Android Banking Trojans and Financial Malware Targeting User Data and Payments
Multiple new Android malware campaigns have been identified targeting users' financial data and payment methods. Researchers uncovered advanced banking trojans such as BankBot-YNRK and DeliveryRAT, which harvest sensitive information from compromised devices and employ sophisticated evasion techniques, including emulator detection and device-specific targeting. These trojans often masquerade as legitimate apps, such as Indonesia's digital ID application, and can mute device notifications to avoid detection by victims. In addition, a next-generation Android banking trojan has been observed hiding within digital ID apps, automating the theft of cryptocurrency wallets and evading analysis environments.
A separate large-scale scam involves over 760 malicious Android apps exploiting NFC and HCE technologies to steal payment card data globally. These apps facilitate unauthorized transactions by leveraging contactless payment features. The surge in Android-targeted financial malware highlights the growing risk to users' banking credentials, payment cards, and cryptocurrency assets, with attackers employing increasingly sophisticated methods to bypass security controls and evade user awareness.
Sources
Related Stories
Android Banking Trojan Masquerades as News and ID Apps to Steal Credentials and Crypto
A sophisticated Android banking Trojan, identified as Android/BankBot-YNRK, has been discovered targeting users primarily in Indonesia and potentially other Southeast Asian countries. The malware disguises itself as legitimate applications, including news readers and digital ID apps such as "Identitas Kependudukan Digital," to trick users into installation. Once installed, it leverages Android's accessibility features and device administrator privileges to gain extensive control over the device, allowing it to read on-screen content, simulate user actions, and overlay fake login screens on top of real banking and cryptocurrency apps to harvest credentials. The Trojan employs advanced evasion techniques, such as checking for emulators to avoid detection, obfuscating its code, and muting device notifications to operate stealthily. It connects to a remote command-and-control server to exfiltrate sensitive data, including banking credentials and cryptocurrency wallet keys, and can receive further instructions to update itself or erase traces. The malware's primary objective is financial theft, enabling attackers to drain victims' bank accounts and crypto wallets without their knowledge. Security researchers note that the malware's abuse of accessibility permissions is mitigated in Android 14, which requires explicit user approval for such access, but devices running Android 13 and earlier remain vulnerable.
4 months agoAndroid Malware Campaigns Targeting Indian Users and Banking Apps
Researchers have identified new Android malware campaigns targeting users in India, with a focus on financial fraud and surveillance. The NexusRoute remote access trojan (RAT) was discovered impersonating the Indian e-Challan app and leveraging GitHub for distribution, enabling attackers to conduct UPI fraud and monitor victims' activities. In a separate but related campaign, the FvncBot Android banking trojan masquerades as a legitimate banking-security application, exploiting accessibility and VNC features to capture keystrokes, stream device screens, and inject fraudulent transactions directly from compromised devices. Both malware strains are notable for their ability to operate within genuine banking apps, allowing them to bypass traditional security checks and evade detection. These campaigns highlight the increasing sophistication of mobile threats in India, particularly those targeting financial transactions and personal data. Security experts recommend minimizing app permissions, sourcing apps only from trusted platforms, and implementing real-time behavioral monitoring to mitigate the risks posed by such advanced mobile malware.
3 months agoEmergence of Advanced Android Malware Targeting App Stores and Banking Credentials
A new wave of Android malware is leveraging sophisticated techniques to evade detection and compromise user devices. The Cellik malware-as-a-service (MaaS) platform enables cybercriminals to create trojanized versions of legitimate Google Play Store apps, embedding malicious payloads while preserving the original app's interface and functionality. This approach allows attackers to bypass security controls such as Play Protect and remain undetected for extended periods. Cellik offers features including real-time screen streaming, notification interception, filesystem browsing, data exfiltration, and a hidden browser mode for session hijacking, all managed through an encrypted command-and-control channel. In parallel, other Android malware campaigns such as NexusRoute and FvncBot are targeting users by impersonating trusted government and banking applications. NexusRoute focuses on Indian citizens by distributing fake mParivahan and e-Challan apps through phishing sites and GitHub repositories, enabling credential theft, device surveillance, and unauthorized financial transactions. FvncBot, meanwhile, disguises itself as a banking-security app and exploits accessibility and VNC features to capture keystrokes, stream screens, and inject fraudulent transactions within genuine banking apps. These developments highlight the increasing sophistication and commercial availability of Android malware, posing significant risks to mobile users and financial institutions alike.
3 months ago