Investigation Report: Android/BankBot-YNRK Mobile Banking Trojan

Published On : 2025-10-29

Executive Summary

This report covers the analysis and findings related to three Android application packages (APKs) assessed for malicious behavior. The objective of this assessment was to determine whether the samples exhibited any malicious functionality, assess their potential impact on mobile devices or user data, and identify indicators of compromise (IOCs) relevant to the client’s environment. Each sample was examined using static and dynamic analysis techniques. Detailed behavioral findings and technical indicators are provided in the subsequent sections of this report.

File Details:

1. File name: IdentitasKependudukanDigital.apk
File size: 23.88 MB (25039234 bytes)
SHA-256: cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c

2. File name: identitaskependudukandigital.apk
File size: 23.88 MB (25039234 bytes)
SHA-256: 19456fbe07ae3d5dc4a493bac27921b02fc75eaa02009a27ab1c6f52d0627423

3. File name: identitaskependudukandigital.apk
File size: 23.88 MB (25039230 bytes)
SHA-256: a4126a8863d4ff43f4178119336fa25c0c092d56c46c633dc73e7fc00b4d0a07

All three file names imitate Identitas Kependudukan Digital (IKD), the Indonesian government's official digital identity app, which is consistent with the Indonesian-language overlay and the Indonesian banking apps targeted later in this report.

Assessment

All three APK samples were identified as variants of the same malware family, which we have designated as Android/BankBot-YNRK, based on similarities in code structure, package naming conventions, and command-and-control (C2) communication patterns. Static and dynamic analyses were conducted to identify shared components, variant-specific modifications, and behavioral characteristics.

The following sections describe the results of the code analysis, focusing on the core malicious functionalities, permissions, and embedded network indicators observed across the samples.

Code Analysis:

We examined the decompiled APKs to identify malicious logic, hard-coded strings, and reused code patterns characteristic of the malware family.

Environmental Detection:

The malware specimen exhibits environment detection capabilities designed to determine whether it is operating within a virtualized or emulated environment. This functionality is typically used to evade dynamic analysis and hinder detection by automated sandbox systems.

During initialization, the code inspects device attributes such as manufacturer and model identifiers (e.g., Huawei, Honor, or emulator-specific strings) to assess whether it is running on a real device or within an emulator. Based on the detection result, the malware dynamically adds different “handler” or “checker” objects to a list (arrayList), which are subsequently stored in a static variable (f13205OOOO) for later use during runtime. This behavior is characteristic of anti-emulation techniques commonly employed to evade analysis in sandboxed or virtualized environments.

Environment detection functionality

The O0oO() method performs manufacturer and ROM verification to determine whether the Android device belongs to the OPPO ecosystem. Specifically, it checks whether the device is manufactured by OPPO, branded as OPPO or Realme, or running an OPPO-based ROM such as ColorOS. This logic is typically used for environment profiling or device-specific behavior control within the malware’s execution flow:

Device identification

The malware also includes logic to identify specific devices. It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or supported models. This allows the malware to apply device-specific functionality or optimizations only on targeted devices while avoiding execution on unrecognized models:

The malware implements a device-specific detection mechanism using a hash map that associates known device models with their corresponding screen resolutions. The hash map, stored in a static variable (f192OOOO), includes a range of Android devices from multiple manufacturers such as Xiaomi (Redmi), Samsung, Vivo, Oppo/Realme, Nokia, and Infinix. Each entry maps a device model string to its display resolution, allowing the malware to identify the device at runtime and potentially tailor its behavior based on the device type. This approach is commonly used for device targeting or to evade execution on unrecognized or unsupported devices, ensuring that malicious functionality is executed only on specific models.

Device identification using hash-map

Device data logging:

The method logDeviceInfo(String str) is used by the malware to collect and record detailed information about the infected device. It logs attributes such as the Android SDK version, OS release, brand, device name, build ID, hardware identifier, manufacturer, model, and product name. This data is captured through Android’s Build class and passed to a logging function (Logging.m73d) for storage or reporting. Such functionality constitutes device data logging, allowing the malware to profile the environment, tailor its behavior for specific devices, and potentially evade analysis on unrecognized or unsupported devices.

Logging device data

Obfuscation:

The samples are obfuscated with the "nmm-protect" obfuscation tool, which renames identifiers and makes static analysis and reverse engineering more difficult; the meaningless names such as O0oO() and f13205OOOO quoted above are a symptom of this:

nmm-protect package

Audio and Notification Suppression:

The malware includes functionality to silence the infected device by muting various audio streams. Upon resuming its activity, the code retrieves the system’s AudioManager and sets the volume of multiple streams—including music, ringtone, and notifications—to zero. This effectively disables audible alerts on the device, preventing the user from noticing incoming calls, messages, or other notifications. Such behavior is often employed to avoid user detection, ensuring that the malware can execute its payload or other malicious routines without drawing attention.

Audio/notification suppression capability

Accessibility-Based Permission Abuse (Android ≤ 13):

The malware is capable of receiving an “OPEN_ACCESSIBILITY” command from its command-and-control (C2) server. Upon receiving this command, it programmatically redirects the user to the device’s Accessibility Settings, prompting them to enable the malware’s accessibility service. By leveraging this mechanism, the malware can gain elevated privileges, including the ability to automatically interact with the device interface, bypass certain permission restrictions, and perform actions without direct user input. This technique is commonly observed in Android malware that abuses accessibility features to escalate permissions and maintain persistence.

C2 command to open accessibility settings

Intent to open accessibility settings

The malware only attempts this on Android 13 and earlier, where its accessibility service, once enabled, can grant the remaining permissions on its own behalf.

Android 13 introduced "restricted settings", which prevent a sideloaded app's accessibility service from being enabled through the normal settings toggle until the user explicitly allows it from the app's info page, and Android 14 tightens these controls further. On current devices the automatic, accessibility-driven permission grants the malware relies on therefore no longer work, which is why the sample gates this behaviour on the OS version and why keeping devices on Android 14 or later is one of the more effective mitigations listed at the end of this report.

Persistence:

The malware implements persistence on the infected device using Android’s JobScheduler service. Upon starting, it schedules a recurring job (JobHandlerService) with a minimum latency and backoff period of 30 seconds, requiring a network connection to execute. The job is marked as persisted, ensuring that it remains scheduled even after device reboots. This mechanism allows the malware to maintain continuous operation on the device, automatically restarting its service at regular intervals and ensuring that its malicious routines are executed consistently without user intervention.

Persistence via job scheduler

C2 commands:

The malware is capable of receiving a wide range of commands from its C2 (command-and-control) server, enabling comprehensive remote control over the infected device. These commands allow the malware to perform operations such as:

  • Application management: install APKs, uninstall apps, refresh screens, and open apps.
  • Device interaction: unlock the screen, navigate home/back/recents/notifications, wake ("light") or turn off the screen, and simulate clicks, swipes, and gestures.
  • Accessibility and system control: enable or disable accessibility services, set device admin privileges, and set the input method (IME).
  • Data exfiltration: retrieve contacts, SMS messages, installed apps, device status, and location.
  • Communication manipulation: enable call forwarding, cancel call forwarding, and send SMS.
  • Media and UI operations: take photos, hide floating windows or screen masks, and set text in input fields.
  • File operations: download files and execute the "unload" or "cancel unload" routines.

Supported C2 commands

By leveraging these commands, the malware can dynamically control the device, perform surveillance, manipulate the system interface, and maintain persistence, all under remote instruction from the attacker. This wide command set demonstrates the malware’s versatility and its focus on full device compromise.

Clipboard Data Access:

The malware accesses and captures the Android device’s clipboard content, potentially extracting sensitive information. It may silently steal data such as passwords, cryptocurrency keys, or other personal information without the user’s knowledge or consent.

Call Forwarding:

Upon receiving the "CALL_FORWARD" command, the malware enables call forwarding by building an MMI string from the service code "21", the attacker-supplied number, and a trailing "#" (i.e., 21*{str}#). Service code 21 is the GSM supplementary-service code for unconditional call forwarding (dialled as *21*<number>#), so dialling the resulting string silently diverts every incoming call, including voice-delivered OTPs and bank verification call-backs, to the attacker-controlled number without the user's knowledge or consent.

Call Forwarding capability
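
Because the forwarding command is just a dial string, it can be spotted in call logs, hooked dial intents, or USSD captures. The following parser is an added example written for this report, not code from the sample or its authors. It classifies the whole GSM call-forwarding MMI family (3GPP TS 22.030 service codes 21, 67, 61, 62, 002 and 004 with the *, **, #, ## and *# procedure prefixes), which goes beyond the single 21*{str}# form the sample builds. Treating the bare, prefix-less form quoted above as an activation is an assumption made here, since the report does not show the complete string.

```python
import re

# 3GPP TS 22.030 supplementary-service codes for the call-forwarding family.
FORWARDING_SERVICES = {
    "21": "unconditional",
    "67": "busy",
    "61": "no reply",
    "62": "not reachable",
    "002": "all forwarding",
    "004": "all conditional forwarding",
}

# Procedure prefix -> operation. A bare "21*<number>#" (the form quoted in the
# report) carries no prefix; treating it as activation is an assumption.
PROCEDURES = {"*": "activate", "**": "register", "#": "deactivate", "##": "erase", "*#": "interrogate"}

MMI_RE = re.compile(
    r"^(?P<proc>\*\*|\*#|##|\*|#)?"   # optional procedure prefix
    r"(?P<sc>\d{2,3})"                 # service code
    r"(?:\*(?P<num>\+?\d+))?"          # forward-to number (activate/register only)
    r"(?:\*(?P<bs>\d+))?"              # optional basic-service code (e.g. 11 = voice)
    r"#$"
)


def parse_call_forwarding_mmi(code):
    """Classify a dialled MMI string; return None if it is not a call-forwarding code."""
    m = MMI_RE.match(code.strip())
    if not m or m.group("sc") not in FORWARDING_SERVICES:
        return None
    operation = PROCEDURES[m.group("proc") or "*"]
    destination = m.group("num")
    return {
        "operation": operation,
        "condition": FORWARDING_SERVICES[m.group("sc")],
        "destination": destination,
        # Only activation or registration with a number actually redirects calls;
        # deactivation, erasure and interrogation never carry a destination.
        "diverts_calls": operation in ("activate", "register") and destination is not None,
    }


def find_call_diversions(dialled):
    """Given dial strings (from a call log or a hooked ACTION_CALL intent), return the ones that divert calls."""
    hits = []
    for s in dialled:
        info = parse_call_forwarding_mmi(s)
        if info and info["diverts_calls"]:
            hits.append((s, info["condition"], info["destination"]))
    return hits


if __name__ == "__main__":
    # Constructed dial strings; the numbers are placeholders.
    for s in ["*21*+6281234567#", "#21#", "*#21#", "21*08123#", "*#06#", "**61*0812*11#"]:
        print(s, "->", parse_call_forwarding_mmi(s))
    print(find_call_diversions(["*#21#", "*21*+6281234567#", "#21#"]))
```

A device whose call log contains an activation with a destination that the user never dialled is a strong sign that this command, or a similar call-control feature, has been executed; the matching cleanup is to dial ##002# (erase all forwarding) or to have the carrier reset the subscriber's forwarding settings.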

Device Admin Privileges:

The malware attempts to gain device administrator privileges on the Android device by first checking whether the app is already an active administrator. If it is not, the malware starts an intent that prompts the user to grant these permissions. Obtaining device admin rights allows the malware to perform high-level actions on the device, including preventing uninstallation, controlling certain system settings, and enhancing persistence.

Device Admin Intent

Screen and UI Data Exfiltration:

The malware continuously captures screen contents and extracts UI metadata—including view bounds, package identifiers, class names, view IDs, textual content, and accessibility descriptions—to reconstruct a structural representation of application screens such as banking apps. This reconstructed “skeleton UI” is then used to drive automated input and exfiltrate credentials. Potential consequences include credential compromise, fraudulent transactions, and persistent unauthorized access.

Skeleton view captures screen/UI data

Cryptocurrency and Wallet Targeting:

The malware functions as a controller for cryptocurrency wallets, programmatically opening the wallet app and interacting with its interface via Accessibility services. By automating UI actions and capturing on-screen content, it can extract sensitive information displayed in the wallet (e.g., seed phrases, private keys, or transaction confirmations) without the user’s consent. This capability enables unauthorized transactions, credential/key theft, and persistent fraudulent access to the victim’s crypto assets.

Metadata for a wallet automation module

The Kotlin-based wallet automation controller leverages Android’s Accessibility permission to programmatically interact with cryptocurrency wallet apps (e.g., Exodus). It can open the wallet, navigate the UI, read on-screen content, and perform automated input actions.

An autoCloseBiometrics flag controls behavior around biometric prompts—when enabled, the controller will automatically dismiss or interact with biometric dialogs (it does not access raw fingerprint or face data). While it cannot extract biometric templates, the component can scrape any sensitive information rendered in the UI (balances, transaction details, seed phrases/private keys if displayed) and perform transactions or other actions as if a user were operating the device. In short, the component functions as a wallet bot that automates and scrapes wallet interfaces via Accessibility, enabling stealthy data theft and unauthorized transactions.

Biometric prompts handling

It targets multiple cryptocurrencies and associated wallets, including:

  • Bitcoin
  • Valor
  • Exodus
  • Status: Ethereum Crypto Wallet
  • MetaMask
  • Coinomi
  • Coin98 Super Wallet
  • AUTOS
  • BitKeep
  • Blockchain wallet
  • imToken
  • MeWallet
  • Krystal
  • SafePal
  • Trust wallet
  • TokenPocket

Target: Cryptocurrencies and wallets

Impersonation via Google News Branding:

The malware has the capability to masquerade as Google News to deceive users and gain trust. When the GoAppLauncher activity is triggered, the code programmatically replaces the app’s identity — including name and icon — with Google News branding via an activity-alias configuration, effectively hiding the original application identity. It then loads the legitimate news.google.com site inside a WebView to reinforce the illusion that the user is interacting with the real Google News app. This identity-switching technique increases user confidence and reduces suspicion while the malicious app can continue unauthorized background activities.
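
The accessibility service, device-admin receiver, JobScheduler service and Google News activity-alias described in the sections above are all declared in the APK's manifest, so a decoded manifest is the quickest place to confirm them. The following Python script is an added example for this report, not code from the sample or its authors: it audits an apktool-decoded AndroidManifest.xml for those markers plus the permissions this family needs (overlay, SMS, contacts, call, install, camera, location). The embedded manifest is constructed for illustration; its package name, class names and `.AccService`/`.AdminReceiver` identifiers are placeholders, and only `GoAppLauncher` and `JobHandlerService` are names the report itself mentions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def a(attr):
    """Qualify an attribute name with the android: namespace as ElementTree stores it."""
    return f"{{{ANDROID_NS}}}{attr}"


# Permissions that, in combination with an accessibility service, characterise this family.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay / screen mask",
    "android.permission.READ_SMS": "SMS theft",
    "android.permission.SEND_SMS": "SMS sending",
    "android.permission.READ_CONTACTS": "contact exfiltration",
    "android.permission.CALL_PHONE": "MMI dialling (call forwarding)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "APK installation",
    "android.permission.CAMERA": "photo capture",
    "android.permission.ACCESS_FINE_LOCATION": "location tracking",
}


def audit_manifest(xml_text):
    """Return (kind, name, note) findings for an apktool-decoded AndroidManifest.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    for p in root.findall("uses-permission"):
        name = p.get(a("name"))
        if name in RISKY_PERMISSIONS:
            findings.append(("permission", name, RISKY_PERMISSIONS[name]))

    app = root.find("application")
    if app is None:
        return findings
    app_label = app.get(a("label"))

    for svc in app.findall("service"):
        perm, name = svc.get(a("permission")), svc.get(a("name"))
        if perm == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            findings.append(("accessibility_service", name, "can read the screen and inject input"))
        elif perm == "android.permission.BIND_JOB_SERVICE":
            findings.append(("job_service", name, "JobScheduler persistence candidate"))

    for rcv in app.findall("receiver"):
        if rcv.get(a("permission")) == "android.permission.BIND_DEVICE_ADMIN":
            findings.append(("device_admin", rcv.get(a("name")), "resists uninstallation"))

    # An alias whose label differs from the application label re-brands the app
    # (the Google News trick) without shipping a second APK.
    for alias in app.findall("activity-alias"):
        label = alias.get(a("label"))
        if label and label != app_label:
            findings.append(("activity_alias", alias.get(a("name")), f"relabels app as {label!r}"))
    return findings


def is_suspicious(findings):
    """Accessibility service plus device admin, a re-branding alias or an overlay permission."""
    kinds = {k for k, _, _ in findings}
    names = {n for _, n, _ in findings}
    has_overlay = "android.permission.SYSTEM_ALERT_WINDOW" in names
    return "accessibility_service" in kinds and (
        "device_admin" in kinds or "activity_alias" in kinds or has_overlay
    )


# Constructed manifest: package and most class names are placeholders, not from the samples.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.placeholder">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Identitas Kependudukan Digital">
    <service android:name=".AccService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".JobHandlerService" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <activity-alias android:name=".GoAppLauncher" android:label="Google News" android:targetActivity=".MainActivity"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    results = audit_manifest(SAMPLE_MANIFEST)
    for kind, name, note in results:
        print(f"{kind:22} {name:45} {note}")
    print("suspicious:", is_suspicious(results))
```

Run it against the `AndroidManifest.xml` that `apktool d sample.apk` produces; an `android:label` on an activity-alias that differs from the application label is the manifest-level fingerprint of the identity switch described above, and the BIND_ACCESSIBILITY_SERVICE service is the one to look for in `enabled_accessibility_services` on a suspect device.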

Behavioral Analysis:

Upon execution, the malware immediately suppresses audio and notification volumes by setting multiple streams—including music, ringtone, and notifications—to zero. This effectively disables audible alerts on the device, preventing the user from noticing incoming calls, messages, or other notifications.

audio and notification volumes suppression

Network Communications:

It establishes communications with C2 at ping[.]ynrkone[.]top on port 8181 and sends the device identification string along with the application name that has infected the device:

Sending device ID

Then it requests a list from the C2 of potential applications that it can target:

C2 request: potential target applications list

The C2 responds with the list of application names:

potential target applications

The response contains the following application names. All potential target applications are related to financial services, such as banks and money transfer services:

  1. MoMo (com.mservice.momotransfer)
  2. SCB Mobile Banking (com.vnpay.SCB)
  3. MyVIB (com.vib.myvib2)
  4. COB OMNI (com.ocb.omniextra)
  5. Open Banking (ops.namabank.com.vn)
  6. Sacombank pay (com.sacombank.ewallet)
  7. SHB Mobile (vn.shb.mbanking)
  8. Techcombank (vn.com.techcombank.bb.app)
  9. TPBank Mobile (com.tpb.mb.gprsandroid)
  10. VCB Digidank (com.VCB)
  11. Vietin Bank (com.vietinbank.ipay)
  12. VPBank NEO (com.vnpay.vpbankonline)
  13. CAKE BANK (xyz.be.cake)
  14. zalopay (vn.com.vng.zalopay)
  15. ACB ONE (mobile.acb.com.vn)
  16. Agribank (com.vnpay.Agribank3g)
  17. Smart Banking (com.vnpay.bidv)
  18. MB Bank (com.mbmobile)
  19. chrome (com.android.chrome)
  20. Sacombank mBanking (src.com.sacombank)
  21. Namabank (ops.namabank.com.vn)
  22. UCMobile (com.UCMobile.intl)
  23. Maybank (com.maybank2u.life)
  24. Hong Leong (my.com.hongleongconnect.mobileconnect)
  25. Public Bank (com.engage.pbb.pbengage2my.release)
  26. CimB Bank (my.com.cimb.ngb)
  27. RHB Bank (com.rhbgroup.rhbmobilebanking)
  28. Ambank Bank (com.ambank.ambankonline)
  29. BSN Bank (com.bsn.mybsn)
  30. Affin Bank (com.affin.AffinMobileBanking)
  31. Bank Islam (com.iexceed.CBS)
  32. Alliance Bank (com.alliance.AOPMobileApp)
  33. Uob Bank (com.uob.my.infinity)
  34. SBI Yono (com.sbi.lotusintouch)
  35. SBI Yono Lite (com.sbi.SBIFreedomPlus)
  36. ICICI (com.csam.icici.bank.imobile)
  37. HDFC (com.snapwork.hdfc)
  38. AXIS (com.axis.mobile)
  39. Bank Of Baroda (com.bankofbaroda.mconnect)
  40. Kotak Bank (com.msf.kbank.mobile)
  41. test (com.mobile.test)
  42. BCA (com.bca)
  43. D-Bank PRO (com.dbank.mobile)
  44. MobilePanin (com.panin.mobilepanin)
  45. OCTO Mobile by CIMB Niaga (id.co.cimbniaga.mobile.android)
  46. BRILink Mobile (id.co.bri.brilinkmobile)
  47. Livin’ by Mandiri (id.bmri.livin)
  48. SeaBank (id.co.bankbkemobile.digitalbank)
  49. BNI Mobile Banking (src.com.bni)
  50. BTN (com.dimasdev.btnppid_v2)
  51. BANK NEO (com.bnc.finance)
  52. BNI (src.com.bni)
  53. BSI (com.bsm.activity2)
  54. CIMB (id.co.cimbniaga.mobile.android)
  55. BRI (id.co.bri.brimo)
  56. OCBC (com.ocbcnisp.onemobileapp)
  57. JATIM (co.id.bankjatim.prioritashaihaiproduction)
  58. DBS (com.dbs.sg.dbsmbanking)
  59. MAYBANK (id.com.uiux.mobile)
  60. PERMATABANK (net.myinfosys.PermataMobileX)
  61. JENIUS (com.btpn.dc)
  62. MUALAMAT (com.muamalatdin)
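
Because the C2 hands out this package list, it doubles as a hunting list: a managed device that has one of these apps installed and an unexpected third-party accessibility service enabled is exactly the combination the family needs. The following triage function is an added example written for this report, not code from the sample or a vendor tool. It parses the output of `adb shell pm list packages -3` (one `package:<name>` per line) and of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/Class` components, or `null`). The sample outputs and the `com.digital.ktp` package are constructed placeholders; the real package name of the samples is not stated in this report, and the accessibility allowlist is an assumption to be replaced with your fleet's baseline.

```python
# Financial targets copied from the C2's list above (browsers such as com.android.chrome
# and com.UCMobile.intl are left out because they would match almost every device).
TARGET_PACKAGES = {
    "com.mservice.momotransfer": "MoMo",
    "com.vnpay.SCB": "SCB Mobile Banking",
    "vn.com.techcombank.bb.app": "Techcombank",
    "com.maybank2u.life": "Maybank",
    "com.sbi.lotusintouch": "SBI Yono",
    "com.bca": "BCA",
    "id.bmri.livin": "Livin' by Mandiri",
    "id.co.bri.brimo": "BRI",
}

# Assumed fleet baseline: accessibility services that are allowed to be enabled.
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback",  # TalkBack
}


def parse_pm_list(output):
    """Parse `pm list packages` output into a set of package names."""
    pkgs = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_enabled_accessibility(output):
    """Parse `settings get secure enabled_accessibility_services`; 'null' means none enabled."""
    output = output.strip()
    if not output or output == "null":
        return []
    return [c for c in output.split(":") if c]


def triage(pm_output, acc_output):
    installed = parse_pm_list(pm_output)
    targeted = {p: TARGET_PACKAGES[p] for p in installed & set(TARGET_PACKAGES)}
    rogue = []
    for component in parse_enabled_accessibility(acc_output):
        pkg = component.split("/", 1)[0]
        if pkg not in ACCESSIBILITY_ALLOWLIST:
            rogue.append(component)
    # A non-allowlisted accessibility service on a device that also carries targeted
    # banking apps is the precondition for overlay and UI automation attacks.
    if rogue and targeted:
        risk = "high"
    elif rogue:
        risk = "medium"
    else:
        risk = "low"
    return {"targeted_installed": targeted, "rogue_accessibility": rogue, "risk": risk}


# Constructed adb output; com.digital.ktp is a placeholder package name.
SAMPLE_PM_OUTPUT = """package:com.android.chrome
package:com.bca
package:id.bmri.livin
package:com.digital.ktp
"""
SAMPLE_ACC_OUTPUT = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.digital.ktp/com.digital.ktp.AccService"
)

if __name__ == "__main__":
    print(triage(SAMPLE_PM_OUTPUT, SAMPLE_ACC_OUTPUT))
```

On a real device the two inputs come from `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`; a "high" result should be followed by checking `dumpsys device_policy` for an unexpected device admin and by dumping the APK of the rogue package for hash comparison against the IOCs below.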

The next communication sequence sends details about the infected device, including time zone, accessibility status (whether the malware’s accessibility service is enabled), phone brand, and battery optimization status for the malware:

Sending device details

C2 responds with “operation successful”:

C2 response

The malware also sends details of installed applications—including their names, package identifiers, and version information—from the infected device to the C2 server. The C2 acknowledges receipt with an “operation successful” response:

Sending installed application data to C2

The C2 address https[:]//ping[.]ynrkone[.]top[:]8181 hosts a chat room through which all infected devices communicate. It functions as an automated handler, sending and receiving specific data to and from each infected device:

Chatroom at C2

The malware is capable of connecting to the C2 at ping[.]ynrkone[.]top using the WebSocket protocol on port 8989 via the Janus WebRTC server, as indicated by its WebRTC session initialization routines; however, no such communication was observed during analysis:

C2 connection over WebSocket

These malware specimens also attempt to load content through a WebView from the following domains, which did not resolve at the time of analysis:

  1. plp[.]foundzd[.]vip (specimen 1)
  2. plp[.]e1in2[.]top (specimen 2)
  3. plp[.]en1inei2[.]top (specimen 3)

No additional C2 commands were received during the analysis of the malware. Possible reasons include the malware detecting the analysis environment and intentionally withholding its true capabilities, remaining in a dormant or sleep state while waiting for a potential target application to be installed, or requiring specific conditions or triggers to initiate communication.

Malware Functionality Following Accessibility Access:

Once the malware obtains Accessibility permissions, it launches a full-screen overlay displaying a message in Indonesian that impersonates a “Personal Information Verification” prompt. The overlay instructs the victim to wait, effectively deceiving them while the malware performs background activities.

Full-screen overlay

During this process, the malware enables all required permissions in the background:

Enables permission in the background via accessibility.

The malware also runs the services required for its operations, such as RemoteService, LocalService, JobHandlerService – using Accessibility privileges:

Running Services

The malware also adds itself as a Device Administrator app.

Capabilities of Android/BankBot-YNRK:

Environmental awareness and evasion:

  • Detects virtualized or emulated environments to evade sandbox analysis.
  • Verifies manufacturer and ROM details (e.g., OPPO, Realme, ColorOS).
  • Uses device-specific model and resolution mapping via a hash map for profiling.

Persistence and self-protection:

  • Registers persistent background jobs via JobScheduler with a 30-second backoff.
  • Adds itself as a Device Administrator app to resist uninstallation.
  • Uses accessibility privileges to grant its own permissions and start its services (RemoteService, LocalService, JobHandlerService) without user interaction.

Accessibility abuse:

  • Requests and abuses Accessibility permissions to perform privileged actions.
  • Automates UI navigation, clicks, swipes, and gestures.
  • Interacts with device interface elements without user input.
  • Launches overlays to impersonate legitimate prompts (e.g., “Personal Information Verification”).

Overlay and impersonation:

  • Masquerades as Google News via GoAppLauncher activity and activity-alias configuration.
  • Loads the legitimate news.google.com site inside a WebView to appear authentic.

Audio and notification suppression:

  • Mutes audio streams (music, ringtone, notifications) to silence the device and prevent user awareness.

Command-and-control (C2) communication:

  • Communicates with C2 server ping[.]ynrkone[.]top over port 8181.
  • Exchanges device identifiers, installed app lists, and status data.
  • Supports WebSocket communication on port 8989 via the Janus WebRTC server (not observed during testing).
  • Receives an extensive command set enabling remote control, including app management, device interaction, and data theft.

Device and data manipulation:

  • Enables and disables system features (e.g., Accessibility, admin privileges, IME).
  • Controls screen state, unlocks device, and navigates system menus.
  • Forwards or cancels call forwarding using MMI codes (21*{str}#).
  • Exfiltrates sensitive data: contacts, SMS, app lists, device info, and location.
  • Captures clipboard content to steal sensitive text data (passwords, crypto keys, etc.).

Cryptocurrency theft and automation:

  • Functions as a wallet automation bot, interacting with apps like Exodus.
  • Reads on-screen content and automates input actions via Accessibility.
  • Extracts sensitive wallet data (balances, seed phrases, private keys) and performs unauthorized transactions.
  • Uses the autoCloseBiometrics flag to dismiss biometric dialogs automatically.

Screen and UI surveillance:

  • Continuously captures screen contents and extracts UI metadata (view IDs, bounds, package names, class names).
  • Reconstructs a “skeleton UI” to perform automated actions and credential theft.

Command versatility:

  • Executes diverse C2 commands: install/uninstall apps, send SMS, take photos, set text, download files, and more.
  • Maintains persistent background communication with an automated “chat room” handler on the C2 server.

Conclusion

The analyzed samples, collectively identified as Android/BankBot-YNRK, represent a highly capable Android banking trojan designed to achieve full remote control of infected devices. By abusing accessibility services, it gains elevated privileges to automate UI interactions, extract sensitive data, and perform unauthorized operations. The malware demonstrates strong persistence through JobScheduler-based tasks and device admin privileges, while employing stealth mechanisms such as audio suppression and deceptive overlays to evade user detection.

Its ability to masquerade as legitimate applications (e.g., Google News) further enhances user deception and trust. Communication with the C2 server enables it to receive a wide range of commands for data exfiltration, device manipulation, and cryptocurrency theft. Overall, Android/BankBot-YNRK exhibits a comprehensive feature set aimed at maintaining long-term access, stealing financial data, and executing fraudulent transactions on compromised Android devices.

MITRE Mappings

No. | Tactic | Technique
1 | Persistence (TA0028) | T1603: Scheduled Task/Job
2 | Privilege Escalation (TA0029) | T1401: Device Administrator Permissions
3 | Defense Evasion (TA0030) | T1633: Virtualization/Sandbox Evasion; T1406: Obfuscated Files or Information
4 | Execution (TA0041) | T1516: Input Injection
5 | Collection (TA0035) | T1417.002: Input Capture: GUI Input Capture; T1513: Screen Capture; T1414: Clipboard Data; T1412: Capture SMS Messages; T1636.003: Protected User Data: Contact List; T1636.004: Protected User Data: SMS Messages; T1430: Location Tracking
6 | Discovery (TA0032) | T1418: Software Discovery
7 | Command and Control (TA0037) | T1437.001: Application Layer Protocol: Web Protocols
8 | Exfiltration (TA0036) | T1646: Exfiltration Over C2 Channel
9 | Impact (TA0034) | T1616: Call Control

Indicators of Compromise

Indicator | Type | Description
cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c | SHA-256 | APK (sample 1)
19456fbe07ae3d5dc4a493bac27921b02fc75eaa02009a27ab1c6f52d0627423 | SHA-256 | APK (sample 2)
a4126a8863d4ff43f4178119336fa25c0c092d56c46c633dc73e7fc00b4d0a07 | SHA-256 | APK (sample 3)
ping[.]ynrkone[.]top | Domain | C2 (HTTPS on port 8181; WebSocket on port 8989 present in code but not observed)
plp[.]foundzd[.]vip | Domain | WebView content domain, specimen 1 (unresolved at analysis time)
plp[.]e1in2[.]top | Domain | WebView content domain, specimen 2 (unresolved at analysis time)
plp[.]en1inei2[.]top | Domain | WebView content domain, specimen 3 (unresolved at analysis time)
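
The hashes above only catch the three known builds; the domains and the code markers quoted in the static analysis (nmm-protect, OPEN_ACCESSIBILITY, CALL_FORWARD, GoAppLauncher, JobHandlerService) also survive trivial re-packaging as plain strings inside classes.dex, assets and resources. The following scanner is an added example written for this report, not a tool from the report's authors: it hashes an APK, compares it with the IOC table, and searches the raw zip entries for the domains and markers without decompiling anything. The APK it builds for itself is a constructed zip that only mimics the layout; it is not one of the samples, and strings packed or encrypted by the obfuscator will not be found this way.

```python
import hashlib
import io
import zipfile

# IOCs taken from the report's indicator table.
IOC_SHA256 = {
    "cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c",
    "19456fbe07ae3d5dc4a493bac27921b02fc75eaa02009a27ab1c6f52d0627423",
    "a4126a8863d4ff43f4178119336fa25c0c092d56c46c633dc73e7fc00b4d0a07",
}
IOC_DOMAINS = ["ping.ynrkone.top", "plp.foundzd.vip", "plp.e1in2.top", "plp.en1inei2.top"]
# Code markers quoted in the report's static analysis section.
CODE_MARKERS = [b"nmm-protect", b"OPEN_ACCESSIBILITY", b"CALL_FORWARD", b"GoAppLauncher", b"JobHandlerService"]


def scan_apk_bytes(data):
    """Hash the APK and grep its DEX, assets and resources for IOC domains and code markers."""
    digest = hashlib.sha256(data).hexdigest()
    result = {"sha256": digest, "hash_match": digest in IOC_SHA256, "domains": set(), "markers": set()}
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result  # not an APK at all; hash is still reported
    with zf:
        for info in zf.infolist():
            # Hard-coded C2 hosts and class names live in the DEX files, assets and resources.
            if not (info.filename.endswith(".dex") or info.filename.startswith(("assets/", "res/"))):
                continue
            blob = zf.read(info)
            for dom in IOC_DOMAINS:
                if dom.encode() in blob:
                    result["domains"].add(dom)
            for marker in CODE_MARKERS:
                if marker in blob:
                    result["markers"].add(marker.decode())
    return result


def verdict(result):
    """Order matters: an exact hash is conclusive, a C2 domain is strong, markers alone are a hint."""
    if result["hash_match"]:
        return "known-sample"
    if result["domains"]:
        return "ioc-domain-hit"
    if len(result["markers"]) >= 2:
        return "suspicious-markers"
    return "clean"


def build_constructed_apk():
    """Build a minimal zip that mimics an APK layout (constructed for this example; not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<binary-xml-placeholder>")
        zf.writestr(
            "classes.dex",
            b"dex\n035\x00" + b"Lcom/nmm-protect/x;\x00OPEN_ACCESSIBILITY\x00wss://ping.ynrkone.top:8989\x00",
        )
        zf.writestr("assets/config", b"https://plp.e1in2.top/")
    return buf.getvalue()


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_constructed_apk()
    res = scan_apk_bytes(data)
    print(res["sha256"], verdict(res), sorted(res["domains"]), sorted(res["markers"]))
```

Usage is `python scan.py suspect.apk`; with no argument it scans its own constructed zip. Pull a suspect package off a device with `adb shell pm path <pkg>` followed by `adb pull`, and treat a "suspicious-markers" verdict as a prompt for full static analysis rather than a detection on its own, since the marker strings are generic enough to appear in unrelated apps.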

Recommendations and Mitigations

User Awareness and Training:

  • Educate users to download applications only from trusted sources such as the Google Play Store and verify app developers before installation.
  • Encourage users to review requested permissions carefully, especially for apps requesting Accessibility Services, Device Admin, or SMS access.
  • Warn users to be cautious of applications masquerading as legitimate services (e.g., Google News, banking apps).

Mobile Device Management (MDM) Controls:

  • Implement MDM or EMM solutions to restrict the installation of apps from unknown sources and enforce security baselines across all managed devices.
  • Monitor for apps that request Accessibility or Device Administrator privileges, and alert when such permissions are granted unexpectedly.

Network and C2 Detection:

  • Block communication with known malicious domains and IPs (e.g., ping.ynrkone.top) at the network layer.
  • Deploy network monitoring to identify suspicious outbound connections on uncommon ports (e.g., 8181, 8989).
  • Use SSL/TLS inspection where feasible to detect and block C2 traffic using WebSocket or HTTP(S) protocols.

Application and System Hardening:

  • Ensure all devices run the latest Android OS version (Android 14 or above), which enforces stricter restrictions on Accessibility service abuse.
  • Disable or restrict developer options and USB debugging on production devices.
  • Review and revoke unnecessary Accessibility and Device Admin permissions regularly.

Malware Detection and Response:

  • Deploy reputable mobile endpoint protection (AV/EDR) solutions capable of detecting obfuscated malware (e.g., those using nmm-protect).
  • Conduct periodic mobile threat hunting to identify indicators of compromise (IOCs) such as package names, URLs, and certificates linked to the Android/BankBot-YNRK family.
  • Isolate and reset infected devices to factory settings after confirmed compromise.

Incident Response and Forensics:

  • Preserve logs and forensic artifacts (network, app data, and user activity) from infected devices for analysis.
  • Notify affected users if sensitive information (banking credentials, cryptocurrency wallet data, etc.) may have been exfiltrated.
  • Coordinate with financial institutions and relevant CERTs to report the threat and mitigate ongoing campaigns.