
Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data

Severity: Medium
Tags: malware, android
Published: Mon Nov 03 2025 (11/03/2025, 11:14:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have shed light on two different Android trojans called BankBot-YNRK and DeliveryRAT that are capable of harvesting sensitive data from compromised devices. According to CYFIRMA, which analyzed three different samples of BankBot-YNRK, the malware incorporates features to sidestep analysis efforts by first checking whether it is running within a virtualized or emulated environment

AI-Powered Analysis

Last updated: 11/03/2025, 12:32:39 UTC

Technical Analysis

Researchers have uncovered two Android trojans, BankBot-YNRK and DeliveryRAT, designed to steal financial data from compromised devices.

BankBot-YNRK employs advanced evasion techniques: it detects virtualized or emulated environments and verifies the device manufacturer and model so that the malicious payload activates only on targeted devices, such as Google Pixel, Samsung, and Oppo devices running Android 13 or below. It masquerades as an Indonesian government app to lure victims and silences notifications to avoid detection. The malware abuses Android accessibility services to gain elevated privileges, automate UI interactions with banking and cryptocurrency wallet apps, and steal credentials and sensitive data including contacts, SMS, location, and clipboard content. It also uses Android's JobScheduler to maintain persistence after reboot and supports commands for device administration, call redirection, and file operations.

DeliveryRAT, active since mid-2024, is distributed via a malware-as-a-service model through Telegram, targeting Russian users primarily but also affecting other regions. It impersonates delivery, marketplace, and banking apps and requests notification and battery-optimization permissions; it harvests SMS and call logs and runs stealthily by hiding its icon. Some variants can launch DDoS attacks.

Additionally, a related threat involves over 760 Android apps misusing NFC to steal payment data from contactless cards, targeting institutions in Russia, Brazil, Poland, Czech Republic, and Slovakia.

Android 14's security enhancements prevent accessibility service abuse for permission escalation, limiting BankBot-YNRK's effectiveness on updated devices. These trojans represent a sophisticated threat to Android users, particularly those on older OS versions, with a focus on financial fraud and data theft.

Potential Impact

For European organizations, especially financial institutions and their customers, these trojans pose a significant threat to confidentiality and integrity of financial data. The malware's ability to steal credentials, SMS, call logs, and clipboard data can lead to unauthorized transactions, identity theft, and financial fraud. The stealth features, such as silencing notifications and hiding app icons, increase the likelihood of prolonged undetected infections, amplifying potential damage. The targeting of specific device models common in Europe, such as Samsung and Google Pixel, increases the attack surface. The NFC-based payment data theft further threatens contactless payment security, affecting banks and users in Poland, Czech Republic, and Slovakia. The persistence and automation capabilities of BankBot-YNRK enable attackers to conduct fraudulent transactions without user awareness, potentially causing financial losses and reputational damage. DeliveryRAT's distribution via Telegram and phishing campaigns can lead to widespread infections among less tech-savvy users. Overall, these threats could disrupt financial operations, erode customer trust, and impose regulatory compliance challenges under GDPR and PSD2 frameworks.

Mitigation Recommendations

European organizations should prioritize upgrading Android devices to version 14 or later to leverage enhanced security controls that block accessibility service abuse for permission escalation. Implement strict mobile device management (MDM) policies to restrict installation of apps from untrusted sources and enforce app vetting procedures. Regularly audit installed apps and permissions on corporate devices, and implement anomaly detection for unusual app behaviors such as automated UI interactions or call redirection.

Monitor network traffic for connections to suspicious domains such as "ping.ynrkone.top" and block known command-and-control servers at the perimeter. Deploy endpoint detection and response (EDR) solutions capable of identifying stealthy behaviors like notification silencing, icon hiding, and unauthorized use of accessibility services. Educate users to recognize phishing attempts and fake apps impersonating government or financial services, and to avoid granting accessibility or device administrator permissions to unknown apps.

For NFC payment security, banks should enhance transaction monitoring for anomalies and consider multi-factor authentication for contactless payments. Collaborate with mobile carriers and app stores to identify and remove malicious apps rapidly. Finally, establish incident response plans tailored to mobile threats and conduct regular security awareness training focused on mobile device risks.
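One way to operationalise the "audit installed apps and permissions" recommendation above, as an added example that is not from the article or from the analysis: a Python check over the value of the Android secure setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`), rating unapproved services higher on Android 13 or lower, where the platform does not block the accessibility-based escalation BankBot-YNRK relies on. The sample setting value, the `com.example`/`id.example` package names and the allowlist are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample of what `adb shell settings get secure enabled_accessibility_services`
# returns: a colon-separated list of "package/ServiceClass" entries (names are made up).
SAMPLE_ENABLED = (
    "com.example.talkback/com.example.talkback.TalkBackService:"
    "id.example.layanan/id.example.layanan.core.AccService"
)

# Assumed organisational allowlist of accessibility services that may be enabled.
APPROVED_SERVICES = {"com.example.talkback/com.example.talkback.TalkBackService"}


@dataclass
class Finding:
    severity: str  # "high", "medium" or "info"
    message: str


def parse_enabled_services(raw: str) -> list[str]:
    """Split the raw setting value into service components; "null" means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry.strip() for entry in raw.split(":") if entry.strip()]


def audit_device(enabled_raw: str, android_major: int, approved: set[str]) -> list[Finding]:
    """Flag accessibility services outside the allowlist; on Android 13 or lower,
    where the platform does not block accessibility-based privilege escalation
    (the path BankBot-YNRK relies on), an unapproved service is rated high."""
    findings: list[Finding] = []
    legacy = android_major <= 13
    for service in parse_enabled_services(enabled_raw):
        if service in approved:
            continue
        package = service.split("/", 1)[0]
        findings.append(Finding(
            "high" if legacy else "medium",
            f"unapproved accessibility service {service} enabled by package {package}",
        ))
    if legacy:
        findings.append(Finding("info", f"Android {android_major}: accessibility abuse not mitigated by platform; prioritise upgrade to 14"))
    return findings


if __name__ == "__main__":
    for f in audit_device(SAMPLE_ENABLED, 13, APPROVED_SERVICES):
        print(f"[{f.severity}] {f.message}")
```

Feed it the real setting value and `ro.build.version.release` from each managed device (for example via an MDM script) and route high findings to the EDR or incident queue.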


Technical Details

Article Source: https://thehackernews.com/2025/11/researchers-uncover-bankbot-ynrk-and.html (fetched 2025-11-03T12:32:07Z, 1545 words)

Threat ID: 6908a0cbe3f4acb2c35b4701

Added to database: 11/3/2025, 12:32:11 PM

Last enriched: 11/3/2025, 12:32:39 PM

Last updated: 11/3/2025, 9:56:59 PM
