Android Banking Trojans and Financial Malware Targeting User Data and Payments
Multiple new Android malware campaigns have been identified targeting users' financial data and payment methods. Researchers uncovered advanced banking trojans such as BankBot-YNRK and DeliveryRAT, which harvest sensitive information from compromised devices and employ sophisticated evasion techniques, including emulator detection and device-specific targeting. These trojans often masquerade as legitimate apps, such as Indonesia's digital ID application, and can mute device notifications to avoid detection by victims. In addition, a next-generation Android banking trojan has been observed hiding within digital ID apps, automating the theft of cryptocurrency wallets and evading analysis environments.
A separate large-scale scam involves over 760 malicious Android apps exploiting NFC and HCE technologies to steal payment card data globally. These apps facilitate unauthorized transactions by leveraging contactless payment features. The surge in Android-targeted financial malware highlights the growing risk to users' banking credentials, payment cards, and cryptocurrency assets, with attackers employing increasingly sophisticated methods to bypass security controls and evade user awareness.
Timeline
Nov 3, 2025
BankBot-YNRK and DeliveryRAT Android trojans are publicly detailed
Researchers disclosed technical findings on the Android malware families BankBot-YNRK and DeliveryRAT, describing their use in stealing financial information from victims. The public reporting of the discovery appeared on 2025-11-03.
Nov 3, 2025
Researchers disclose Android banking trojan hidden in digital ID app
Researchers revealed a next-generation Android banking trojan distributed through a fake or trojanized digital ID application, with capabilities including automated cryptocurrency wallet theft and emulator evasion. The disclosure was reported publicly on 2025-11-03.
Nov 3, 2025
Researchers uncover large-scale Android NFC card-theft campaign
Security researchers reported a global financial fraud operation using more than 760 Android applications that abuse NFC and Host Card Emulation features to steal payment card data. The campaign was publicly disclosed in reporting published on 2025-11-03.
See the full picture in Mallory
Mallory subscribers get deeper analysis on every story, including:
Who’s affected and how
Deep-dive technical analysis
Actionable next steps for your team
IPs, domains, hashes, and more
Ask questions and take action on every story
Filter by topic, classification, timeframe
Get matching stories delivered automatically
Related Entities
Sources
Related Stories
Android Banking Trojan Masquerades as News and ID Apps to Steal Credentials and Crypto
A sophisticated Android banking Trojan, identified as Android/BankBot-YNRK, has been discovered targeting users primarily in Indonesia and potentially other Southeast Asian countries. The malware disguises itself as legitimate applications, including news readers and digital ID apps such as "Identitas Kependudukan Digital," to trick users into installation. Once installed, it leverages Android's accessibility features and device administrator privileges to gain extensive control over the device, allowing it to read on-screen content, simulate user actions, and overlay fake login screens on top of real banking and cryptocurrency apps to harvest credentials. The Trojan employs advanced evasion techniques, such as checking for emulators to avoid detection, obfuscating its code, and muting device notifications to operate stealthily. It connects to a remote command-and-control server to exfiltrate sensitive data, including banking credentials and cryptocurrency wallet keys, and can receive further instructions to update itself or erase traces. The malware's primary objective is financial theft, enabling attackers to drain victims' bank accounts and crypto wallets without their knowledge. Security researchers note that the malware's abuse of accessibility permissions is mitigated in Android 14, which requires explicit user approval for such access, but devices running Android 13 and earlier remain vulnerable.
1 months ago
Android Malware Campaigns Targeting Indian Users and Banking Apps
Researchers have identified new Android malware campaigns targeting users in India, with a focus on financial fraud and surveillance. The NexusRoute remote access trojan (RAT) was discovered impersonating the Indian e-Challan app and leveraging GitHub for distribution, enabling attackers to conduct UPI fraud and monitor victims' activities. In a separate but related campaign, the FvncBot Android banking trojan masquerades as a legitimate banking-security application, exploiting accessibility and VNC features to capture keystrokes, stream device screens, and inject fraudulent transactions directly from compromised devices. Both malware strains are notable for their ability to operate within genuine banking apps, allowing them to bypass traditional security checks and evade detection. These campaigns highlight the increasing sophistication of mobile threats in India, particularly those targeting financial transactions and personal data. Security experts recommend minimizing app permissions, sourcing apps only from trusted platforms, and implementing real-time behavioral monitoring to mitigate the risks posed by such advanced mobile malware.
1 months ago
Android Banking Trojans Spread via Fake Document Reader and KYC Apps
Researchers reported two Android banking malware campaigns using staged droppers to evade detection and steal financial data from mobile users. Zscaler ThreatLabz said a fake **Document Reader** app on Google Play was downloaded more than 10,000 times before removal and later fetched the **Anatsa** payload from a remote server, while CYFIRMA identified **KYCShadow** being distributed through fake KYC verification apps sent over WhatsApp to bank customers in India. In both cases, the initial apps appeared legitimate, then installed secondary malicious components designed to bypass early screening and analysis. Once deployed, the malware sought high-risk permissions to hijack accounts, intercept SMS-based one-time passwords, and overlay banking apps to capture credentials. Anatsa was reported to target more than **831 financial institutions** globally, including banks and cryptocurrency platforms, using obfuscation and anti-analysis techniques, while KYCShadow collected data such as mobile numbers, Aadhaar details, ATM PINs, and card information, then used Firebase Cloud Messaging and a full-tunnel VPN for command-and-control and traffic redirection. Researchers urged users to uninstall suspicious apps and avoid software delivered through messaging platforms, and advised defenders to monitor indicators including `jsonapi[.]biz`, `jsonserv[.]biz`, and `jsonserv[.]xyz`.
4 days ago