FvncBot: The New Android Banking Malware Threatening User Security
A new and sophisticated Android banking malware, dubbed FvncBot, was first identified on November 25, 2025. This malicious software is engineered to steal sensitive financial information by logging keystrokes, recording screens, and injecting counterfeit login pages into legitimate banking applications.
Distribution Method:
FvncBot propagates through a deceptive application masquerading as a security tool for mBank, a prominent Polish financial institution. The fraudulent app, named Klucz bezpieczeństwa mBank (Security Key mBank), functions as a loader. Upon installation and activation by the user, it clandestinely downloads and installs the primary FvncBot payload.
Evasion Techniques:
To conceal its presence and evade detection by security systems, FvncBot employs an obfuscation service known as apk0day. This technique complicates the analysis and identification of the malware, enhancing its stealth capabilities.
Unique Codebase:
Unlike many banking malware variants that repurpose code from predecessors like Ermac or Hook, FvncBot’s codebase is entirely original. This novelty suggests a significant evolution in malware development, potentially making it more challenging to detect and mitigate.
Key Features and Functionalities:
1. Keylogging: FvncBot abuses Android Accessibility Services to capture every keystroke the user enters, including passwords, Personal Identification Numbers (PINs), and One-Time Passwords (OTPs). It buffers up to 1,000 events before transmitting the data to its command-and-control (C2) servers over HTTP or WebSocket.
2. Web-Inject Attacks: The malware displays fraudulent overlay windows on legitimate banking applications, deceiving users into entering their credentials into these counterfeit interfaces. These phishing pages are dynamically received from the command server, allowing for real-time updates and adaptability.
3. Screen Streaming: FvncBot streams the device’s screen in real-time using H.264 video compression. This feature enables attackers to monitor user activities continuously, facilitating the capture of sensitive information as it is entered.
4. Hidden Virtual Network Computing (HVNC): The malware enables remote control of the infected device by creating JSON representations of the user interface elements. This capability allows attackers to navigate the device, perform swipes, clicks, and input data, effectively granting them full control over the device’s operations.
5. Remote Command Execution: Utilizing WebSocket connections and Firebase Cloud Messaging (FCM), FvncBot establishes near-real-time, bidirectional communication with its command servers. This setup facilitates the execution of remote commands and the dynamic updating of malicious payloads.
6. Device Manipulation: The malware possesses the ability to lock the device, mute audio, display black overlays, launch applications, and input arbitrary data into text fields. These manipulations can occur while the device appears inactive or locked, further deceiving the user.
7. Code Obfuscation: FvncBot’s code is obfuscated using the apk0day crypting service, operated by the entity known as GoldenCrypt. This obfuscation is designed to evade detection and complicate security analysis, enhancing the malware’s persistence.
Implications and Recommendations:
The discovery of FvncBot underscores the critical importance of downloading applications exclusively from official sources, such as the Google Play Store. Users should exercise caution regarding security updates or banking applications found on third-party websites or received via direct messages, as these are common vectors for malware distribution.
To mitigate the risk of infection, users are advised to:
– Verify App Sources: Ensure that applications are downloaded from reputable and official app stores.
– Scrutinize Permissions: Be cautious of applications requesting excessive permissions, especially access to Accessibility Services, which malware such as FvncBot abuses to read screen content and inject input.
– Maintain Updated Security Software: Regularly update antivirus and anti-malware software to detect and prevent the installation of malicious applications.
– Stay Informed: Keep abreast of emerging threats and malware campaigns to recognize and avoid potential risks.
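As an added defender-side example (not code from the original article), the Accessibility Services check above can be turned into an audit that parses two ADB queries, `settings get secure enabled_accessibility_services` and `pm list packages -3 -i`, and flags any enabled accessibility service whose package was sideloaded rather than installed from a trusted store. The device output and package names below are constructed samples, and the trusted-installer set is an assumption to adapt for enterprise app stores.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries (the real value may also be "null").
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securitykey/com.example.securitykey.AccessService:"
    "com.example.notes/com.example.notes.ReaderService"
)

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps only).
# "installer=null" means the APK was sideloaded (no store recorded it).
PM_LIST = """package:com.example.securitykey  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Assumption: Google Play is the only trusted source; add your MDM/enterprise store here.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(value: str) -> List[str]:
    """Split the settings value into package/service entries; "null" means none enabled."""
    if not value or value.strip() == "null":
        return []
    return [entry for entry in value.strip().split(":") if entry]


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Map each third-party package to the installer package that recorded it."""
    installers: Dict[str, str] = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = m.group(2)
    return installers


def flag_sideloaded_a11y(enabled: List[str], installers: Dict[str, str],
                         trusted=TRUSTED_INSTALLERS) -> List[dict]:
    """Flag accessibility services owned by third-party packages with an untrusted installer.
    Packages absent from the -3 listing are system/preinstalled and are skipped."""
    findings = []
    for entry in enabled:
        pkg = entry.split("/", 1)[0]
        if pkg not in installers:
            continue
        if installers[pkg] not in trusted:
            findings.append({"package": pkg, "service": entry, "installer": installers[pkg]})
    return findings


if __name__ == "__main__":
    for f in flag_sideloaded_a11y(parse_enabled_services(ENABLED_A11Y), parse_installers(PM_LIST)):
        print(f"SIDELOADED A11Y SERVICE: {f['service']} (installer={f['installer']})")
```

On a real device, pipe the two `adb shell` outputs into the parsers; any hit is a package worth pulling for analysis or removing before it can overlay a banking app.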
By adhering to these practices, users can significantly reduce their vulnerability to sophisticated malware like FvncBot and protect their sensitive financial information from unauthorized access.