Android Malware Fvncbot, Seedsnatcher, And Clayrat Gain Stronger...
Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild.
The findings come from Intel 471, CYFIRMA, and Zimperium, respectively.
FvncBot, which masquerades as a security app developed by mBank, targets mobile banking users in Poland. What's notable about the malware is that it's completely written from scratch and is not inspired by other Android banking trojans like ERMAC that have had their source code leaked.
The malware "implemented multiple features including keylogging by abusing Android's accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud," Intel 471 said.
Similar to the recently uncovered Albiriox banking malware, the malware is protected by a crypting service known as apk0day that's offered by Golden Crypt. The malicious app acts as a loader by installing the embedded FvncBot payload.
As soon as the dropper app is launched, users are prompted to install a Google Play component to ensure the security and stability of the app, when, in reality, it leads to the deployment of the malware by making use of a session-based approach that has been adopted by other threat actors to bypass accessibility restrictions on Android devices running versions 13 and newer.
"During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot," Intel 471 said. "The operators included a build identifier call_pl, which indicated Poland as a targeted country, and the malware version was set to 1.0-P, suggesting an early stage of development.
The malware then proceeds to ask the victim to grant it accessibility services permissions, allowing it to operate with elevated privileges and connect to an external server over HTTP to register the infected device and receive commands in return using the Firebase Cloud Messaging (FCM) service.
FvncBot also facilitates what's called a text mode to inspect the device screen layout and content even in scenarios where an app prevents screenshots from being taken by setting the FLAG_SECURE option.
It's currently not known how FvncBot is distributed, but Android banking trojans are known to leverage SMS phishing and third-party app stores as a propagation vector.
Source: The Hacker News
