Emerging Threats in Android Malware
Cybersecurity researchers have unveiled two new families of Android malware, named FvncBot and SeedSnatcher, alongside an upgraded variant of the existing ClayRat malware. These findings stem from collaborative efforts by Intel 471, CYFIRMA, and Zimperium, highlighting the evolving landscape of mobile threats.
FvncBot presents itself as a security application developed by mBank, specifically targeting mobile banking users in Poland. What sets this malware apart is its originality; it has been crafted entirely from the ground up, without drawing inspiration from previously leaked Android banking trojans such as ERMAC. According to Intel 471, FvncBot incorporates a range of features designed for financial fraud, including:
- Keylogging through Android’s accessibility services
- Web-inject attacks
- Screen streaming
- Hidden virtual network computing (HVNC)
FvncBot is packaged with a crypting service known as apk0day, provided by Golden Crypt; the resulting dropper app functions as a loader for the embedded FvncBot payload. Upon launching the dropper, users are misled into installing what appears to be a Google Play component but is actually the mechanism that deploys the malware. This staged installation circumvents the accessibility restrictions enforced on Android devices running versions 13 and above.
During its operation, FvncBot communicates with a remote server at the domain naleymilva.it.com, sending log events to track the bot’s status. The malware is identified with a build identifier call_pl, indicating its focus on Poland, and its version number, 1.0-P, suggests it is still in the early stages of development.
Once installed, FvncBot prompts the user to grant it accessibility service permissions, which lets it operate with elevated privileges. With that access, the malware connects to an external server via HTTP, registers the infected device, and receives commands through Firebase Cloud Messaging (FCM). The functionalities of FvncBot include:
- Establishing and terminating WebSocket connections for remote control
- Exfiltrating logged accessibility events
- Gathering information about installed applications
- Collecting device data and bot configuration
- Delivering malicious overlays on targeted applications
- Capturing sensitive data through full-screen overlays
- Checking the status of accessibility services
- Logging keystrokes
- Streaming screen content using Android’s MediaProjection API
FvncBot also features a text mode that lets it read the device’s screen layout through accessibility events, even when apps block screenshots and screen capture with the FLAG_SECURE window flag. While the distribution method for FvncBot remains unclear, Android banking trojans are commonly spread through SMS phishing and third-party app stores.
In contrast, SeedSnatcher, distributed via Telegram under the guise of a cryptocurrency wallet app called Coin, focuses on stealing cryptocurrency wallet seed phrases. This malware is capable of intercepting incoming SMS messages to capture two-factor authentication (2FA) codes, facilitating account takeovers, and of gathering sensitive device information, contacts, call logs, and files through phishing overlays. The operators of SeedSnatcher are believed to be either based in China or Chinese-speaking, as indicated by the presence of Chinese-language instructions within its control panel.
CYFIRMA noted that SeedSnatcher employs sophisticated techniques to evade detection, such as dynamic class loading and stealthy WebView content injection. Initially, it requests minimal permissions, like SMS access, but later seeks to escalate privileges to obtain file manager access, overlay permissions, and more.
Meanwhile, Zimperium zLabs has identified an enhanced version of ClayRat, which now abuses accessibility services and default SMS app permissions, making it a more formidable threat. This upgraded variant is capable of recording keystrokes, capturing screen content, and presenting deceptive overlays that mimic system notifications to obscure its malicious activities. ClayRat has been distributed through 25 fraudulent phishing domains that impersonate legitimate services, including YouTube, and has been found in dropper apps posing as Russian taxi and parking applications.
Researchers Vishnu Pratapagiri and Fernando Ortega emphasized that the expanded capabilities of ClayRat enable complete device takeovers through the abuse of accessibility services, automated unlocking of device security, and persistent overlays, making it a significantly more dangerous spyware compared to its earlier iteration.
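The three families above share two device-side footprints that a defender can check for directly: an accessibility service enabled for a package nobody recognises (FvncBot and ClayRat), and a package that has also taken over the default SMS handler role (ClayRat, and SeedSnatcher's SMS interception). The following Python script is an added triage example, not tooling from Intel 471, CYFIRMA or Zimperium. It parses the colon-separated value of the `enabled_accessibility_services` secure setting and the `sms_default_application` setting as `adb shell settings get secure ...` prints them, compares them against a constructed allowlist, and additionally flags any app whose label claims to be "Google Play" without being one of Google's own Play packages (`com.android.vending`, `com.google.android.gms`), since FvncBot's dropper poses as a Google Play component. All package names, labels and allowlists in the sample are constructed placeholders, not indicators from the report.

```python
import re
from dataclasses import dataclass

# Constructed sample values in the shape returned by
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure sms_default_application
# Package names below are placeholders, not indicators from the report.
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playcomponent/com.example.playcomponent.A11yService"
)
SAMPLE_DEFAULT_SMS = "com.example.playcomponent"
# Constructed (package, user-visible label) pairs as a device inventory would list them.
SAMPLE_APPS = [
    ("com.android.vending", "Google Play Store"),
    ("com.google.android.gms", "Google Play services"),
    ("com.example.playcomponent", "Google Play Component"),
    ("com.example.notes", "Notes"),
]

# Expected-state allowlists for a managed fleet (constructed; tune per environment).
KNOWN_A11Y_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
KNOWN_SMS_APPS = {"com.google.android.apps.messaging", "com.samsung.android.messaging"}
# Google's own packages that legitimately carry a "Google Play" label.
GOOGLE_PLAY_PACKAGES = {"com.android.vending", "com.google.android.gms"}


@dataclass(frozen=True)
class Finding:
    kind: str      # accessibility | sms | combined | impersonation
    package: str
    detail: str


def parse_enabled_services(value: str) -> list[str]:
    """The setting is a colon-separated list of 'package/ServiceClass'; 'null' means none enabled."""
    if value is None or value.strip() in ("", "null"):
        return []
    return [entry.strip() for entry in value.split(":") if entry.strip()]


def package_of(component: str) -> str:
    """Strip the service class from a 'package/ServiceClass' component name."""
    return component.split("/", 1)[0]


def triage(a11y_value: str, default_sms: str, apps: list[tuple[str, str]]) -> list[Finding]:
    """Return findings for unknown accessibility services, an unapproved SMS handler,
    a single package holding both roles, and apps impersonating Google Play."""
    findings: list[Finding] = []
    unknown_a11y_pkgs: set[str] = set()

    for svc in parse_enabled_services(a11y_value):
        if svc not in KNOWN_A11Y_SERVICES:
            pkg = package_of(svc)
            unknown_a11y_pkgs.add(pkg)
            findings.append(Finding("accessibility", pkg,
                                    f"unrecognised accessibility service enabled: {svc}"))

    if default_sms and default_sms not in KNOWN_SMS_APPS:
        findings.append(Finding("sms", default_sms,
                                "default SMS handler is not an approved messaging app"))

    # The accessibility + default-SMS combination is the footprint described for ClayRat.
    if default_sms in unknown_a11y_pkgs:
        findings.append(Finding("combined", default_sms,
                                "one package holds both the accessibility and default-SMS roles"))

    # A "Google Play" label on a package that is not Google's matches the FvncBot dropper lure.
    for pkg, label in apps:
        if re.search(r"google\s*play", label, re.IGNORECASE) and pkg not in GOOGLE_PLAY_PACKAGES:
            findings.append(Finding("impersonation", pkg,
                                    f"label {label!r} claims Google Play but package is not Google's"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_A11Y, SAMPLE_DEFAULT_SMS, SAMPLE_APPS):
        print(f"[{f.kind}] {f.package}: {f.detail}")
```

The allowlists are deliberately strict: on a managed fleet the set of accessibility services that should be enabled is small and knowable, so anything outside it is worth a human look, and the "combined" finding is the one to escalate first because it matches the role abuse the ClayRat analysis describes.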