Full Report
Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild. The findings come from Intel 471, CYFIRMA, and Zimperium, respectively. FvncBot, which masquerades as a security app developed by mBank, targets mobile banking users in Poland. What's notable about the malware
Analysis Summary
# Tool/Technique: FvncBot
## Overview
FvncBot is a newly discovered Android malware family designed to target mobile banking users, specifically those in Poland, by masquerading as a legitimate security application developed by mBank. It is notable for being written entirely from scratch, unlike many banking Trojans inspired by leaked source code.
## Technical Details
- Type: Malware family (Android Banking Trojan)
- Platform: Android
- Capabilities: Banking fraud, keylogging, screen streaming (HVNC), web-inject attacks, data exfiltration.
- First Seen: Implied to be recent (based on the article date of Dec 08, 2025).
## MITRE ATT&CK Mapping
*Note: Since the article describes specific behaviors, mappings are inferred based on the described functionality.*
- **TA0001 - Initial Access**
  - T1438 - Data from Application Layer Protocol (Inferred via phishing/dropper distribution, though the distribution method is unknown)
- **TA0005 - Defense Evasion**
  - T1493 - Obfuscated Files or Information (Use of the apk0day crypting service)
- **TA0006 - Credential Access**
  - T1056.001 - Input Capture: Keylogging (Abusing Accessibility Services)
- **TA0008 - Lateral Movement**
  - T1462 - Remote Services (Implied via HVNC/Remote Control)
- **TA0010 - Exfiltration**
  - T1041 - Exfiltration Over C2 Channel (Exfiltrating logs, device info, and screen data)
- **TA0011 - Command and Control**
  - T1105 - Inbound Connection Functionality (Receiving commands via FCM)
## Functionality
### Core Capabilities
- **Installation & Persistence:** Functions as a payload installed via a dropper disguised as a "Google Play component" update, utilizing a session-based approach to bypass Android 13+ accessibility restrictions.
- **Accessibility Abuse:** Gains elevated privileges by coercing the user to enable Android Accessibility Services.
- **Data Theft:** Exfiltrates accessibility events, a list of installed applications, and general device information to the controller.
- **Command and Control (C2):** Registers the infected device and fetches pending commands over HTTP using the Firebase Cloud Messaging (FCM) service.
### Advanced Features
- **HVNC/Screen Streaming:** Uses the Android MediaProjection API to stream the device screen content to the remote operator.
- **Remote Control:** Establishes a WebSocket connection to remotely control the device (swipe, click, scroll navigation).
- **Web-Injects & Overlays:** Receives configurations to serve malicious overlays on top of targeted banking applications to capture sensitive data.
- **Secure Screen Bypassing:** Implements a "text mode" feature to inspect screen layout and content, even if the target application attempts to block screenshots by setting `FLAG_SECURE`.
- **Protection:** Protected by the 'apk0day' crypting service offered by Golden Crypt.
## Indicators of Compromise
- File Hashes: Not specified in the excerpt.
- File Names: Masquerades as a security app developed by mBank.
- Registry Keys: Not applicable (Android platform).
- Network Indicators:
  - C2 Endpoint: `naleymilva[.]it[.]com` (Used for sending log events)
  - Communication Protocol: HTTP (for initial registration/command fetching via FCM) and WebSocket (for remote control).
- Behavioral Indicators:
  - Prompting for Accessibility Service permissions immediately post-launch.
  - Deployment using a session-based approach specific to newer Android versions (13+).
  - Use of the Firebase Cloud Messaging (FCM) service for receiving remote commands.
## Associated Threat Actors
- Threat Actor: Not explicitly named, but Intel 471 reported the findings.
- Associated Infrastructure: Golden Crypt (provides the 'apk0day' crypting service).
## Detection Methods
- Signature-based detection: Requires known file hashes or unique binary signatures; because samples are packed by the apk0day crypting service, static signatures may not survive repacking.
- Behavioral detection: Monitoring for unauthorized requests to enable Accessibility Services, abnormal usage of the MediaProjection API, or WebSocket connections initiated by a background security app.
- YARA rules: Not specified in the excerpt.
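An added example, not code from the original report or from any of the cited vendors, showing how the behavioral indicators above could be correlated over constructed device telemetry: an Accessibility prompt right after first launch, MediaProjection capture, a WebSocket channel, and a match on the reported C2 host. The event schema, the 10-second "immediately post-launch" window and the alert threshold are assumptions.

```python
from collections import defaultdict
from urllib.parse import urlparse

# C2 host from the report, refanged for matching (page gives it defanged).
IOC_DOMAINS = {"naleymilva.it.com"}
ACCESSIBILITY_WINDOW_S = 10   # assumed "immediately post-launch" window
ALERT_THRESHOLD = 3           # assumed score needed to raise an alert

# Constructed sample telemetry: (timestamp_s, package, event, detail).
# Package names are made up for the example.
EVENTS = [
    (0,   "com.example.mbank.security", "app_launch", ""),
    (3,   "com.example.mbank.security", "accessibility_request", "BIND_ACCESSIBILITY_SERVICE"),
    (40,  "com.example.mbank.security", "media_projection_start", ""),
    (45,  "com.example.mbank.security", "net_connect", "wss://naleymilva[.]it[.]com/ctl"),
    (0,   "com.example.screenrecorder", "app_launch", ""),
    (120, "com.example.screenrecorder", "media_projection_start", ""),
    (0,   "com.example.chat", "app_launch", ""),
    (10,  "com.example.chat", "net_connect", "wss://chat.example/socket"),
]

def _host(url):
    """Refang '[.]' and return the hostname of a URL (empty if none)."""
    return urlparse(url.replace("[.]", ".")).hostname or ""

def analyze(events, ioc_domains=IOC_DOMAINS):
    """Score each package on the FvncBot-style behaviours seen in its events."""
    by_pkg = defaultdict(list)
    for ts, pkg, kind, detail in events:
        by_pkg[pkg].append((ts, kind, detail))
    results = {}
    for pkg, evs in by_pkg.items():
        evs.sort()
        score, reasons = 0, []
        launches = [ts for ts, kind, _ in evs if kind == "app_launch"]
        for ts, kind, detail in evs:
            if kind == "accessibility_request" and any(
                    0 <= ts - start <= ACCESSIBILITY_WINDOW_S for start in launches):
                score += 1; reasons.append("accessibility prompt right after launch")
            elif kind == "media_projection_start":
                score += 1; reasons.append("MediaProjection screen capture")
            elif kind == "net_connect":
                if detail.startswith(("ws://", "wss://")):
                    score += 1; reasons.append("WebSocket channel")
                if _host(detail) in ioc_domains:
                    score += 2; reasons.append("known FvncBot C2 host")
        results[pkg] = {"score": score, "reasons": reasons}
    return results

def flagged(events, ioc_domains=IOC_DOMAINS, threshold=ALERT_THRESHOLD):
    """Packages whose combined score reaches the alert threshold."""
    return sorted(p for p, r in analyze(events, ioc_domains).items() if r["score"] >= threshold)
```

A legitimate screen recorder or chat app triggers only one indicator each and stays below the threshold; the fake mBank app accumulates all four.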
## Mitigation Strategies
- **User Education:** Caution users against installing apps masquerading as official security software, especially those originating outside official app stores.
- **Accessibility Control:** Users must be alerted to the dangers of granting Accessibility Service permissions to unknown or suspicious applications.
- **Android Security:** Ensure devices are running the latest versions to benefit from newer Android security features that restrict accessibility abuse.
## Related Tools/Techniques
- Albiriox (Similar banking malware mentioned in context).
- ERMAC (Cited as a comparison point for banking Trojans, though FvncBot is not inspired by it).
- SeedSnatcher (Another new malware family detailed in the same report).
- ClayRat (An upgraded version of an existing malware family also mentioned).