SecDevOps.com
Android Malware Mutes Alerts, Drains Crypto Wallets


Dark Reading (1 month ago) Updated 1 month ago

Android/BankBot-YNRK is currently targeting users in Indonesia by masquerading as legitimate applications.

November 3, 2025

Security researchers have uncovered a "highly capable" new mobile banking Trojan targeting Android users in Indonesia and possibly across other Southeast Asian countries.

Like many Android banking Trojans, the new malware abuses Android's accessibility services to give attackers complete remote control over infected devices, intercept SMS messages, and steal sensitive information, including passwords, cryptocurrency keys, and other personal data. According to threat intelligence vendor Cyfirma, the malware also uses obfuscation to evade detection, checks whether it is running on a real device rather than an emulator, hides its activity from the user, and employs persistence mechanisms to remain active after reboots.

Cyfirma researchers are tracking the Trojan as "Android/BankBot-YNRK" after finding three samples hidden inside legitimate-looking versions of "Identitas Kependudukan Digital," the digital version of Indonesia's national ID card. The vendor's analysis showed the malware primarily targeting devices running Android 13 and earlier, where it can obtain the accessibility permissions required to carry out its malicious activities. "Until Android 13, apps could bypass permission requests through accessibility features," Cyfirma explained in a recent blog post. "However, with Android 14, this behavior is no longer possible, and users must grant permissions directly through the system interface."
Cyfirma's report did not specify how the operators of Android/BankBot-YNRK deliver the malware to victim devices. However, the fact that it is disguised as a legitimate government app that users must install manually from an Android Package Kit (APK) suggests it primarily threatens users who sideload apps from outside official app stores. Security researchers have long warned against that practice because of the risk it presents to mobile device users, especially in enterprise environments.

Before launching any malicious activity, Android/BankBot-YNRK first confirms it is running on a physical device. It then determines the device manufacturer and model so it can deploy device-specific, device-optimized functions on targeted models, which include Google Pixel and Samsung, while ignoring other models. Cyfirma found that the malware contains features that disable all audio alerts on the device, including those for incoming calls, system notifications, and messages. "Such behavior is often employed to avoid user detection, ensuring that the malware can execute its payload or other malicious routines without drawing attention," Cyfirma said.

Once victims grant Android/BankBot-YNRK accessibility permissions, the Trojan helps itself to the privileges required to automate UI interactions, extract sensitive data, and perform unauthorized operations without direct user involvement. The malware tricks users into granting these permissions by launching a full-screen overlay in Indonesian that impersonates a "Personal Information Verification" prompt.
The prompt instructs victims to wait while the malware silently enables all required permissions in the background, according to the vendor.

One particularly troubling aspect of the malware is its ability to take real-time screenshots of the victim's device to map the exact layout of banking apps, such as where the password field and other buttons are located. It then uses this "skeleton" of the interface to automate input, steal credentials, execute fraudulent transactions, and maintain persistence on compromised devices.

"The malware functions as a controller for cryptocurrency wallets, programmatically opening the wallet app and interacting with its interface via Accessibility services," Cyfirma said. "By automating UI actions and capturing on-screen content, it can extract sensitive information displayed in the wallet (e.g., seed phrases, private keys, or transaction confirmations) without the user's consent."

The malware targets multiple cryptocurrencies and associated wallets, including Bitcoin, Ethereum, Litecoin, and Solana. Android/BankBot-YNRK is among a growing number of Android Trojans targeting crypto wallets.

One obfuscation tactic Cyfirma observed was the malware changing its app name and icon to masquerade as Google News. The vendor found the malware loading the real google.com inside a WebView while silently executing malicious activity in the background. For long-term persistence, one of its tricks is to schedule recurring tasks that survive reboots via Android's JobScheduler API.

Android/BankBot-YNRK represents the latest evolution in a rapidly expanding Android malware and threat landscape.
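The capabilities described above (an accessibility service, SMS interception, a full-screen overlay, reboot persistence via BOOT_COMPLETED and JobScheduler, and sideloaded installation) all leave traces in an app's manifest. The following is an added static-triage example written for this page; it is not code from the original article, from Cyfirma, or from the malware itself. The indicator names, the weights, the threshold, and both sample manifests (including the package names) are this example's own assumptions, constructed to show how such a manifest stacks up against a plain one.

```python
# Added example: score a decoded AndroidManifest.xml for the capability
# combination the article attributes to Android/BankBot-YNRK. Indicator
# names, weights, threshold and sample manifests are assumptions made here.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Hypothetical weights: accessibility-service abuse is the enabler the
# article singles out, so it carries the most weight.
INDICATOR_WEIGHTS = {
    "accessibility_service": 4,  # service bound with BIND_ACCESSIBILITY_SERVICE
    "sms_intercept": 3,          # RECEIVE_SMS / READ_SMS
    "overlay": 2,                # SYSTEM_ALERT_WINDOW (fake "verification" prompt)
    "boot_persistence": 2,       # BOOT_COMPLETED receiver or permission
    "job_scheduler": 1,          # JobService bound with BIND_JOB_SERVICE
    "install_packages": 1,       # REQUEST_INSTALL_PACKAGES (dropper behaviour)
}
SUSPICIOUS_THRESHOLD = 6  # hypothetical cut-off for the coarse verdict


def _android_attr(elem, name):
    """Read an attribute from the android: namespace (e.g. android:name)."""
    return elem.get("{%s}%s" % (ANDROID_NS, name))


def triage_manifest(manifest_xml: str) -> dict:
    """Return which indicators fire, a weighted score and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    uses_perms = {_android_attr(p, "name") for p in root.iter("uses-permission")}
    # Permissions a <service> demands of whoever binds it (android:permission=...)
    component_perms = {_android_attr(s, "permission") for s in root.iter("service")}
    intent_actions = {_android_attr(a, "name") for a in root.iter("action")}

    indicators = {
        "accessibility_service":
            "android.permission.BIND_ACCESSIBILITY_SERVICE" in component_perms,
        "sms_intercept": bool(uses_perms & {"android.permission.RECEIVE_SMS",
                                            "android.permission.READ_SMS"}),
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in uses_perms,
        "boot_persistence":
            "android.permission.RECEIVE_BOOT_COMPLETED" in uses_perms
            or "android.intent.action.BOOT_COMPLETED" in intent_actions,
        "job_scheduler": "android.permission.BIND_JOB_SERVICE" in component_perms,
        "install_packages": "android.permission.REQUEST_INSTALL_PACKAGES" in uses_perms,
    }
    score = sum(w for k, w in INDICATOR_WEIGHTS.items() if indicators[k])
    verdict = "suspicious" if score >= SUSPICIOUS_THRESHOLD else "low"
    return {"package": root.get("package"), "indicators": indicators,
            "score": score, "verdict": verdict}


# Constructed manifest modelled on the capability set described in the
# article; package and component names are invented for this example.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeid">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="Identitas Kependudukan Digital">
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".PersistJob"
        android:permission="android.permission.BIND_JOB_SERVICE"/>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed plain manifest for contrast: network access and one activity.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plain">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Plain App">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(manifest)
        fired = [k for k, v in result["indicators"].items() if v]
        print(result["package"], result["score"], result["verdict"], fired)
```

To run this against a real sample, decode the APK first (for example with apktool) and pass the resulting AndroidManifest.xml text to `triage_manifest`. This is triage, not a verdict: a legitimate screen reader also declares an accessibility service, and the runtime behaviours the article describes (screenshot-based UI mapping, muting audio streams, the Google News WebView decoy) are only visible in dynamic analysis. What the manifest does show cheaply is whether an app claiming to be a national-ID client has any business asking for the combination of SMS, overlay, boot-persistence and accessibility access.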
Analysis by Intel471 earlier this year highlighted a sharp rise in 2024 in Android malware incorporating advanced capabilities such as keylogging, hidden virtual network computing (HVNC), remote control functions, and NFC relay exploitation. Intel471 researchers observed attackers increasingly deploying specialized droppers, with names like TiramisuDropper and the Brokewell Android loader, to bypass Android 13's accessibility restrictions and sideload malware onto victim devices. Intel471 also noted that the widespread availability of leaked source code has lowered the barrier to entry for nontechnical cybercriminals, accelerating both the development and monetization of malicious Android applications.

Jai Vijayan, Contributing Writer

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India.
Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Source: This article was originally published on Dark Reading