Android Malware FvncBot, SeedSnatcher, and ClayRat Now Feature Enhanced Data Theft Capabilities

Cybersecurity analysts have uncovered significant updates in multiple Android threat campaigns. Two newly identified malware families, named FvncBot and SeedSnatcher, have come to light, while researchers also report an upgraded strain of ClayRat circulating in active attacks. These findings were published by Intel 471, CYFIRMA, and Zimperium.

FvncBot Targets Polish Banking Users With Advanced Fraud Features

FvncBot impersonates a security application from mBank to deceive victims in Poland. Unlike other malware derived from leaked banking trojan source code, this strain has been developed entirely from scratch.

Researchers noted that the malware delivers extensive capabilities, including keylogging via Android accessibility services, web injection, screen streaming, and hidden virtual network computing (HVNC) to perform financial fraud. The malware is shielded by apk0day, a crypting service linked to Golden Crypt.

The dropper application, once opened, prompts users to install a fake Google Play component. This process secretly deploys the malware using a session-based installation technique commonly used to bypass the accessibility restrictions introduced in Android 13 and newer versions.

Intel 471 stated that during execution, the malware sends log data to the server at naleymilva.it.com and includes a build identifier named call_pl, confirming its focus on Polish victims. The version labeled 1.0 P indicates early stage development.

Once accessibility permissions are granted, the malware connects to an external server over HTTP and registers the infected device through Firebase Cloud Messaging (FCM) to receive commands.

Capabilities Observed in FvncBot

Figure: FvncBot’s process enabling the accessibility service

The malware supports various commands, including:

• Start or stop WebSocket-based remote control
• Steal accessibility logs
• Exfiltrate installed applications
• Collect device information
• Deploy malicious overlays on targeted apps
• Capture sensitive data through full screen overlays
• Hide overlays
• Monitor accessibility status
• Log keystrokes
• Fetch pending controller commands
• Capture screen content using the MediaProjection API

FvncBot can also operate in a text mode that reads screen layouts through the accessibility service, so it still obtains on-screen content when screenshots are blocked with FLAG_SECURE.
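The hardening a banking or wallet app can apply against the accessibility-based overlay and text-mode reading described above, as an added example that is not from the original report or any of the named vendors. It assumes a hypothetical login screen (`R.layout.activity_secure_login`, `R.id.pin_field`); the Android APIs used are real and the comments note what each one does and does not block.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.os.Build
import android.os.Bundle
import android.util.Log
import android.view.View
import android.view.WindowManager
import android.view.accessibility.AccessibilityManager
import androidx.appcompat.app.AppCompatActivity

class SecureLoginActivity : AppCompatActivity() {

    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)
        // FLAG_SECURE blocks screenshots and MediaProjection capture of this window.
        // It does NOT stop an accessibility service from reading the view hierarchy text.
        window.addFlags(WindowManager.LayoutParams.FLAG_SECURE)
        setContentView(R.layout.activity_secure_login) // hypothetical layout

        val pinField: View = findViewById(R.id.pin_field) // hypothetical view id
        // Drop touches delivered while another window covers this view (overlay tapjacking).
        pinField.filterTouchesWhenObscured = true
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            // Android 14+: hide this view's content from accessibility services that are
            // not declared as accessibility tools, which is what text-mode readers rely on.
            pinField.accessibilityDataSensitive = View.ACCESSIBILITY_DATA_SENSITIVE_YES
        }
    }

    override fun onResume() {
        super.onResume()
        val suspicious = nonToolAccessibilityServices(this)
        if (suspicious.isNotEmpty()) {
            // Risk signal only: a legitimate service can also trigger it, so feed it to the
            // app's fraud scoring and warn the user rather than hard-blocking the session.
            Log.w("SecureLogin", "Non-tool accessibility services enabled: $suspicious")
        }
    }
}

/** Ids of enabled accessibility services that do not declare isAccessibilityTool. */
fun nonToolAccessibilityServices(ctx: Context): List<String> {
    val am = ctx.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        // isAccessibilityTool exists from Android 13; older releases cannot distinguish, so flag all.
        .filter { Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU || !it.isAccessibilityTool }
        .map { it.id }
}
```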

Although the exact infection method is unknown, Android banking malware commonly spreads through SMS phishing and unofficial app stores. Researchers warn that although this campaign currently targets Polish speakers, the theme may shift to other regions.

SeedSnatcher Steals Seed Phrases and SMS Codes

SeedSnatcher, distributed under the name Coin through Telegram, focuses on stealing cryptocurrency wallet seed phrases. The malware can also intercept SMS messages to steal two-factor authentication codes, gather call logs, extract contacts, capture device information, and deploy phishing overlays.

CYFIRMA assessed that the operators are likely China based or Chinese speaking, based on Chinese language instructions distributed via Telegram.

The malware evades detection using techniques such as dynamic class loading, stealthy WebView injection, and integer-based command instructions. It initially requests minimal permissions, then escalates access to files, contacts, and overlays.

ClayRat Updated With More Aggressive Spyware Features

Researchers at Zimperium zLabs have identified an enhanced version of ClayRat that incorporates accessibility service abuse and expanded SMS permissions. The malware now records screens and keystrokes, displays deceptive overlays like fake system update windows, and generates interactive notifications to steal user responses.

Figure: ClayRat’s default SMS and accessibility permission

ClayRat has been distributed via 25 phishing domains that impersonate platforms such as YouTube by advertising a fake Pro version with 4K HDR streaming. Additional dropper apps have been found mimicking Russian taxi and parking apps.

The enhancements allow attackers to achieve full device access, persistent overlays, screen recording, automated unlocking of PIN or pattern, and extended notification harvesting. According to researchers Vishnu Pratapagiri and Fernando Ortega, these new abilities make the malware significantly more dangerous compared to earlier builds where victims could still detect and remove the infection.
