FvncBot: The New Android Malware Exploiting Accessibility Services to Hijack Banking Credentials
A new and sophisticated Android banking malware, dubbed FvncBot, has emerged, posing a significant threat to mobile banking users, particularly in Poland. First detected on November 25, 2025, FvncBot masquerades as a legitimate security application from mBank, a prominent Polish financial institution. This deceptive approach enables the malware to infiltrate devices under the guise of enhancing security, only to compromise users’ financial information through advanced surveillance techniques.
Infection Mechanism
The attack begins when users download and install the counterfeit app named Klucz bezpieczeństwa mBank (Security Key mBank). Upon installation, the app prompts users to install an additional component, claiming it’s necessary for system stability. This step is a critical social engineering tactic designed to bypass security restrictions on modern Android devices. By obtaining these permissions, the malware ensures its persistent operation on the victim’s device.
Unique Codebase and Capabilities
Unlike many banking trojans that recycle code from previous malware, FvncBot’s codebase is entirely original. This uniqueness suggests the involvement of a new group of developers dedicated to creating this malicious software. FvncBot is equipped with several invasive features aimed at financial theft:
– Keylogging: By exploiting Android’s Accessibility Services, FvncBot captures every keystroke, including passwords, PINs, and one-time passwords (OTPs). It logs up to 1,000 events before transmitting the data to a remote server via HTTP or WebSocket.
– Web-Inject Attacks: The malware displays fake overlay windows on legitimate banking apps, tricking users into entering their credentials into these fraudulent interfaces.
– Screen Streaming: FvncBot streams the device’s screen in real-time using H.264 video compression, allowing attackers to monitor user activities continuously.
– Hidden VNC (HVNC): This feature enables remote control of the device by creating JSON representations of the user interface elements. Attackers can navigate, swipe, click, and input data, effectively controlling the device without the user’s knowledge.
– Remote Command Execution: Utilizing WebSocket connections and Firebase Cloud Messaging (FCM), FvncBot facilitates near-real-time bidirectional communication with command servers, allowing attackers to execute commands remotely.
– Device Manipulation: The malware can lock the device, mute audio, display black overlays, launch applications, and input arbitrary data into text fields, further enhancing its control over the infected device.
– Code Obfuscation: To evade detection, FvncBot employs obfuscation techniques using services like apk0day, making it challenging for security systems to identify and analyze the malware.
Exploitation of Accessibility Services
One of the most alarming aspects of FvncBot is its manipulation of Android’s Accessibility Services. After installation, the malware aggressively requests high-level privileges, guiding users to system settings to grant these permissions. Once enabled, FvncBot gains the ability to read on-screen text and monitor user interactions, including taps and gestures. This access allows the malware to harvest data from any open application, including secure banking portals. The collected information is then transmitted to a remote server, enabling attackers to exploit the data for fraudulent activities.
Recommendations for Users
To protect against such sophisticated threats, users are advised to:
– Download Apps from Official Sources: Only install applications from trusted sources like the Google Play Store. Avoid downloading apps from third-party websites or links received through unsolicited messages.
– Be Cautious of Permissions: Pay close attention to the permissions requested by applications. Be wary of apps that request extensive access, especially those related to Accessibility Services, without a clear justification.
– Keep Devices Updated: Regularly update your device’s operating system and applications to ensure you have the latest security patches.
– Use Security Software: Install reputable mobile security software to detect and prevent malware infections.
– Stay Informed: Keep abreast of the latest cybersecurity threats and trends to recognize potential risks and take appropriate precautions.
The emergence of FvncBot underscores the evolving tactics of cybercriminals and the importance of vigilance in the digital age. By adopting proactive security measures and maintaining a cautious approach to app installations and permissions, users can significantly reduce the risk of falling victim to such malicious attacks.