Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

Post date: 2025-10-29
Family: Android/BankBot‑YNRK (three closely related APK variants)

Samples analyzed
1) File: IdentitasKependudukanDigital.apk | Size: 23.88 MB (25,039,234 bytes) | SHA‑256: cb25b1664a856f0c3e71a318f3e35eef8b331e047acaf8c53320439c3c23ef7c
2) File: identitaskependudukandigital.apk | Size: 23.88 MB (25,039,234 bytes) | SHA‑256: 19456fbe07ae3d5dc4a493bac27921b02fc...

🔧 Technical Details

Abuse Accessibility to bootstrap control (Android ≤ 13): Drive the user to Accessibility Settings (e.g., C2 command OPEN_ACCESSIBILITY) and enable a malicious service. Use Accessibility events/actions to automate permission dialogs, navigate UIs (click/swipe/gestures), and keep privileges across reboots. On Android 14+, this auto‑grant path is blocked; explicit user approval is needed.

Persistence via JobScheduler + Device Admin: Schedule a persisted job (e.g., JobHandlerService with ~30s backoff and network required, setPersisted(true)) and enroll as Device Admin (ACTION_ADD_DEVICE_ADMIN) to resist removal and re‑enable Accessibility after reboot.

Anti‑analysis device profiling: On startup, fingerprint environment and OEM/ROM (e.g., OPPO/Realme/ColorOS), and gate behavior by checking model→resolution maps (f192OOOO) and emulator strings, reducing exposure in s...

🤖 Agent Actions

I analyzed the CYFIRMA report on Android/BankBot‑YNRK and found several technical TTPs not yet explicitly covered in the existing “Mobile Phishing & Malicious App Distribution” page. I updated that page to include these techniques, keeping content concise and technical, and added the blog to the references.

What I added (in src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md):

  • New section: “Accessibility-driven banker TTPs: JobScheduler + Device Admin + MMI call forwarding (BankBot‑YNRK)”
    • Accessibility bootstrap on Android ≤13 with note on Android 14+ requiring explicit user approval (and internal link to the Accessibility abuse page).
    • Persistence via JobScheduler with setPersisted(true), minimum latency/backoff, and required network; concise scheduling code snippet.
    • Device Admin enrollment flow with ACTION_ADD_DEVICE_ADMIN intent snippet.
    • Silent call redirection for OTP interception via MMI/USSD (`*21*{NUMBER}#`) with a safe dialing example (Uri.encode) and CALL_PHONE caveat.
    • UI skeleton scraping approach for ATS automation: extracting bounds, class, package, viewId, text, contentDescription (compact code sketch).
    • Wallet automation note (seed phrase/balances, auto-dismiss biometrics with UI automation).
    • Masquerading via activity‑alias (swap icon/name to “Google News”) with a manifest snippet; WebView to news.google.com while running malicious flows/background overlay stall.
    • C2/traffic notes: HTTP tasking on :8181; optional WebSocket/WebRTC (Janus) control on :8989; target package list/tasking flow.
    • Anti-analysis/device profiling: Build/manufacturer/ROM/emulator checks; model→resolution gating concept; AudioManager muting for stealth (example code).
    • Focused hunting/detection heuristics for this stack (e.g., activity-alias icon swaps, MMI dialing patterns, AudioManager volume zeroing across streams, :8181/:8989 egress).

I preserved all existing content and integrated the new section before the RatOn case study for continuity. I also appended the CYFIRMA blog to the References section at the end.

Files modified:

  • src/generic-methodologies-and-resources/phishing-methodology/mobile-phishing-malicious-apps.md

Reasoning for placement:

  • The target techniques are mobile phishing/malicious application TTPs that complement existing sections (UPI WebView phish, Socket.IO smuggling, RatOn ATS). Adding a BankBot‑style section here maintains a single, consolidated repository of mobile phishing/trick delivery and banker RAT methodologies.

If you need me to extend to related Android hardening/detection pages, I can, but per instructions I kept the change to a single, most relevant file and added the reference at the end.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

📚 Repository Maintenance

  • MD files processed: 907
  • MD files fixed: 1

All .md files have been checked for proper formatting (headers, includes, etc.).
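A static triage heuristic for the hunting items listed in the comment above (activity-alias icon swaps, MMI call-forwarding strings, AudioManager muting, :8181/:8989 egress), added here as an example; it is not code from the PR, the HackTricks page or the CYFIRMA report. It assumes the APK has already been decoded (e.g. with apktool) so that the manifest XML and a dump of dex string constants are available; both sample inputs below are constructed.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"  # prefix of every android: attribute in ElementTree
# Constructed manifest modelled on the TTPs above (not taken from a real sample)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.constructed">
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <application android:label="Identitas Kependudukan Digital">
    <service android:name=".AccessService" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".AdminReceiver" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".JobHandlerService" android:permission="android.permission.BIND_JOB_SERVICE"/>
    <activity android:name=".MainActivity"/>
    <activity-alias android:name=".NewsAlias" android:targetActivity=".MainActivity" android:label="Google News" android:icon="@mipmap/ic_news"/>
  </application>
</manifest>"""
# Constructed string constants, as an analyst would dump them from classes.dex
SAMPLE_STRINGS = ["*21*", "OPEN_ACCESSIBILITY", "http://203.0.113.10:8181/task", "ws://203.0.113.10:8989/janus", "setStreamVolume"]
MMI_FORWARD_RE = re.compile(r"\*21\*")           # *21*<number># is the GSM unconditional call-forwarding code
C2_PORT_RE = re.compile(r":(8181|8989)(?:/|$)")  # tasking and WebSocket/WebRTC ports named in the report

def manifest_findings(xml_text):
    """Flag the manifest components that make up the Accessibility + Device Admin + activity-alias stack."""
    root = ET.fromstring(xml_text)
    found = []
    if any(e.get(NS + "name") == "android.permission.CALL_PHONE" for e in root.iter("uses-permission")):
        found.append("perm:CALL_PHONE")
    for tag, suffix, label in (("service", "BIND_ACCESSIBILITY_SERVICE", "accessibility_service"),
                               ("service", "BIND_JOB_SERVICE", "job_service"),
                               ("receiver", "BIND_DEVICE_ADMIN", "device_admin")):
        if any(e.get(NS + "permission", "").endswith(suffix) for e in root.iter(tag)):
            found.append(label)
    app_label = root.find("application").get(NS + "label", "")
    for alias in root.iter("activity-alias"):  # an alias with its own icon and a foreign label rebrands the app
        label = alias.get(NS + "label", "")
        if label and label != app_label and alias.get(NS + "icon"):
            found.append("alias_icon_swap:" + label)
    return found

def string_findings(strings):
    """Flag code strings tied to MMI call forwarding, hard-coded C2 ports and AudioManager muting."""
    found = set()
    for s in strings:
        if MMI_FORWARD_RE.search(s):
            found.add("mmi_call_forwarding")
        m = C2_PORT_RE.search(s)
        if m: found.add("c2_port:" + m.group(1))
        if "setStreamVolume" in s:
            found.add("audio_muting_api")
    return sorted(found)  # the combination of findings, not any single one, is the hunting signal
```

Any one of these findings is common in benign apps; treat a hit only when several co-occur, and confirm against dynamic behaviour before acting on it.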

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.cyfirma.com/research/investigation-report-android-bankbot-ynrk-mobile-banking-trojan/

Content Categories: Based on the analysis, this content was categorized under "Phishing Methodology -> Mobile Phishing Malicious Apps".

Repository Maintenance:

  • MD Files Formatting: 907 files processed (1 files fixed)

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
