
Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices.

According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis: it first checks whether it is running within a virtualized or emulated environment, then extracts device details such as the manufacturer and model name to ascertain whether it is being executed on a real device.

BankBot-YNRK also checks whether the device is manufactured by Oppo or is running ColorOS, the version of Android used on devices made by that Chinese original equipment manufacturer (OEM).

“The malware also includes logic to identify specific devices,” CYFIRMA said. “It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or supported models. This allows the malware to apply device-specific functionality or optimizations only on targeted devices while avoiding execution on unrecognized models.”

The package names of the APKs distributing the malware are listed below. All three apps go by the file name “IdentitasKependudukanDigital.apk,” which appears to be an attempt to impersonate the legitimate Indonesian government app “Identitas Kependudukan Digital.”

  • com.westpacb4a.payqingynrk1b4a
  • com.westpacf78.payqingynrk1f78
  • com.westpac91a.payqingynrk191a

Once installed, the malicious apps harvest device information and set the volume of various audio streams (music, ringtone, and notifications) to zero so that the victim is not alerted to incoming calls, messages, and other in-app notifications.


It also establishes communication with a remote server (“ping.ynrkone[.]top”) and, upon receiving the “OPEN_ACCESSIBILITY” command, urges the user to enable accessibility services, which it relies on to gain elevated privileges and carry out its malicious actions.

The malware, however, can only target Android devices running version 13 and below, as Android 14, released in late 2023, introduced a security feature that prevents accessibility services from being used to automatically request or grant an app additional permissions.

“Until Android 13, apps could bypass permission requests through accessibility features; however, with Android 14, this behavior is no longer possible, and users must grant permissions directly through the system interface,” CYFIRMA said.

BankBot-YNRK leverages Android’s JobScheduler service to establish persistence on the device and ensure it’s launched after a reboot. It also supports a wide range of commands to gain device administrator privileges, manage apps, interact with the device, redirect incoming calls using MMI codes, take photos, perform file operations, and harvest contacts, SMS messages, locations, lists of…
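As an added example (not code from the article or from CYFIRMA), the following Python triage helper scores extracted APK metadata against the indicators the article quotes (the package-name pattern, the impersonated app label, the C2 domain) and the capability profile it describes (accessibility abuse, device administration, SMS and contact harvesting, camera, reboot persistence). The permission mapping, the verdict threshold and the sample metadata are assumptions constructed for the example; the article does not list the APK's manifest permissions.

```python
import re

# Indicators quoted from the CYFIRMA write-up above.
C2_DOMAIN = "ping.ynrkone.top"
IMPERSONATED_LABEL = "identitaskependudukandigital"
PACKAGE_RE = re.compile(r"^com\.westpac[0-9a-f]{3}\.payqingynrk1[0-9a-f]{3}$")

# Editor's assumption: manifest permissions the reported capabilities normally need.
# BIND_* values sit on the <service>/<receiver> element, not in <uses-permission>,
# so a real extractor must collect both kinds into the 'permissions' list.
CAPABILITY_PERMISSIONS = {
    "accessibility_abuse": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "device_admin": {"android.permission.BIND_DEVICE_ADMIN"},
    "sms_harvest": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "contact_harvest": {"android.permission.READ_CONTACTS"},
    "camera": {"android.permission.CAMERA"},
    "reboot_persistence": {"android.permission.RECEIVE_BOOT_COMPLETED"},
}

def triage_apk(meta):
    """meta: dict with 'package', 'label', 'permissions', 'strings'. Returns (verdict, findings)."""
    findings = []
    if PACKAGE_RE.match(meta.get("package", "")):
        findings.append("ioc:package-name-pattern")
    if IMPERSONATED_LABEL in meta.get("label", "").replace(" ", "").lower():
        findings.append("ioc:impersonates-Identitas-Kependudukan-Digital")
    if any(C2_DOMAIN in s for s in meta.get("strings", [])):
        findings.append("ioc:c2-domain")
    declared = set(meta.get("permissions", []))
    caps = sorted(c for c, need in CAPABILITY_PERMISSIONS.items() if declared & need)
    findings.extend("cap:" + c for c in caps)
    hard_ioc = any(f.startswith("ioc:") for f in findings)
    # Heuristic threshold (editor's choice): accessibility plus device admin together
    # with at least three more harvesting/persistence capabilities.
    heavy = {"accessibility_abuse", "device_admin"} <= set(caps) and len(caps) >= 5
    verdict = "malicious" if hard_ioc else ("suspicious" if heavy else "benign")
    return verdict, findings

# Constructed sample metadata, not real extractor output.
SAMPLE_MALICIOUS = {
    "package": "com.westpacb4a.payqingynrk1b4a",
    "label": "Identitas Kependudukan Digital",
    "permissions": ["android.permission.BIND_ACCESSIBILITY_SERVICE",
                    "android.permission.BIND_DEVICE_ADMIN", "android.permission.READ_SMS",
                    "android.permission.READ_CONTACTS", "android.permission.CAMERA",
                    "android.permission.RECEIVE_BOOT_COMPLETED"],
    "strings": ["https://ping.ynrkone.top/api", "OPEN_ACCESSIBILITY"],
}
SAMPLE_BENIGN = {"package": "com.example.notes", "label": "Notes",
                 "permissions": ["android.permission.INTERNET"], "strings": []}
```

A hard indicator match yields "malicious" on its own; the capability profile alone only raises "suspicious", since legitimate accessibility or device-admin apps declare some of the same permissions.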



Last Update: November 3, 2025