Full Report
CERT Polska has analyzed an SGB-branded Android malware sample from the FvncBot campaign targeting Poland. The app installs a second-stage implant, coerces the victim into enabling accessibility, and registers the device to a backend that issues per-device credentials.
Analysis Summary
# Tool/Technique: FvncBot
## Overview
FvncBot is a multi-stage Android banking trojan and remote-control implant. The malware uses social engineering, specifically bank-themed lures (such as SGB in this variant), to trick users into installing a second-stage implant. Its primary goal is to gain full control over the device by abusing Android Accessibility Services, allowing it to record user activity, intercept data, and potentially perform unauthorized financial transactions.
## Technical Details
- **Type:** Malware Family (Banking Trojan / Remote Access Trojan)
- **Platform:** Android
- **Capabilities:** Multi-stage loading, Accessibility Service abuse, remote command execution, telemetry collection, and encrypted payload extraction.
- **First Seen:** Campaign analyzed March 2026 (Report date).
## MITRE ATT&CK Mapping
(Mobile ATT&CK matrix; each technique is tied to a behaviour described in this report.)
- **[TA0027 - Initial Access]**
  - [T1660 - Phishing] (bank-themed SGB lure leading to a sideloaded APK)
- **[TA0030 - Defense Evasion]**
  - [T1407 - Download New Code at Runtime] (`DexClassLoader` loading of second-stage code at runtime)
  - [T1406 - Obfuscated Files or Information] (RC4-like transformation of the hidden `qkcCg.jpg` asset; code stored behind `.txt`/`.jpg` extensions)
- **[TA0035 - Collection]**
  - [T1417 - Input Capture] (accessibility service used to observe user activity and on-screen data)
- **[TA0034 - Impact]**
  - [T1516 - Input Injection] (accessibility service used to act on the victim's behalf and click through security prompts)
- **[TA0037 - Command and Control]**
  - [T1437.001 - Application Layer Protocol: Web Protocols] (HTTPS for C2)
  - [T1544 - Ingress Tool Transfer] (retrieval of the second-stage implant)
## Functionality
### Core Capabilities
- **Multi-Stage Loading:** Uses an initial "loader" app to download and install a second-stage APK (`com.core.town`).
- **Persistence via Accessibility:** Coerces the victim into enabling an accessibility service presented as a "System Update" (or "Play Component"). Once granted, the service gives the implant control of the UI and lets it click through security prompts that would otherwise interrupt it.
- **Dynamic Code Execution:** Uses `DexClassLoader` to load runtime installer code from files stored with misleading extensions (for example `.txt` or `.jpg`), so the code does not look like a DEX or JAR to a casual inspection of the package.
- **Device Registration:** Automatically registers the infected device to a backend API to receive per-device credentials and instructions.
### Advanced Features
- **Payload Concealment:** The final malicious DEX is stored inside a nested asset (`qkcCg.jpg`) and transformed with an RC4-like routine; it is decrypted at runtime before being loaded.
- **Command Polling:** Periodically polls the C2 server's `/commands?status=pending` endpoint for new tasks.
- **Telemetry and Heartbeat:** Regularly posts device status and batched events to the attacker-controlled server, which lets the operator see which implants are still alive.
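The two hiding tricks above (code behind `.txt`/`.jpg` extensions, and an RC4-like transformation over the nested asset) can be triaged statically before any dynamic analysis. The following Python is an added example, not CERT Polska's tooling: it walks an APK's `assets/` directory, flags entries whose leading bytes do not fit their extension, and, when given a candidate RC4 key, checks whether the decrypted prefix starts with a DEX header. The key (`demo-key`), the sample APK and its contents are constructed for the demo; the report text does not publish FvncBot's key or the exact cipher variant, so the textbook RC4 routine here is an assumption standing in for the "RC4-like" transformation.

```python
"""Static triage of APK assets hidden behind misleading extensions.

Added example (not the report's code). Key, APK and file contents are constructed.
"""
import io
import zipfile
from typing import Optional

DEX_MAGIC = b"dex\n"  # real headers continue with a version, e.g. b"035\0"

# Expected leading bytes for extensions that droppers like to borrow.
MAGIC_BY_EXT = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); assumed stand-in for the 'RC4-like' routine."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray(len(data))
    i = j = 0
    for n, byte in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = byte ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)


def extension_mismatch(name: str, head: bytes) -> bool:
    """True when the first bytes of an entry do not fit its file extension."""
    base = name.rsplit("/", 1)[-1]
    ext = "." + base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext == ".txt":
        # A text file should not contain NULs or other control bytes.
        return any(b < 0x20 and b not in (9, 10, 13) for b in head)
    magics = MAGIC_BY_EXT.get(ext)
    if magics is None:
        return False
    return not any(head.startswith(m) for m in magics)


def scan_apk(apk_bytes: bytes, candidate_key: Optional[bytes] = None) -> list:
    """Return one finding per suspicious assets/ entry.

    plain_dex: the entry already starts with a DEX header.
    rc4_dex:   decrypting the first bytes with candidate_key yields a DEX header
               (RC4 is a stream cipher, so decrypting only a prefix is enough).
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = zf.read(info)
            if not extension_mismatch(info.filename, data[:32]):
                continue
            finding = {
                "name": info.filename,
                "size": len(data),
                "plain_dex": data.startswith(DEX_MAGIC),
                "rc4_dex": False,
            }
            if candidate_key:
                finding["rc4_dex"] = rc4(candidate_key, data[:8]).startswith(DEX_MAGIC)
            findings.append(finding)
    return findings


def build_sample_apk(key: bytes) -> bytes:
    """Constructed APK for the demo: one benign asset, two disguised payloads."""
    fake_dex = b"dex\n035\0" + b"\0" * 56  # constructed DEX-like header only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<constructed/>")
        zf.writestr("assets/logo.png", b"\x89PNG\r\n\x1a\n" + b"\0" * 16)
        zf.writestr("assets/qkcCg.jpg", rc4(key, fake_dex))  # encrypted DEX as .jpg
        zf.writestr("assets/tWyWeG.txt", fake_dex)           # plain DEX as .txt
    return buf.getvalue()


if __name__ == "__main__":
    demo_key = b"demo-key"  # assumption: the real key is not given in the report
    for finding in scan_apk(build_sample_apk(demo_key), demo_key):
        print(finding)
```

On a real sample, run `scan_apk` first without a key to get the list of mismatched assets, then retry with keys recovered from the loader's decompiled code; a `.jpg` whose prefix decrypts to `dex\n` under a candidate key is strong evidence that the key and cipher guess are right.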
## Indicators of Compromise
- **File Hashes (SHA-256):**
  - Outer Sample (`sgb.apk`): `96b47838ba48b881f4b8e007c5b8c2963db516556865695848ee252571fe5893`
  - Embedded APK (`payload_grass.apk`): `b4708b853ff64530776e8179a748b7e9469eb88491bceaffe3bf16cfe366d75a`
  - Hidden Asset (`qkcCg.jpg`): `3d980d21f116bd499bdd0b52b570cbb4ddcbf47aa2dd96b5aae43dbce51f6249`
- **File Names/Paths:**
  - `tWyWeG.txt`
  - `/data/user/0/com.junk.knock/app_tell/`
- **Network Indicators:**
  - `https://jeliornic.it[.]com`
  - `https://ruvofech.it[.]com` (hosting site)
  - `104.21.59[.]199` (C2 IP; this address lies in Cloudflare's 104.16.0.0/12 range and can be shared with unrelated sites, so the hostnames are the more durable indicator for blocking)
- **Behavioral Indicators:**
  - The application requests the "Install unknown apps" permission immediately after launch.
  - It prompts the user to enable an accessibility service under the guise of a "System Update" or "Play Component."
## Associated Threat Actors
- Specifically associated with the **FvncBot campaign** targeting Polish banking users.
## Detection Methods
- **Signature-based:** Match the package names `com.junk.knock` and `com.core.town` and the file hashes listed above.
- **Behavioral:** Flag apps that use `DexClassLoader` to load code from their own data directory (here `app_tell/`) or from assets carrying non-code extensions such as `.txt` or `.jpg`.
- **Heuristics:** Flag apps that request accessibility permissions while presenting themselves under system-sounding names such as "Android V.28.11", "System Update" or "Play Component".
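The command polling and heartbeat traffic described under Advanced Features is also a network-side detection opportunity that complements the on-device checks above. The following Python is an added example, not part of the report: it runs over constructed web-proxy log lines (ISO timestamp, client IP, method, full URL) and reports every request to the report's network indicators plus any client that polls a `/commands?status=pending` endpoint at a steady cadence. The log format, the sample lines, the `/sgb.apk` path and the 30-second interval are assumptions for the demo; the indicators are written without `[.]` defanging because the code matches real hostnames.

```python
"""Proxy-log detection for FvncBot-style C2 polling.

Added example (not the report's code). Log format and log lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlsplit

# Network indicators from the report, un-defanged so they match real hostnames.
C2_HOSTS = {"jeliornic.it.com", "ruvofech.it.com", "104.21.59.199"}
POLL_PATH = "/commands"
POLL_PARAM = "status=pending"

# Assumed log format: ISO timestamp, client IP, method, full URL.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample: one infected client (10.0.0.12) polling every 30 s,
# one benign client (10.0.0.44) hitting a look-alike path irregularly,
# and one clean client (10.0.0.7).
SAMPLE_LOG = """\
2026-03-10T09:00:00 10.0.0.12 GET https://ruvofech.it.com/sgb.apk
2026-03-10T09:01:30 10.0.0.12 GET https://jeliornic.it.com/commands?status=pending
2026-03-10T09:02:00 10.0.0.12 GET https://jeliornic.it.com/commands?status=pending
2026-03-10T09:02:30 10.0.0.12 GET https://jeliornic.it.com/commands?status=pending
2026-03-10T09:03:00 10.0.0.12 GET https://jeliornic.it.com/commands?status=pending
2026-03-10T09:03:30 10.0.0.12 GET https://jeliornic.it.com/commands?status=pending
2026-03-10T09:05:00 10.0.0.44 GET https://example.org/commands?status=pending
2026-03-10T09:11:00 10.0.0.44 GET https://example.org/commands?status=pending
2026-03-10T09:12:00 10.0.0.44 GET https://example.org/commands?status=pending
2026-03-10T09:30:00 10.0.0.44 GET https://example.org/commands?status=pending
2026-03-10T09:31:00 10.0.0.7 GET https://www.example.com/index.html
"""


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "method": method, "url": url}


def hits_indicator(url):
    """True when the URL's host is one of the report's network indicators."""
    return (urlsplit(url).hostname or "") in C2_HOSTS


def is_poll(url):
    """True for the report's task-polling endpoint, regardless of host."""
    parts = urlsplit(url)
    return parts.path == POLL_PATH and POLL_PARAM in parts.query.split("&")


def analyze(lines, min_polls=4, max_jitter=0.25):
    """Return (ioc_hits, steady_pollers).

    ioc_hits:       (client, url) for every request to a known indicator.
    steady_pollers: {(client, host): mean_gap_seconds} for clients whose
                    polling gaps have a coefficient of variation <= max_jitter,
                    i.e. a beacon-like cadence rather than human browsing.
    """
    ioc_hits = []
    polls = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if hits_indicator(rec["url"]):
            ioc_hits.append((rec["client"], rec["url"]))
        if is_poll(rec["url"]):
            polls[(rec["client"], urlsplit(rec["url"]).hostname)].append(rec["ts"])
    steady = {}
    for key, stamps in polls.items():
        if len(stamps) < min_polls:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            steady[key] = round(avg, 1)
    return ioc_hits, steady


if __name__ == "__main__":
    hits, pollers = analyze(SAMPLE_LOG.splitlines())
    for client, url in hits:
        print("IOC hit:", client, url)
    for (client, host), gap in pollers.items():
        print(f"steady polling: {client} -> {host} every {gap}s")
```

The cadence check is the part worth keeping after the listed domains rotate: it keys on the path and query the implant uses, not on the host, so a new C2 domain still surfaces as long as the polling endpoint is unchanged. Tune `min_polls` and `max_jitter` against your own proxy traffic before alerting on it.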
## Mitigation Strategies
- **Prevention:** Only install applications from the official Google Play Store.
- **Policy:** Enable Google Play Protect on all mobile devices.
- **Hardening:** Disable the "Install unknown apps" permission for all non-essential applications.
- **User Education:** Train users to recognize that legitimate banks will never ask them to install a "Play Component" or "System Update" via a manually downloaded APK, nor to enable an accessibility service for a banking app.
## Related Tools/Techniques
- **VNC/Screen Streaming:** Similar to other Android bots that use accessibility to "read" the screen or perform VNC-like remote control.
- **Droppers:** Functions similarly to the **TeaBot** or **FluBot** families in its use of multi-stage social engineering.