
A perilous new Android banking malware titled FvncBot was first detected on November 25, 2025. This malicious software is crafted to expropriate sensitive financial data by recording keystrokes, capturing screens, and injecting counterfeit login interfaces into banking applications.

The malware initially propagates through a fraudulent application masquerading as a security tool for mBank, a well-known Polish banking institution.

[Figure: The accessibility service of the payload application]

The application, termed “Klucz bezpieczeństwa mBank” (Security Key mBank), functions as a “loader.” When a user downloads and launches this counterfeit app, it clandestinely acquires and installs the main FvncBot payload.

To obscure its operations, the malware utilizes a known obfuscation service referred to as apk0day, making detection by security systems more challenging.

[Figure: Bot debug messages]

Experts assert that FvncBot is distinct from other banking malware. Rather than reusing code from prior threats like Ermac or Hook, its code appears entirely original.

FvncBot is exceedingly sophisticated and contains numerous formidable features to defraud victims:

| Feature | Description |
|---|---|
| Keylogging | Exploits Android Accessibility Services to capture every keystroke, including passwords, PINs, and OTPs. Logs as many as 1,000 events before exfiltrating via HTTP or WebSocket. |
| Web-Inject Attacks | Shows fraudulent overlay windows on legitimate banking applications to deceive users into entering credentials. Phishing pages are received from the command server. |
| Screen Streaming | Streams device displays in real time using H.264 video compression for efficient bandwidth usage and continuous surveillance. |
| HVNC (Hidden VNC) | Facilitates remote device management by generating JSON representations of UI elements. Permits attackers to navigate, swipe, click, and input data. |
| Remote Command Execution | Utilizes a WebSocket connection and Firebase Cloud Messaging (FCM) for near-real-time bidirectional communication with command servers. |
| Device Manipulation | Capable of locking the device, silencing audio, showing black overlays, launching programs, and inputting arbitrary data into text fields. |
| Code Obfuscation | Concealed using the apk0day crypting service, managed by the GoldenCrypt actor, to evade detection and security scrutiny. |

Through the HVNC component, attackers can swipe, click, and even input text to drain bank accounts while the phone appears locked or is obscured by a black overlay.
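The loader/overlay/accessibility combination described above leaves a static footprint in an app's manifest. The following is an added triage example (not Intel471's tooling or anything from the malware itself) that parses a constructed AndroidManifest.xml and flags the permission and service mix these capabilities require; the package names and service name are invented.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Permissions that back the capabilities the article attributes to FvncBot.
PERMISSION_HINTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay windows for web-inject phishing pages",
    "android.permission.REQUEST_INSTALL_PACKAGES": "loader behaviour: can install a second-stage payload",
    "android.permission.INTERNET": "network path for HTTP/WebSocket exfiltration and C2",
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Constructed manifest imitating the loader + accessibility + overlay mix.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.securitykey">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".KeyService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed benign manifest: network access only, no service bindings.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.constructed.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""


def triage_manifest(xml_text):
    """Return a list of (indicator, explanation) pairs found in the manifest."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID + "name")
        if name in PERMISSION_HINTS:
            findings.append((name, PERMISSION_HINTS[name]))
    for svc in root.iter("service"):
        # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility
        # service: the hook used for keystroke capture and HVNC input injection.
        if svc.get(ANDROID + "permission") == ACCESSIBILITY:
            findings.append((svc.get(ANDROID + "name"), "accessibility service (keystroke capture, remote input)"))
    return findings


def risk_level(findings):
    """'high' when accessibility and overlay coexist (the banker pattern), 'medium' for one, else 'low'."""
    reasons = [reason for _, reason in findings]
    has_a11y = any("accessibility service" in r for r in reasons)
    has_overlay = any("overlay" in r for r in reasons)
    if has_a11y and has_overlay:
        return "high"
    return "medium" if (has_a11y or has_overlay) else "low"
```

The scoring treats INTERNET alone as uninteresting; the signal is the co-occurrence of an accessibility service binding with overlay and package-install rights in an app that presents itself as a bank "security key".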

The Intel471 discovery of FvncBot highlights the significance of acquiring applications solely from official sources, like the Google Play Store.

[Figure: Log data collected from an overlay]

Users must be vigilant regarding “security updates” or banking applications located on third-party sites or received through direct messages, as these are prevalent traps deployed to distribute this type of malware.
