Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features

Cybersecurity researchers have detailed two new Android malware families, FvncBot and SeedSnatcher, alongside an upgraded version of ClayRat. Findings from Intel 471, CYFIRMA, and Zimperium highlight the growing sophistication of mobile threats focused on data theft and financial fraud.

FvncBot, a banking trojan, is notably written entirely from scratch, indicating independent development. It targets mobile banking users in Poland, masquerading as an mBank security application. FvncBot leverages keylogging via Android’s accessibility services, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC) for financial fraud. The payload is protected by the apk0day crypting service, and deployment relies on a dropper app that prompts the user to install a fake “Google Play component”; the dropper uses a session-based installation approach to bypass the accessibility restrictions introduced in Android 13 and later. Log events are sent to naleymilva.it.com, with the values “call_pl” and “1.0-P” indicating early-stage Polish targeting. FvncBot requests accessibility access to gain elevated privileges, registers with its C2 over HTTP, and receives commands via Firebase Cloud Messaging (FCM). Its functions include WebSocket-based remote control; exfiltration of accessibility events, the list of installed apps, and device information; and serving malicious overlays. A “text mode” reads on-screen content even when apps set FLAG_SECURE to block screen capture.

Concurrently, SeedSnatcher, distributed as “Coin” via Telegram, targets cryptocurrency wallet seed phrases. It intercepts SMS messages to capture 2FA codes and collects device data, contacts, call logs, files, and other sensitive information through phishing overlays. Its operators are assessed to be China-based or Chinese-speaking. SeedSnatcher employs evasion techniques such as dynamic class loading, stealthy WebView content injection, and integer-encoded C2 instructions, and it initially requests only minimal SMS access before escalating its privileges.

Meanwhile, an improved ClayRat version abuses both accessibility services and the default SMS app role, enabling full device takeover, automated device unlocking, and screen recording. ClayRat is distributed via 25 fraudulent phishing domains impersonating services such as YouTube Pro and Russian taxi apps.

The aggressive abuse of Android’s accessibility services is a tactic shared by FvncBot, SeedSnatcher, and the upgraded ClayRat. These services, intended to assist users with disabilities, are weaponized to grant attackers extensive control, enabling app monitoring, screen overlays, and keystroke logging. This underscores a severe threat landscape for Android users, particularly in mobile banking and cryptocurrency. The evasion techniques, targeted deployments, and expanding capabilities of these malware families call for robust mobile security practices, vigilant monitoring for suspicious app behavior, and careful scrutiny of application permissions, especially accessibility services and the default SMS role. Ongoing vigilance from security professionals is critical to protect sensitive data and financial assets.
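As an added example (not from the original article or any of the cited vendors), the following POSIX shell script audits the two device settings these families abuse: the enabled accessibility services and the default SMS app. It parses the values that `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure sms_default_application` return and flags any package not on an allowlist; the sample values and the `com.example.*` package names are constructed placeholders, and the allowlists are assumptions to be tuned for your fleet.

```shell
#!/bin/sh
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated component names). com.example.* packages are placeholders, not real IoCs.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeplay/com.example.fakeplay.A11yService'
# Constructed sample of `adb shell settings get secure sms_default_application`.
SAMPLE_SMS='com.example.coinapp'

# Assumed allowlists: accessibility-service packages and default-SMS packages expected on a managed device.
ALLOWED_A11Y='com.google.android.marvin.talkback'
ALLOWED_SMS='com.google.android.apps.messaging com.android.messaging'

# audit_a11y SETTING_VALUE ALLOWLIST
# Prints every enabled accessibility service whose package is not allowlisted.
# Returns 1 if anything was flagged, 0 otherwise (an empty setting means nothing is enabled).
audit_a11y() {
    flagged=0
    IFS=':'
    for svc in $1; do
        pkg=${svc%%/*}                       # component "pkg/class" -> "pkg"
        case " $2 " in
            *" $pkg "*) ;;                   # expected service, ignore
            *) printf 'SUSPICIOUS accessibility service: %s\n' "$svc"; flagged=1 ;;
        esac
    done
    unset IFS
    return $flagged
}

# audit_sms PACKAGE ALLOWLIST
# Flags a default SMS handler that is not an allowlisted messaging app (SMS 2FA interception risk).
audit_sms() {
    case " $2 " in
        *" $1 "*) return 0 ;;
        *) printf 'SUSPICIOUS default SMS app: %s\n' "$1"; return 1 ;;
    esac
}

# audit_live: run both checks against a connected device (requires adb; not invoked here).
audit_live() {
    audit_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" "$ALLOWED_A11Y"
    audit_sms "$(adb shell settings get secure sms_default_application | tr -d '\r')" "$ALLOWED_SMS"
}

# Demonstrate on the constructed samples; each call prints one SUSPICIOUS line.
audit_a11y "$SAMPLE_A11Y" "$ALLOWED_A11Y" || :
audit_sms "$SAMPLE_SMS" "$ALLOWED_SMS" || :
```

A value of `null` from `settings get` means the setting is unset, so treat it as "nothing enabled" rather than as a package name.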

To read the complete article, see The Hacker News.

This post is licensed under CC BY 4.0 by the author.