Executive Summary
In November 2025, cybersecurity researchers discovered the active deployment of two advanced Android trojans, BankBot-YNRK and DeliveryRAT, targeting users across multiple financial and delivery service platforms. The trojans infiltrated devices primarily through deceptive apps and phishing schemes, with BankBot-YNRK leveraging anti-analysis techniques to evade detection by testing for emulated and virtualized environments before unleashing its data theft capabilities. DeliveryRAT, meanwhile, provided attackers with remote access for layered exploitation. Both malware families are capable of harvesting sensitive personal and financial data, making banking credentials and payment details accessible to threat actors, potentially leading to significant financial losses and privacy violations for affected users and organizations.
This incident highlights the evolving sophistication of Android-targeted infostealers, which increasingly combine stealth, anti-analysis, and remote access tactics. The attack underscores the urgent need for organizations and end-users to enhance mobile threat defenses and rapidly adapt to emerging malware targeting the growing mobile financial ecosystem.
Why This Matters Now
Mobile banking and delivery apps are central to consumer and business operations, making infostealer trojans like BankBot-YNRK and DeliveryRAT a high-impact threat. Their proliferation signals a surge in targeted attacks leveraging new obfuscation and evasion techniques, requiring up-to-date security controls, continual monitoring, and user education to mitigate heightened risk across digital finance.
Attack Path Analysis
The attack began with the malicious BankBot-YNRK and DeliveryRAT Android trojans gaining initial access to mobile devices via social engineering or phishing. Once installed, the malware evaded automated analysis and explored device permissions to escalate privilege. The malware then attempted lateral movement to access additional sensitive data or communicate with other apps and processes. Command and control was established via encrypted or obfuscated outbound traffic to attacker-controlled servers. Exfiltration was performed by stealthily transferring harvested financial data and credentials over the network. The final impact included theft of sensitive financial information, leading to potential fraud and monetary loss.
Kill Chain Progression
Initial Compromise
Description
Users were tricked into installing malicious APKs containing the BankBot-YNRK or DeliveryRAT trojans, granting the attacker a foothold on the device.
MITRE ATT&CK® Techniques
Collect Credentials: Credentials from Password Stores
Input Capture
Access Sensitive Data or Credentials in Files
Download, Install, or Patch Applications
Exfiltration Over C2 Channel
Debugger Evasion
Subvert Trust Controls
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – User Identification and Authentication
Control ID: 8.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
NIS2 Directive – Incident Detection and Response
Control ID: Art. 21(2)d
CISA ZTMM 2.0 – Malware Prevention and Detection
Control ID: Device Security 2.DS-2
DORA – ICT Risk Management Framework
Control ID: Art. 9(2)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Banking/Mortgage
Android trojans BankBot-YNRK and DeliveryRAT directly target financial data, creating severe risks for mobile banking applications and customer financial information theft.
Financial Services
Infostealer malware threatens encrypted traffic and east-west security controls, compromising PCI compliance and enabling unauthorized access to sensitive financial transactions.
Telecommunications
Mobile network operators face infrastructure risks as Android trojans exploit device vulnerabilities, requiring enhanced threat detection and zero trust segmentation capabilities.
Information Technology/IT
IT sectors managing mobile device security must implement inline IPS and anomaly detection to prevent lateral movement and data exfiltration attacks.
Sources
- Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data (https://thehackernews.com/2025/11/researchers-uncover-bankbot-ynrk-and.html)
- New Android Trojans BankBot-YNRK and DeliveryRAT Target Financial Data (https://cyberwarzone.com/2025/11/03/new-android-trojans-bankbot-ynrk-and-deliveryrat-target-financial-data/)
- BankBot YNRK Is Stealing Crypto And Bank Data In Total Silence (https://dataconomy.com/2025/11/28/bankbot-ynrk-is-stealing-crypto-and-bank-data-in-total-silence/)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Applying Zero Trust segmentation, egress policy enforcement, network encryption, threat detection, and traffic visibility would have limited the malware's movement, discovered anomalous traffic patterns, and blocked outbound exfiltration of sensitive data. CNSF controls focused on least-privilege, east-west isolation, and policy-driven egress filtering constrain the attack’s ability to achieve its objectives on cloud-connected endpoints.
Control: Threat Detection & Anomaly Response
Mitigation: Rapid detection and alert of suspicious app behavior within network flows.
Control: Zero Trust Segmentation
Mitigation: Contains malware spread from the initial app context to other device or cloud resources.
Control: East-West Traffic Security
Mitigation: Blocks unauthorized lateral communication and detects suspect workload-to-workload movement.
Control: Cloud Firewall (ACF)
Mitigation: Inbound and outbound C2 channels are blocked or detected based on threat intelligence and policy.
Control: Egress Security & Policy Enforcement
Mitigation: Outbound data transfers to unauthorized endpoints are blocked or flagged.
Provides real-time visibility into anomalous access and data movements enabling faster containment.
Impact at a Glance
Affected Business Functions
- Mobile Banking
- Cryptocurrency Transactions
- Personal Data Management
Estimated downtime: 7 days
Estimated loss: $5,000,000
The malware targets sensitive financial data, including banking credentials and cryptocurrency wallet information, leading to unauthorized transactions and potential identity theft.
Recommended Actions
Key Takeaways & Next Steps
- Deploy east-west traffic controls and microsegmentation to prevent internal malware propagation.
- Enforce granular egress filtering to block unsanctioned outbound connections and data exfiltration attempts.
- Implement real-time anomaly detection and baselining to rapidly flag unusual network and application behaviors.
- Enhance visibility across cloud and hybrid networks using centralized policy observability tools.
- Regularly audit application permissions and apply least-privilege identity-based access throughout the environment.