Android Malware Mutes Alerts, Drains Crypto Wallets
Security researchers have uncovered a "highly capable" new mobile banking Trojan targeting Android users in Indonesia and possibly across other Southeast Asian countries.
Like many Android banking Trojans, the new malware leverages Android's accessibility features to enable attackers to gain complete remote control over infected devices, intercept SMS messages and steal sensitive information, including passwords, cryptocurrency keys, and other personal data. According to threat intelligence vendor Cyfirma, the malware also uses obfuscation techniques to evade detection, checks for real devices versus emulators, hides its activities from the user, and employs persistence mechanisms to remain active even after reboots.
Weaponized Digital ID
Cyfirma researchers are tracking the Trojan as "Android/BankBot-YNRK" after finding three samples hidden inside legitimate-looking versions of "Identitas Kependudukan Digital," Indonesia's digital version of a national ID card. The security vendor's analysis showed the malware primarily targeting devices running Android 13 and earlier, where it can gain the accessibility permissions required to execute its range of malicious activities.
"Until Android 13, apps could bypass permission requests through accessibility features," Cyfirma explained in a recent blog post. "However, with Android 14, this behavior is no longer possible, and users must grant permissions directly through the system interface."
Posted on: 11/4/2025 1:02:35 PM