FvncBot, disguised as a security application from mBank, is a novel Android banking trojan that specifically targets mobile banking customers in Poland. Notably, this malware was written entirely from scratch, showing no code inspiration from other leaked banking trojans. FvncBot employs multiple sophisticated features to execute financial fraud, including keylogging achieved by abusing Android’s accessibility services, performing web-inject attacks, enabling screen streaming, and utilizing Hidden Virtual Network Computing (HVNC) for remote control. The malware is also protected by a crypting service known as apk0day.
The initial malicious app acts as a loader, prompting users to install a fake “Google Play component” which, in reality, deploys the embedded FvncBot payload. This deployment uses a session-based technique to bypass accessibility restrictions on newer Android devices (version 13 and up). Upon launch, FvncBot asks for accessibility service permissions, granting it elevated privileges to register the infected device with a remote server and receive commands via the Firebase Cloud Messaging (FCM) service. Its capabilities include starting a WebSocket connection for remote device control (allowing swipes, clicks, and scrolls), exfiltrating logged accessibility events and lists of installed applications, displaying malicious overlays to capture sensitive data, and abusing the MediaProjection API to stream the screen content. The malware can also operate in a text mode to inspect screen layouts even when apps restrict screenshots.
SeedSnatcher focuses on stealing cryptocurrency wallet seed phrases and is distributed under the name “Coin,” often via Telegram. In addition to seed phrase theft, this malware can intercept incoming SMS messages to steal Two-Factor Authentication (2FA) codes, enabling account takeovers. It also captures various device data, including contacts, call logs, and files, by displaying phishing overlays. Researchers believe the operators of SeedSnatcher are either China-based or Chinese-speaking, based on Chinese language instructions found in the control panel. The malware leverages advanced evasion techniques such as dynamic class loading, stealthy WebView content injection, and integer-based command-and-control instructions. While initially requesting minimal permissions (like SMS access), it escalates privileges to access files, contacts, and call logs.
The third threat is an upgraded version of ClayRat, which researchers found has been enhanced to abuse accessibility services in addition to exploiting its default SMS permissions. This makes the updated ClayRat a more potent threat capable of recording keystrokes and the device screen. Furthermore, it can serve different overlays—such as a fake system update screen to conceal its malicious activity—and create fake interactive notifications to steal victims’ responses and data. These developments highlight the evolving tactics of threat actors who continuously refine their malware to bypass modern mobile security features and execute broader campaigns of financial and data theft.
Reference:
