Emerging Android Banking Trojan Utilizes Hidden VNC for Full Device Control

A newly identified Android banking trojan has surfaced, combining traditional overlay attacks with a concealed Virtual Network Computing (VNC) server to achieve comprehensive remote control over infected devices. First detected in late September 2025, this malware is disseminated through SMS-based phishing campaigns that entice users into installing a counterfeit security application.

Infection Mechanism

The attack initiates when a user receives an SMS message containing a link to download a malicious APK named BankGuard.apk. Upon installation, the application prompts the user to grant Accessibility Service and Device Administrator privileges, under the pretense of enhancing device security. These permissions enable the malware to intercept user inputs, capture screen content, and overlay fraudulent login pages on legitimate banking applications.

Simultaneously, the trojan activates a hidden VNC server that operates without the user’s knowledge. This server exposes a framebuffer, allowing attackers to remotely view and interact with the device in real time. Consequently, cybercriminals can navigate the device interface, access sensitive information, and perform unauthorized transactions as if they were physically handling the device.

Advanced Evasion Techniques

To maintain persistence and evade detection, the malware employs several sophisticated strategies:

– Persistence Mechanisms: The trojan registers a broadcast receiver for the BOOT_COMPLETED event, ensuring the VNC service restarts upon device reboot. It also monitors screen state changes through the Accessibility Service to remain active during user interactions.

– Disabling Security Measures: By exploiting hidden system APIs, the malware disables Google Play Protect, preventing security updates or scans that could identify and remove the malicious application.

– Concealment Tactics: The trojan hides its application icon and masquerades under system-level names, making manual detection and removal challenging for users.
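The three manifest-level traits described above (a BOOT_COMPLETED receiver for persistence, components that bind the Accessibility Service and Device Administrator APIs, and no launcher entry for the hidden icon) can be checked mechanically during APK triage. The following is an added example, not code from the article or from any real sample; the package name, component names and the sample manifest are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

def A(attr: str) -> str:
    """Qualify an attribute name with the android: namespace as ElementTree sees it."""
    return f"{{{ANDROID_NS}}}{attr}"

# Indicators drawn from the article's description of the trojan.
BOOT_ACTION = "android.intent.action.BOOT_COMPLETED"
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN_PERM = "android.permission.BIND_DEVICE_ADMIN"
LAUNCHER_CATEGORY = "android.intent.category.LAUNCHER"

def _filter_has(component, tag: str, name: str) -> bool:
    """True if any <intent-filter> of the component declares <tag android:name=name>."""
    return any(e.get(A("name")) == name
               for f in component.findall("intent-filter")
               for e in f.findall(tag))

def triage_manifest(xml_text: str) -> dict:
    """Return which indicators a decoded AndroidManifest.xml exhibits."""
    app = ET.fromstring(xml_text).find("application")
    receivers, services, activities = (app.findall(t) for t in ("receiver", "service", "activity"))
    return {
        "boot_receiver": any(_filter_has(r, "action", BOOT_ACTION) for r in receivers),
        "accessibility_service": any(s.get(A("permission")) == ACCESSIBILITY_PERM for s in services),
        "device_admin_receiver": any(r.get(A("permission")) == DEVICE_ADMIN_PERM for r in receivers),
        # Heuristic only: an icon can also be hidden at runtime after installation.
        "no_launcher_activity": not any(_filter_has(a, "category", LAUNCHER_CATEGORY) for a in activities),
    }

def risk_score(findings: dict) -> int:
    """Count how many indicators fired; all four together match the article's profile."""
    return sum(findings.values())

# Constructed sample manifest (hypothetical, not from any real app) showing all four indicators.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeguard">
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="System Service">
    <activity android:name=".Main"/>
    <receiver android:name=".BootReceiver">
      <intent-filter><action android:name="android.intent.action.BOOT_COMPLETED"/></intent-filter>
    </receiver>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    findings = triage_manifest(SAMPLE_MANIFEST)
    print(findings, "score:", risk_score(findings))
```

Run it against a manifest extracted with a decoder such as apktool; a score of 4 reproduces the profile described in the article, while a benign app with a launcher activity and none of the other components scores 0.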

Implications and Recommendations

The integration of a hidden VNC server into this banking trojan marks a significant escalation in mobile malware capabilities. Unlike traditional overlay attacks that rely on deceptive login screens, this approach grants attackers direct, real-time control over the device, enabling more sophisticated and damaging fraud.

To mitigate the risk of infection, users are advised to:

– Exercise Caution with SMS Links: Avoid clicking on links from unknown or untrusted sources, especially those claiming to offer security updates or urgent alerts.

– Verify Application Sources: Only download applications from official app stores and verify the legitimacy of the developer before installation.

– Review Permissions Carefully: Be cautious when applications request extensive permissions, particularly those related to Accessibility Services and Device Administration.

– Maintain Updated Security Measures: Regularly update device software and security applications to benefit from the latest protections against emerging threats.

By adopting these practices, users can enhance their defenses against sophisticated malware threats and safeguard their personal and financial information.