Executive Summary
In 2024, a variant of the Android/BankBot malware known as YNRK targeted mobile users in Indonesia by disguising itself as legitimate applications, often distributed via third-party app stores or phishing campaigns. Once installed, the malware muted system alerts and abused accessibility services to perform unauthorized actions, including theft of credentials and the draining of cryptocurrency and mobile banking wallets. The attack leveraged overlays to capture user inputs and bypassed security mechanisms, resulting in significant financial losses for affected users, with widespread impacts across consumer mobile banking apps in the country.
This incident highlights the ongoing evolution and sophistication of mobile banking malware, which increasingly targets emerging markets and exploits weak security controls on non-official app stores. The rapid adoption of mobile wallets and cryptocurrency platforms has made these attacks more lucrative and frequent, intensifying the need for proactive mobile security, user awareness, and regulatory oversight.
Why This Matters Now
Android banking malware such as BankBot-YNRK continues to become more advanced, targeting regions with thriving mobile financial ecosystems and less mature detection capabilities. Given the surge in mobile payment adoption and the rapid development of malware evasion techniques, organizations and users must remain vigilant against attacks that can bypass device security and silently exfiltrate sensitive funds and credentials.
Attack Path Analysis
The attacker achieved initial compromise by distributing malware disguised as legitimate Android apps, tricking users into installing it. Upon installation, the malware requested excessive permissions, escalating its privileges on the device to gain control over notifications and accessibility functions. The malware likely conducted lateral movement by exploiting inter-app communications or abused device resources to remain persistent. It then established command and control with external servers, leveraging encrypted or covert channels to receive instructions. Sensitive crypto wallet data was exfiltrated using stealthy outbound traffic. Finally, the impact phase involved draining victims’ cryptocurrency and muting device alerts to delay detection.
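As an added defender-side example (not code from the brief or from the sources it cites), the following Python script triages a decoded AndroidManifest.xml for the permission profile the attack path describes: an accessibility service, an overlay permission and notification-policy access in one app. It assumes the manifest has already been decoded to plain XML (for example with apktool); the sample manifest is constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
# Capabilities the brief attributes to the malware, mapped to the real Android
# permissions that grant them in a manifest.
CAPABILITIES = {
    "overlay (input capture)": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "notification muting": {"android.permission.ACCESS_NOTIFICATION_POLICY",
                            "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"},
    "network egress (C2/exfil)": {"android.permission.INTERNET"},
}


def triage_manifest(manifest_xml: str) -> dict:
    root = ET.fromstring(manifest_xml)
    declared = {el.get(ANDROID_NS + "name") for el in root.iter("uses-permission")}
    findings = {cap: sorted(declared & perms)
                for cap, perms in CAPABILITIES.items() if declared & perms}
    # An accessibility service is a <service> guarded by the bind permission,
    # not a <uses-permission> entry, so it is detected separately.
    if any(s.get(ANDROID_NS + "permission") == ACCESSIBILITY_PERM
           for s in root.iter("service")):
        findings["accessibility service"] = [ACCESSIBILITY_PERM]
    # Accessibility, overlay and notification control together form the
    # behaviour profile described above; each alone has many benign uses.
    profile = {"accessibility service", "overlay (input capture)",
               "notification muting"}.issubset(findings)
    return {"package": root.get("package"), "findings": findings,
            "bankbot_like_profile": profile}


# Constructed sample manifest (not a real malware sample) declaring the profile.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.ACCESS_NOTIFICATION_POLICY"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

print(triage_manifest(SAMPLE_MANIFEST))
```

The check is a triage signal for app vetting or MDM review, not a verdict: legitimate accessibility and screen-reader apps declare the same service, so flagged packages still need manual analysis.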
Kill Chain Progression
Initial Compromise
Description
User was tricked into installing a malicious Android application masquerading as a legitimate app, resulting in code execution on the device.
Related CVEs
CVE-2023-20963
CVSS: 7.8
A vulnerability in Android's Accessibility Services allows malicious applications to gain elevated privileges, leading to unauthorized access and control over device functions.
Affected Products:
Google Android – < 14
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Masquerading
Deliver Malicious App via Authorized Store or Website
Access Sensitive Data or Credentials in Files
Input Capture
Steal Application Access Token
Modify System Notification Settings
Input Prompt (Phishing)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Users and Personnel
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Program
Control ID: 500.02
DORA (Digital Operational Resilience Act) – ICT Risk Management Framework
Control ID: Article 9
CISA ZTMM 2.0 – Deploy and Enforce Phishing-Resistant MFA
Control ID: Identity Pillar: Phishing-Resistant MFA
NIS2 Directive – Cybersecurity Risk Management and Reporting
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Android BankBot malware directly targets banking credentials and payment systems, posing critical threats to mobile banking infrastructure and customer financial data security.
Financial Services
Mobile banking malware campaigns exploit financial service applications, requiring enhanced mobile security controls and encrypted traffic monitoring for customer protection.
Telecommunications
Mobile network operators face increased security demands as Android malware spreads through app distribution channels, requiring enhanced threat detection capabilities.
Information Technology/IT
IT sectors must implement zero trust segmentation and anomaly detection systems to protect against mobile malware targeting enterprise mobile device management.
Sources
- Android Malware Mutes Alerts, Drains Crypto Wallets: https://www.darkreading.com/vulnerabilities-threats/android-malware-mutes-alerts-drains-crypto-wallets
- BankBot YNRK Is Stealing Crypto And Bank Data In Total Silence: https://dataconomy.com/2025/11/28/bankbot-ynrk-is-stealing-crypto-and-bank-data-in-total-silence/
- New Android Trojans BankBot-YNRK and DeliveryRAT Target Financial Data: https://cyberwarzone.com/2025/11/03/new-android-trojans-bankbot-ynrk-and-deliveryrat-target-financial-data/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, granular traffic visibility, and strong egress policy controls provide vital defenses against mobile malware by constraining lateral movement, monitoring outbound traffic, and detecting abnormal flows—preventing data loss and rapid exploitation across cloud-connected assets.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of new, unauthorized application or anomalous install behaviors.
Control: Zero Trust Segmentation
Mitigation: Prevents unauthorized privilege escalation from leading to broader network or app access.
Control: East-West Traffic Security
Mitigation: Lateral movement attempts are blocked or flagged by intra- and inter-workload traffic segmentation.
Control: Cloud Firewall (ACF) & Egress Security & Policy Enforcement
Mitigation: Outbound C2 communications are detected or blocked through policy-enforced filtering.
Control: Inline IPS (Suricata) & Encrypted Traffic (HPE)
Mitigation: Exfiltration attempts are observed or prevented by inline inspection and encrypted traffic policy.
Provides real-time insight into anomalous transactions and alert suppression behaviors.
Impact at a Glance
Affected Business Functions
- Mobile Banking
- Cryptocurrency Transactions
Estimated downtime: 7 days
Estimated loss: $5,000,000
Unauthorized access to sensitive financial data, including banking credentials and cryptocurrency wallet information, leading to potential identity theft and financial fraud.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to strictly limit workload and service interactions, constraining post-compromise lateral movement.
- Enforce granular egress filtering and outbound policy controls to block unauthorized data exfiltration and command & control communications.
- Deploy inline IPS and enable real-time threat detection to surface anomalous or signature-matching behaviors typical of malware-infected devices.
- Leverage comprehensive multicloud visibility and centralized policy enforcement to swiftly identify suspicious traffic and drain attempts.
- Regularly audit application permissions and enforce least-privilege principles to minimize the impact of compromised devices or user error.