Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data
Briefly

"According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking whether it's running within a virtualized or emulated environment, and then extracting device details such as the manufacturer and model name to ascertain if it's being executed on a real device. BankBot-YNRK also checks if the device is manufactured by Oppo, or is running on ColorOS, a version of the Android operating system that's used on devices made by the Chinese original equipment manufacturer (OEM)."
"'The malware also includes logic to identify specific devices,' CYFIRMA said. 'It verifies whether the device is a Google Pixel or a Samsung device and checks if its model is included in a predefined list of recognized or supported models. This allows the malware to apply device-specific functionality or optimizations only on targeted devices while avoiding execution on unrecognized models.'"
"The names of the APK packages distributing the malware are listed below. All three apps go by the name "IdentitasKependudukanDigital.apk," which likely appears to be an attempt to impersonate a legitimate Indonesian government app called "Identitas Kependudukan Digital."

- com.westpacb4a.payqingynrk1b4a
- com.westpacf78.payqingynrk1f78
- com.westpac91a.payqingynrk191a

Once installed, the malicious apps are designed to harvest device information and set the volume of various audio streams, such as music, ringtone, and notifications, to zero to prevent the affected victim from being alerted to incoming calls, messages, and other in-app notifications."
BankBot-YNRK performs environment checks to detect virtualization or emulation and reads device details such as manufacturer and model to confirm it is executing on a real device. The malware specifically checks for Oppo devices and ColorOS, and verifies whether the device is a Google Pixel or a Samsung model included in a predefined list before enabling device-specific functionality. The trojan sets the volume of the music, ringtone, and notification audio streams to zero to suppress user alerts. The APKs impersonate an Indonesian government app by using the file name IdentitasKependudukanDigital.apk and package names such as com.westpacb4a.payqingynrk1b4a. The malware establishes communication with ping.ynrkone[.]top and awaits commands such as OPEN_ACCESSIBILITY.
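As an added example (not part of the original report or CYFIRMA's tooling), the script below turns the behaviours and indicators summarized above into a static triage check over the string constants of an APK (the dex string table, or `strings` run over the unpacked archive). The package names, C2 host and command name come from the article; the mapping of the described behaviours to standard Android identifiers (android.os.Build fields, AudioManager stream constants, the accessibility-service permission) and the emulator fingerprint strings are assumptions of this example, and the sample string lists are constructed, not taken from a real sample.

```python
"""Static triage of APK string constants against the BankBot-YNRK behaviours
and indicators described in the article. Added example; sample inputs at the
bottom are CONSTRUCTED, not extracted from a real sample."""
import re
from collections import defaultdict

# Indicators copied from the article: distributed package names, the C2 host
# (defanged on the page as ping.ynrkone[.]top) and the observed command name.
KNOWN_PACKAGES = {
    "com.westpacb4a.payqingynrk1b4a",
    "com.westpacf78.payqingynrk1f78",
    "com.westpac91a.payqingynrk191a",
}
KNOWN_C2_HOSTS = {"ping.ynrkone.top"}
KNOWN_COMMANDS = {"OPEN_ACCESSIBILITY"}

# Behaviour heuristics. The article describes the behaviours but not the exact
# API calls; mapping them to these standard Android identifiers and to common
# emulator fingerprint strings (goldfish, generic, qemu) is an assumption.
HEURISTICS = {
    "env_fingerprint": [
        r"Build\.(MANUFACTURER|MODEL|BRAND|HARDWARE|FINGERPRINT)",
        r"\bgoldfish\b", r"\bgeneric(_x86)?\b", r"ro\.kernel\.qemu",
    ],
    "oem_targeting": [r"\bColorOS\b", r"\b[Oo]ppo\b", r"\bPixel\b", r"\b[Ss]amsung\b"],
    "silence_alerts": [r"\bsetStreamVolume\b", r"STREAM_(MUSIC|RING|NOTIFICATION)"],
    "accessibility_abuse": [r"BIND_ACCESSIBILITY_SERVICE", r"AccessibilityService"],
}
PATTERNS = {cat: [re.compile(p) for p in pats] for cat, pats in HEURISTICS.items()}


def find_iocs(package_name, strings):
    """Exact matches against the indicators published for this family."""
    hits = []
    if package_name in KNOWN_PACKAGES:
        hits.append(("package", package_name))
    for s in strings:
        for host in KNOWN_C2_HOSTS:
            if host in s:
                hits.append(("c2_host", host))
        for cmd in KNOWN_COMMANDS:
            if cmd in s:
                hits.append(("command", cmd))
    return hits


def find_behaviours(strings):
    """Map each heuristic category to the set of strings that triggered it."""
    hits = defaultdict(set)
    for s in strings:
        for cat, pats in PATTERNS.items():
            if any(p.search(s) for p in pats):
                hits[cat].add(s)
    return dict(hits)


def triage(package_name, strings):
    """Combine both views. Any single behaviour (reading Build.MODEL, calling
    setStreamVolume) is common in benign apps, so the verdict is driven by an
    IoC match or by the co-occurrence of several categories, which is what
    makes the BankBot-YNRK pattern distinctive."""
    iocs = find_iocs(package_name, strings)
    behaviours = find_behaviours(strings)
    if iocs:
        verdict = "known_bankbot_ynrk"
    elif len(behaviours) >= 3:
        verdict = "suspicious"
    elif behaviours:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "iocs": iocs, "behaviours": behaviours}


# Constructed sample inputs (not from a real APK).
MALICIOUS_STRINGS = [
    "Build.MANUFACTURER", "Build.MODEL", "goldfish", "ColorOS", "Pixel 7",
    "setStreamVolume", "STREAM_RING", "STREAM_NOTIFICATION",
    "android.permission.BIND_ACCESSIBILITY_SERVICE",
    "https://ping.ynrkone.top/api", "OPEN_ACCESSIBILITY",
]
BENIGN_STRINGS = ["Build.MODEL", "setStreamVolume", "STREAM_MUSIC", "https://example.com/api"]

if __name__ == "__main__":
    for name, strs in (("com.westpacb4a.payqingynrk1b4a", MALICIOUS_STRINGS),
                       ("com.example.player", BENIGN_STRINGS)):
        result = triage(name, strs)
        print(name, result["verdict"], sorted(result["behaviours"]))
```

The benign media-player strings trip two categories (a model read and a volume call) and land on "review" rather than "suspicious"; the threshold of three co-occurring categories is a tunable starting point, and an exact package or C2 match short-circuits the heuristics regardless of how many behaviours are seen.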
Read at The Hacker News