mobile threat is assessed to have been active since mid-2024.
According to the Russian cybersecurity company, the malware is promoted on a malware-as-a-service (MaaS) model through a Telegram bot named Bonvi Team, where users can access APK files or links to phishing pages that distribute the malware.
Victims are then approached on messaging apps such as Telegram and asked to download the malicious app, either to track an order from a fake marketplace or as part of a remote employment opportunity. Regardless of the lure, the app requests access to notifications and battery optimization settings, collects sensitive data, and can keep running in the background without being terminated.

In addition, the malicious app can access SMS messages and call logs, and hide its own icon from the home screen launcher, making it difficult for non-technical users to remove it from their devices.
Some iterations of DeliveryRAT can also perform distributed denial-of-service (DDoS) attacks by making simultaneous requests to URLs sent from an external server, and can trigger the malicious activity either through URLs sent to the device or by tricking users into scanning a QR code.
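As an added defensive illustration (not code from CYFIRMA, F6 or the article), the following Python script triages a decoded AndroidManifest.xml for the manifest-level traces of the capabilities described above for both families: accessibility and device-administrator components, JobScheduler persistence, SMS, contact and call-log access, and the package prefix and app label of the BankBot-YNRK samples. The sample manifest, the scoring threshold and the indicator names are constructed assumptions.

```python
import xml.etree.ElementTree as ET
A = "{http://schemas.android.com/apk/res/android}"  # namespace of android: attributes
COMPONENT_PERMS = {  # component permissions behind the capabilities the article describes
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
    "android.permission.BIND_DEVICE_ADMIN": "device administrator",
    "android.permission.BIND_JOB_SERVICE": "JobScheduler persistence",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification access",
}
DATA_PERMS = {  # runtime permissions behind the data theft described for both families
    "android.permission.READ_SMS": "SMS read",
    "android.permission.READ_CALL_LOG": "call log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECEIVE_BOOT_COMPLETED": "boot persistence",
}
KNOWN_PKG_PREFIX = "com.westpac"  # prefix shared by the three package names CYFIRMA listed
KNOWN_LABEL = "IdentitasKependudukanDigital"  # impersonated Indonesian government app

def triage_manifest(xml_text: str) -> dict:
    """Return the indicators found in a decoded AndroidManifest.xml and their count."""
    root = ET.fromstring(xml_text)
    pkg = root.get("package", "")
    hits = set()
    if pkg.startswith(KNOWN_PKG_PREFIX):
        hits.add("known package prefix")
    app = root.find("application")
    if app is not None and KNOWN_LABEL in (app.get(A + "label") or ""):
        hits.add("impersonates Identitas Kependudukan Digital")
    for p in root.iter("uses-permission"):
        if (name := p.get(A + "name", "")) in DATA_PERMS:
            hits.add(DATA_PERMS[name])
    # Accessibility and job services are <service>; device-admin receivers are <receiver>.
    for comp in list(root.iter("service")) + list(root.iter("receiver")):
        if (perm := comp.get(A + "permission", "")) in COMPONENT_PERMS:
            hits.add(COMPONENT_PERMS[perm])
    return {"package": pkg, "indicators": sorted(hits), "score": len(hits)}

def is_suspicious(result: dict, threshold: int = 4) -> bool:
    """Escalate for analyst review when several indicators co-occur (threshold is an assumption)."""
    return result["score"] >= threshold
# Constructed sample manifest for demonstration, not recovered from a real sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.westpacb4a.payqingynrk1b4a">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="IdentitasKependudukanDigital">
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Job" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <receiver android:name=".Adm" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""
```

Run it against manifests decoded with a tool such as apktool; a high score is a cue for manual review, not proof of infection, since legitimate accessibility or device-admin apps also declare these components.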
The discovery of the two Android malware families is consistent with a Zimperium report that found more than 760 Android apps since April 2024 that exploit near-field communication (NFC) to illegally capture and send payment data to remote attackers.
These fake apps, disguised as financial applications, leverage Android’s host-based card emulation (HCE) to steal contactless credit card and payment data while prompting users to set it as their default payment method.
The information is relayed to Telegram channels or dedicated eavesdropping apps operated by threat actors. Stolen NFC data can be used to almost instantly withdraw funds from a user’s account or make purchases at a point of sale (PoS) terminal.
“About 20 institutions have been impersonated, primarily Russian banks and financial services, but also organizations in Brazil, Poland, the Czech Republic and Slovakia,” the mobile security company said.
