BankBot-YNRK and DeliveryRAT Android trojans
Malware Activity
Summary
Hide ▲
Show ▼
Researchers uncovered BankBot-YNRK and DeliveryRAT Android trojans that steal sensitive data from compromised devices, increasing risk for mobile banking and payment users. BankBot-YNRK impersonates a legitimate app, evades analysis, and abuses accessibility services to harvest device and financial information. DeliveryRAT has been sold as malware-as-a-service since mid-2024 and is distributed through Telegram-based lures aimed at Russian Android users. Together, the families show how mobile trojans are being used to support credential theft, unauthorized actions, and broader fraud.
Related Happenings
Rokarolla Android banking trojan activity
Malware Activity
H score26
First: 16.06.2026 16:15
Last: 16.06.2026 16:15
Sources 1
About this happening:
The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Rokarolla Android banking trojan activity
Malware ActivityAbout this happening: The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/Service
H score20
First: 03.06.2026 12:02
Last: 03.06.2026 12:02
Sources 1
About this happening:
**Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/ServiceAbout this happening: **Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
BTMOB Android RAT no-code builder malware activity
Malware Activity
H score28
First: 26.05.2026 17:00
Last: 26.05.2026 17:00
Sources 1
About this happening:
**BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
BTMOB Android RAT no-code builder malware activity
Malware ActivityAbout this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...
Latest development: 29.05.2026 00:10
BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.
NGate malware trojanized HandyPay NFC-stealing variant
Malware Activity
H score34
First: 21.04.2026 12:00
Last: 21.04.2026 12:00
Sources 1
About this happening:
A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
NGate malware trojanized HandyPay NFC-stealing variant
Malware ActivityAbout this happening: A **new NGate variant** is stealing **NFC payment data** from **Android users in Brazil**, raising the risk of **unauthorized purchases** and **ATM cash withdrawals**. The malware...
Timeline
-
03.11.2025 13:14 2 articles · 8mo ago
Researchers uncover BankBot-YNRK and DeliveryRAT Android trojans
Initial DisclosureCYFIRMA described BankBot-YNRK as an Android trojan that evades emulation checks, targets specific devices, uses JobScheduler persistence, and contacts ping.ynrkone[.]top to harvest contacts, SMS messages, locations, installed apps, clipboard content, and financial data, while F6 said DeliveryRAT is an updated MaaS trojan distributed through the Telegram bot Bonvi Team and disguised as food delivery, marketplace, banking, and parcel-tracking apps for Russian Android users.
Show sources
- Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data — thehackernews.com — 03.11.2025 13:14
- Researchers Uncover BankBot-YNRK and DeliveryRAT Android Trojans Stealing Financial Data — thehackernews.com — 03.11.2025 13:14