Millions at Risk as New Android Banking Trojans Spread Fast
Cybersecurity experts are warning Android users about two newly uncovered malware strains—BankBot-YNRK and DeliveryRAT—that disguise themselves as legitimate apps to steal sensitive information.
These Trojans have been linked to large-scale attacks targeting financial data, mobile banking apps, and digital wallets across multiple countries.
BankBot-YNRK Targets Banking and Crypto Apps
Researchers at CYFIRMA discovered that BankBot-YNRK hides inside counterfeit apps named IdentitasKependudukanDigital.apk, posing as Indonesia’s official digital identity app. Once installed, the malware immediately silences alerts and notifications, preventing victims from noticing suspicious activity.
The Trojan then collects device data, including the model, manufacturer, and operating system, and connects to a command-and-control server for further instructions. It can steal contacts, text messages, locations, clipboard contents, and stored login credentials.
Using Android’s accessibility services, it gains elevated privileges that allow it to monitor user activity, record on-screen data, and even take photos or videos without consent.

Fig 1. The permissions the BankBot-YNRK trojan has access to. (Source: CYFIRMA)
BankBot-YNRK is designed to specifically target financial platforms, including over 60 banking and cryptocurrency apps. It can overlay fake login screens, capture credentials, and automate unauthorized transactions. The malware also uses Android’s JobScheduler to ensure it restarts automatically after a reboot, maintaining long-term access to infected devices.
Devices running Android 13 or earlier are most vulnerable. Android 14, released in late 2023, introduced stronger controls that prevent apps from exploiting accessibility permissions for malicious purposes—a change that helps block this Trojan’s primary method of attack.
DeliveryRAT Spreads Through Fake Services
The second major threat, DeliveryRAT, is being distributed primarily across Russia through counterfeit parcel-tracking, food delivery, banking, and marketplace apps. Researchers from security firm F6 report that the malware is sold under a malware-as-a-service (MaaS) model via a Telegram bot known as “Bonvi Team.”
Attackers convince victims on messaging platforms to download these fake apps, often claiming they are needed to track packages or apply for remote jobs. Once installed, the apps request permission to access notifications, SMS messages, and battery settings—allowing the malware to operate quietly in the background.

Fig 2. DeliveryRAT requesting access to permissions. (Source: F6)
DeliveryRAT hides its app icon to avoid detection and is capable of collecting personal communications, contact lists, and call logs. Some variants can even perform distributed denial-of-service (DDoS) attacks by sending repeated requests to targeted websites, taking them offline.
Growing Trend of Mobile Payment Scams
Both malware families are part of a broader surge in Android attacks that exploit fake apps to steal financial data. A separate investigation by Zimperium identified over 760 fraudulent Android apps since April 2024 that misuse near-field communication (NFC) payment technology. These fake payment and banking apps prompt users to set them as default payment methods, allowing attackers to intercept contactless card data and drain accounts.
Affected regions include Russia, Brazil, Poland, the Czech Republic, and Slovakia, but experts warn similar tactics could spread globally.
To stay protected, users should avoid downloading apps from links shared over text or social media, check developer information carefully, keep their devices updated to the latest Android version, and protect their devices with a trusted antivirus like Certo AntiSpy. With banking and digital payments now central to everyday life, securing mobile devices is more critical than ever.
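The permission patterns described above can be checked before an app is ever installed. The following is an added example, not code from CYFIRMA, F6 or Zimperium: it scans a decoded AndroidManifest.xml (as a tool such as apktool produces) for the system hooks the article mentions. The sample manifest, the capability labels and the scoring rule are constructed assumptions.

```python
import xml.etree.ElementTree as ET  # for untrusted APKs, prefer a hardened parser such as defusedxml

A = "{http://schemas.android.com/apk/res/android}"
# <uses-permission> entries tied to behaviour the article describes (labels are ours).
USES = {
    "android.permission.READ_SMS": "sms_access",
    "android.permission.RECEIVE_SMS": "sms_access",
    "android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS": "battery_exemption",
    "android.permission.RECEIVE_BOOT_COMPLETED": "starts_after_reboot",
}
# Permission guarding a declared <service>: the app implements that system hook.
BINDS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
    "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE": "notification_listener",
    "android.permission.BIND_JOB_SERVICE": "job_scheduler",
    "android.permission.BIND_NFC_SERVICE": "nfc_card_emulation",
}
STRONG = {"accessibility_service", "notification_listener", "sms_access", "nfc_card_emulation"}

def triage_manifest(xml_text):
    """Map each capability found to the permissions or service classes that declare it."""
    root, found = ET.fromstring(xml_text), {}
    for perm in root.iter("uses-permission"):
        label = USES.get(perm.get(A + "name", ""))
        if label:
            found.setdefault(label, []).append(perm.get(A + "name"))
    for svc in root.iter("service"):
        label = BINDS.get(svc.get(A + "permission", ""))
        if label:
            found.setdefault(label, []).append(svc.get(A + "name", "?"))
    return found

def verdict(found):
    """Constructed rule: two or more strong signals together warrant manual analysis."""
    if len(STRONG.intersection(found)) >= 2:
        return "high"
    return "review" if found else "clean"

# Constructed sample: a fake parcel tracker asking for SMS, notifications and battery exemption.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.tracker">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_IGNORE_BATTERY_OPTIMIZATIONS"/>
  <application>
    <service android:name=".NotifySvc"
             android:permission="android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    hits = triage_manifest(SAMPLE)
    print(verdict(hits), hits)
```

Legitimate apps also declare some of these hooks, so a "high" result is a prompt for manual analysis of the APK and its developer details, not proof of malware.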