Cyfirma’s latest malware analysis has revealed a highly sophisticated Android banking trojan dubbed Android/BankBot-YNRK, which is actively targeting users across Southeast Asia through malicious clones of legitimate applications. The research uncovered three APK samples — all posing as Indonesia’s official “Identitas Kependudukan Digital” (Digital ID) app — that exhibited advanced evasion, persistence, and credential theft capabilities.
Cyfirma analysts determined that all three APKs belonged to the same malware family, sharing “similarities in code structure, package naming conventions, and command-and-control (C2) communication patterns.” The threat actors, believed to be financially motivated, appear to have repackaged the apps to disguise their malicious functionality and trick users into installing them.
The company noted that static and dynamic analyses revealed the malware’s core functions to include anti-emulation checks, device fingerprinting, accessibility service abuse, and real-time C2 communication for full device control. “Each sample was examined using static and dynamic analysis techniques,” Cyfirma explained, “to determine whether the samples exhibited any malicious functionality, assess their potential impact on mobile devices or user data, and identify indicators of compromise (IOCs).”
One of the most striking findings was the malware’s environmental detection capabilities. During initialization, Android/BankBot-YNRK determines whether it is running on a real device or within an emulator — an anti-sandbox evasion technique.
According to the report, “The malware specimen exhibits environment detection capabilities designed to determine whether it is operating within a virtualized or emulated environment.” This is done by inspecting manufacturer strings such as “Huawei,” “Honor,” or “OPPO” and cross-referencing them with a built-in hash map of screen resolutions tied to popular models from Xiaomi, Samsung, Vivo, and Realme.
Such profiling enables the malware to customize its behavior by device type, activating only on genuine phones to avoid detection by automated scanners.
Once executed, the malware abuses Android’s Accessibility Services to silently gain privileged access. Upon receiving a C2 command titled OPEN_ACCESSIBILITY, it automatically redirects users to the Accessibility Settings screen and prompts them to enable the malicious service.
Cyfirma explains, “By leveraging this mechanism, the malware can gain elevated privileges, including the ability to automatically interact with the device interface, bypass certain permission restrictions, and perform actions without direct user input.”
With Accessibility access granted, the trojan executes a wide array of commands — unlocking the screen, simulating user gestures, opening banking apps, forwarding calls, and even capturing clipboard data to steal sensitive information such as passwords or crypto keys.
The malware ensures persistence through Android’s JobScheduler service, scheduling recurring jobs every 30 seconds and marking them as “persisted” to survive reboots. It also registers itself as a Device Administrator app, making it difficult for victims to uninstall.
In addition, Android/BankBot-YNRK silences all system sounds by muting ringtone, media, and notification streams to prevent the user from noticing suspicious background activity — a feature Cyfirma described as “audio and notification suppression.”
The malware establishes persistent communication with its C2 server at ping[.]ynrkone[.]top on port 8181, sending device identifiers, installed app lists, and accessibility status. Cyfirma notes that the C2 server “hosts a chat room through which all infected devices communicate,” effectively functioning as a central handler for command distribution.
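As an added illustration (not Cyfirma's tooling or the malware's code), the following Python heuristic scores a parsed APK against the behaviours the report lists: accessibility and device-admin bindings, a persisted periodic JobScheduler job, ring/media/notification muting, the OPEN_ACCESSIBILITY redirect, and the ping[.]ynrkone[.]top:8181 endpoint. The ApkSummary structure and both samples are constructed; a real pipeline would fill them from the manifest and decompiler output.

```python
import re
from dataclasses import dataclass
# Indicators taken from the BankBot-YNRK report above; everything else is constructed.
C2_HOST, C2_PORT = "ping.ynrkone.top", 8181
RISKY_PERMISSIONS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service bound",
    "android.permission.BIND_DEVICE_ADMIN": "device-admin receiver bound",
}
# Patterns run over decompiled code / string tables (assumed extracted upstream).
CODE_PATTERNS = {
    "persisted periodic JobScheduler job": re.compile(
        r"setPeriodic\([^;]*?setPersisted\(true\)|setPersisted\(true\)[^;]*?setPeriodic\("),
    "ring/media/notification stream muting": re.compile(
        r"(setStreamMute|adjustStreamVolume)\([^;]*?STREAM_(RING|MUSIC|NOTIFICATION)"),
    "redirect to Accessibility Settings": re.compile(
        r"OPEN_ACCESSIBILITY|ACTION_ACCESSIBILITY_SETTINGS"),
    "hard-coded C2 endpoint": re.compile(re.escape(C2_HOST) + rf"(\W+{C2_PORT})?"),
}

@dataclass
class ApkSummary:
    package: str
    permissions: set   # manifest <uses-permission> / service permission attrs
    code: str          # concatenated decompiled sources or extracted strings

def score_apk(apk):
    """Return (score, findings). No single hit is decisive; the report's point is
    the combination of accessibility abuse, persistence, muting and C2 traffic."""
    findings = [d for p, d in RISKY_PERMISSIONS.items() if p in apk.permissions]
    findings += [d for d, pat in CODE_PATTERNS.items() if pat.search(apk.code)]
    return len(findings), findings

def verdict(apk, threshold=3):
    score, findings = score_apk(apk)
    return ("suspicious" if score >= threshold else "no match"), findings

# Constructed samples (package names are placeholders, not IoCs from the report).
SUSPICIOUS = ApkSummary(
    package="com.example.fake.digitalid",
    permissions={"android.permission.INTERNET",
                 "android.permission.BIND_ACCESSIBILITY_SERVICE",
                 "android.permission.BIND_DEVICE_ADMIN"},
    code='js.schedule(new JobInfo.Builder(1, c).setPeriodic(30000L).setPersisted(true).build());'
         ' am.adjustStreamVolume(AudioManager.STREAM_RING, AudioManager.ADJUST_MUTE, 0);'
         ' if (cmd.equals("OPEN_ACCESSIBILITY")) startActivity(new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS));'
         ' sock = new Socket("ping.ynrkone.top", 8181);')
BENIGN = ApkSummary(
    package="com.example.notes",
    permissions={"android.permission.INTERNET"},
    code='js.schedule(new JobInfo.Builder(7, c).setPeriodic(900000L).build());'
         ' url = "https://api.example.com/sync";')
```

The threshold is deliberately set on the combination of indicators, since a legitimate accessibility app or a device-management tool will legitimately trip one of them on its own.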
The C2 server’s target list reads like a who’s who of Southeast Asian financial institutions — including MoMo, Techcombank, BIDV, VietinBank, MB Bank, and ACB ONE, among others. This clearly indicates a regional focus on Vietnam, Indonesia, and Malaysia, with potential spillover into neighboring countries.
Beyond banking apps, the malware also targets cryptocurrency wallets, functioning as a fully automated wallet bot. Using Accessibility permissions, it opens and interacts with popular crypto apps such as MetaMask, Trust Wallet, Coin98, and Exodus, reading sensitive on-screen data like seed phrases or balances and performing unauthorized transactions.
Cyfirma writes, “The Kotlin-based wallet automation controller leverages Android’s Accessibility permission to programmatically interact with cryptocurrency wallet apps… It can open the wallet, navigate the UI, read on-screen content, and perform automated input actions.”
This automation extends even to biometric prompts, which the malware can automatically dismiss — enabling it to mimic legitimate user behavior and steal crypto assets invisibly.
In a further act of deception, Android/BankBot-YNRK can disguise itself as the Google News app, changing its name and icon dynamically via the GoAppLauncher activity. It even loads the legitimate news.google.com site in a WebView to maintain the illusion while operating malicious processes in the background.
This impersonation technique gives the malware an added social engineering advantage, increasing user trust while concealing its true purpose.