New Android Malware Threats: FvncBot, SeedSnatcher, and ClayRat Escalate Data Theft Tactics
- John Jordan
- 1 hour ago
- 2 min read
Cybersecurity researchers have identified a trio of evolving Android malware families – FvncBot, SeedSnatcher, and an updated ClayRat – that are significantly enhancing their data theft capabilities. These sophisticated threats pose a growing risk to mobile users, employing advanced techniques to compromise devices and steal sensitive information.
Key Takeaways
- FvncBot, a new banking trojan, targets Polish users with features like keylogging, screen streaming, and HVNC.
- SeedSnatcher focuses on stealing cryptocurrency seed phrases and intercepting two-factor authentication codes.
- An upgraded ClayRat now leverages accessibility services for full device control, screen recording, and overlay attacks.
FvncBot: A New Banking Trojan Emerges
FvncBot is a newly developed Android banking trojan that impersonates a security application from mBank, a Polish financial institution. Unlike other banking trojans, FvncBot is built entirely from scratch. It employs a range of malicious features, including keylogging through accessibility services, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC) to facilitate financial fraud.
The malware is distributed via a dropper app that prompts users to install a fake "Google Play component" to ensure app security, which in reality deploys the FvncBot payload. This method, using a session-based approach, helps bypass accessibility restrictions on newer Android versions (13 and above). FvncBot registers infected devices with a remote server and receives commands via Firebase Cloud Messaging (FCM). Its capabilities include:
- Remote device control via WebSocket connection.
- Exfiltration of accessibility events, installed applications, and device information.
- Displaying malicious overlays to capture sensitive data.
- Abusing the MediaProjection API for screen content streaming.
- Utilizing a "text mode" to capture screen content even from apps that prevent screenshots.
While the current distribution method is unknown, typical vectors for such malware include SMS phishing and third-party app stores. Researchers note that FvncBot's targeting of Polish users may expand to other regions or impersonate different institutions.
SeedSnatcher: Targeting Cryptocurrency and Credentials
SeedSnatcher, distributed via Telegram under the name "Coin," is specifically designed to steal cryptocurrency wallet seed phrases. It also intercepts SMS messages to capture two-factor authentication (2FA) codes, enabling account takeovers. The malware can also exfiltrate device data, contacts, call logs, files, and sensitive information through phishing overlays.
Evidence suggests the operators of SeedSnatcher are China-based or Chinese-speaking. The malware employs advanced evasion techniques such as dynamic class loading and stealthy WebView content injection. It initially requests minimal permissions but escalates to access files, overlays, contacts, and call logs.
ClayRat: Enhanced Spyware Capabilities
An updated version of the ClayRat malware has been discovered, significantly boosting its spyware capabilities. This new iteration abuses accessibility services and exploits default SMS permissions to achieve full device control. Its enhanced features include:
- Keystroke logging and screen recording.
- Serving deceptive overlays, such as fake system update screens.
- Creating fake interactive notifications to harvest user responses.
- Automated unlocking of device PINs, passwords, or patterns.
ClayRat is disseminated through fraudulent phishing domains impersonating legitimate services like YouTube, advertising fake "Pro" versions. Dropper apps have also been found mimicking Russian taxi and parking applications. These expanded capabilities make ClayRat a more potent threat, potentially leading to a complete device takeover.
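The FvncBot and ClayRat capability lists above share one pattern: an enabled accessibility service combined with overlay, screen-capture and SMS permissions. As an added example (not from the article or the cited researchers), the script below triages a package for that combination from constructed, simplified `adb shell dumpsys package` output and the `enabled_accessibility_services` Secure setting; the package name, service class and dumpsys excerpt are constructed samples.

```python
"""Heuristic triage of the permission combination described for FvncBot/ClayRat."""

# Requested permissions that map onto the capabilities described in the article.
# Assumption: an app needing all of these plus an accessibility service is worth a look.
RISKY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_SMS": "sms",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen-capture",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
}

# Constructed sample, approximating the 'requested permissions:' section of dumpsys output.
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fakeplaycomponent] (a1b2c3):
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.RECEIVE_SMS
      android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION
    install permissions:
      android.permission.INTERNET: granted=true
"""
# Constructed value of `settings get secure enabled_accessibility_services` (colon-separated).
SAMPLE_ENABLED = "com.example.fakeplaycomponent/.A11yService:com.android.talkback/.TalkBackService"

def requested_permissions(dumpsys_text):
    """Collect permission names listed under 'requested permissions:' until the next section."""
    perms, in_section = set(), False
    for line in dumpsys_text.splitlines():
        stripped = line.strip()
        if stripped == "requested permissions:":
            in_section = True
            continue
        if in_section:
            if not stripped or stripped.endswith(":"):  # next section header reached
                break
            perms.add(stripped.split(":")[0])  # drop trailing ': restricted=...' annotations
    return perms

def accessibility_enabled(pkg, enabled_setting):
    """True if any service of pkg appears in enabled_accessibility_services."""
    return any(e.split("/")[0] == pkg for e in enabled_setting.split(":") if e)

def triage(pkg, dumpsys_text, enabled_setting):
    """Return sorted capability flags; 'accessibility' is prepended when the service is enabled."""
    flags = sorted({RISKY[p] for p in requested_permissions(dumpsys_text) if p in RISKY})
    if accessibility_enabled(pkg, enabled_setting):
        flags.insert(0, "accessibility")
    return flags

if __name__ == "__main__":
    print(triage("com.example.fakeplaycomponent", SAMPLE_DUMPSYS, SAMPLE_ENABLED))
```

On a real device the two inputs come from `adb shell dumpsys package <pkg>` and `adb shell settings get secure enabled_accessibility_services`; the heuristic flags a combination for review, it does not by itself prove malice.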
Sources
Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features, The Hacker News.