Mallory
Malware

Android/BankBot-YNRK

Android/BankBot-YNRK is an Android mobile banking Trojan tracked by Cyfirma and described as targeting users in Indonesia, with possible targeting across other Southeast Asian countries. It is distributed as sideloaded APKs outside official app stores and has masqueraded as legitimate applications, including Indonesia's digital national ID app (Identitas Kependudukan Digital). To obtain the permissions it needs, it shows a full-screen Indonesian-language overlay impersonating a 'Personal Information Verification' prompt. It primarily targets Android 13 and earlier.

The malware abuses Android accessibility features to obtain extensive control over infected devices, enabling remote control, automated UI interaction, SMS interception, and theft of sensitive data including passwords, cryptocurrency keys, seed phrases, and private keys. Reported capabilities include taking real-time screenshots to map banking app layouts, opening and interacting with cryptocurrency wallet apps, and facilitating fraudulent transactions. It targets multiple cryptocurrencies, including Bitcoin, Ethereum, Litecoin, and Solana.

For evasion, the malware uses code obfuscation, checks whether it is running on a real device rather than an emulator, hides its activity from the user, and disables audio alerts. It can change its app name and icon to masquerade as Google News while loading the real google.com in a WebView in the foreground. It also determines the device manufacturer and model to deploy device-specific functions, with Google Pixel and Samsung devices specifically mentioned.

For persistence, it uses Android JobScheduler to schedule recurring tasks that survive reboots.
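The traits described above (an accessibility service, overlay and SMS permissions, a JobScheduler service, and a second launcher alias used to swap the visible name and icon) all have to be declared in an APK's AndroidManifest.xml before the OS will grant them, so a decoded manifest is a cheap first triage point for a suspicious sideloaded app. The script below is an added example written for this page, not code from Cyfirma or from the malware itself: it scores a decoded manifest against those declarations. The weights and thresholds are assumptions chosen for illustration, the sample manifest is constructed and is not a real YNRK artefact, and the activity-alias check assumes the common icon-swap technique (several aliases, some disabled at install time) rather than whatever method this family actually uses, which the page does not state.

```python
"""Manifest triage for accessibility-abusing Android bankers (added example).

Expects a decoded, text AndroidManifest.xml (e.g. as produced by apktool),
not the binary XML inside the APK.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _attr(elem, name):
    """Read an android:<name> attribute from a manifest element."""
    return elem.get(f"{{{ANDROID_NS}}}{name}")


# Permission -> (capability the page attributes to the family, weight).
# Weights are an assumption chosen for this example, not a published scheme.
PERMISSION_SIGNALS = {
    "android.permission.SYSTEM_ALERT_WINDOW": ("full-screen overlay", 2),
    "android.permission.RECEIVE_SMS": ("SMS interception", 2),
    "android.permission.READ_SMS": ("SMS interception", 1),
    "android.permission.RECEIVE_BOOT_COMPLETED": ("reboot persistence", 1),
}

ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
JOB_BIND = "android.permission.BIND_JOB_SERVICE"


def triage_manifest(xml_text):
    """Return (package, sorted findings, score) for a decoded manifest."""
    root = ET.fromstring(xml_text)
    findings = {}  # capability -> weight, deduplicated per capability

    for up in root.iter("uses-permission"):
        sig = PERMISSION_SIGNALS.get(_attr(up, "name"))
        if sig:
            cap, weight = sig
            findings[cap] = max(findings.get(cap, 0), weight)

    for svc in root.iter("service"):
        bind = _attr(svc, "permission")
        actions = {_attr(a, "name") for a in svc.iter("action")}
        # A real accessibility service must be guarded by
        # BIND_ACCESSIBILITY_SERVICE and handle the AccessibilityService action.
        if bind == ACCESSIBILITY_BIND and ACCESSIBILITY_ACTION in actions:
            findings["accessibility service (UI automation)"] = 3
        # A JobService guarded by BIND_JOB_SERVICE is the JobScheduler hook
        # used for recurring tasks that survive reboots.
        elif bind == JOB_BIND:
            findings["JobScheduler persistence"] = 1

    # Assumption: several launcher aliases with their own label/icon, at least
    # one disabled at install time, is the usual way an app swaps its visible
    # name and icon at runtime via setComponentEnabledSetting().
    aliases = list(root.iter("activity-alias"))
    looks = {(_attr(a, "label"), _attr(a, "icon")) for a in aliases}
    if len(looks) >= 2 and any(_attr(a, "enabled") == "false" for a in aliases):
        findings["runtime icon/name swap"] = 2

    return root.get("package"), sorted(findings), sum(findings.values())


def verdict(score):
    """Map a score to a triage label; thresholds are an assumption."""
    if score >= 7:
        return "likely accessibility-abusing banker"
    if score >= 3:
        return "suspicious"
    return "low"


# Constructed sample manifest for demonstration only; not a real YNRK sample.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.idcard">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Identitas">
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".IdAlias" android:targetActivity=".MainActivity"
        android:label="Identitas" android:icon="@mipmap/id" android:enabled="true"/>
    <activity-alias android:name=".NewsAlias" android:targetActivity=".MainActivity"
        android:label="Google News" android:icon="@mipmap/news" android:enabled="false"/>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <service android:name=".Job" android:permission="android.permission.BIND_JOB_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    pkg, findings, score = triage_manifest(SAMPLE_MANIFEST)
    print(f"{pkg}: score {score} -> {verdict(score)}")
    for f in findings:
        print(" -", f)
```

A manifest score is a triage signal, not a detection: legitimate accessibility tools and SMS apps declare some of the same permissions, so a "suspicious" result should send the APK on to dynamic analysis, and a low score says nothing about an obfuscated sample that requests permissions at runtime through its overlay.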
