Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild.
The findings come from Intel 471, CYFIRMA, and Zimperium, respectively.
FvncBot, which masquerades as a security app developed by mBank, targets mobile banking users in Poland. What’s notable about the malware is that it’s completely written from scratch and is not inspired by other Android banking trojans like ERMAC that have had their source code leaked.
The malware “implemented multiple features including keylogging by abusing Android’s accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud,” Intel 471 said.
Similar to the recently uncovered Albiriox banking malware, the malware is protected by a crypting service known as apk0day that’s offered by Golden Crypt. The malicious app acts as a loader by installing the embedded FvncBot payload.
As soon as the dropper app is launched, users are prompted to install a Google Play component to ensure the security and stability of the app, when, in reality, it leads to the deployment of the malware by making use of a session-based approach that has been adopted by other threat actors to bypass accessibility restrictions on Android devices running versions 13 and newer.
“During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot,” Intel 471 said. “The operators included a build identifier call_pl, which indicated Poland as a targeted country, and the malware version was set to 1.0-P, suggesting an early stage of development.
The malware then proceeds to ask the victim to grant it accessibility services permissions, allowing it to operate with elevated privileges and connect to an external server over HTTP to register the infected device and receive commands in return using the Firebase Cloud Messaging (FCM) service.
 |
| FvncBot’s process enabling the accessibility service |
Some of the support functions are listed below –
- Start/stop a WebSocket connection to remotely control the device and swipe, click, or scroll to navigate the device’s screen
- Exfiltrate logged accessibility events to the controller
- Exfiltrate list of installed applications
- Exfiltrate device information and bot configuration
- Receive configuration to serve malicious overlays atop targeted applications
- Show a full screen overlay to capture and exfiltrate sensitive data
- Hide an overlay
- Check accessibility services status
- Abuse accessibility services to log keystrokes
- Fetch pending commands from the controller
- Abuse Android’s MediaProjection API to stream screen content
FvncBot also facilitates what’s called a text mode to inspect the device screen layout and content even in scenarios where an app prevents screenshots from being taken by setting the FLAG_SECURE option.
It’s currently not known how FvncBot is distributed, but Android banking trojans are known to leverage SMS phishing and third-party app stores as a propagation vector.
“Android’s accessibility service is intended to aid users with disabilities, but it also can give attackers the ability to know when certain apps are launched and overwrite the screen’s display,” Intel 471 said. “Although this particular sample was configured to target Polish-speaking users, it is plausible we will observe this theme shifting to target other regions or to impersonate other Polish institutions.”
While FvncBot’s core focus is on data theft, SeedSnatcher – distributed under the name Coin through Telegram – is designed to enable the theft of cryptocurrency wallet seed phrases. It also supports the ability to intercept incoming SMS messages to steal two-factor authentication (2FA) codes for account takeovers, as well as capture device data, contacts, call logs, files, and sensitive data by displaying phishing overlays.
It’s assessed that the operators of SeedSnatcher are either China-based or Chinese-speaking based on the presence of Chinese language instructions shared via Telegram and the stealer’s control panel.
“The malware leverages advanced techniques to evade detection, including dynamic class loading, stealthy WebView content injection, and integer-based command-and-control instructions,” CYFIRMA said. “While initially requesting minimal runtime permissions such as SMS access, it later escalates privileges to access the Files manager, overlays, contacts, call logs, and more.”
The developments come as Zimperium zLabs said it discovered an improved version of ClayRat that has been updated to abuse accessibility services along with exploiting its default SMS permissions, making it a more potent threat capable of recording keystrokes and the screen, serving different overlays like a system update screen to conceal malicious activity, and creating fake interactive notifications to steal victims’ responses.
 |
| ClayRat’s default SMS and accessibility permission |
The expansion in ClayRat’s capabilities, in a nutshell, facilitates full device takeover through accessibility services abuse, automated unlocking of device PIN/password/pattern, screen recording, notification harvesting, and persistent overlays.
ClayRat has been disseminated via 25 fraudulent phishing domains that impersonate legitimate services like YouTube, advertising a Pro version for background playback and 4K HDR support. Dropper apps distributing the malware have also been found to mimic Russian taxi and parking applications.
“Together, these capabilities make ClayRat a more dangerous spyware compared to its previous version where the victim could uninstall the application or turn off the device upon detecting the infection,” researchers Vishnu Pratapagiri and Fernando Ortega said.
