Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features
Briefly

"FvncBot, which masquerades as a security app developed by mBank, targets mobile banking users in Poland. What's notable about the malware is that it's completely written from scratch and is not inspired by other Android banking trojans like ERMAC that have had their source code leaked. The malware "implemented multiple features including keylogging by abusing Android's accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud," Intel 471 said."
"As soon as the dropper app is launched, users are prompted to install a Google Play component to ensure the security and stability of the app, when, in reality, it leads to the deployment of the malware by making use of a session-based approach that has been adopted by other threat actors to bypass accessibility restrictions on Android devices running versions 13 and newer."
Two new Android malware families, FvncBot and SeedSnatcher, have been disclosed, and an upgraded ClayRat variant has been observed in the wild. FvncBot impersonates an mBank security app and specifically targets mobile banking users in Poland. The malware is newly written from scratch and includes keylogging via Android accessibility services, web-inject attacks, screen streaming and hidden VNC (HVNC) capabilities. The app is protected by a crypting service (apk0day) and acts as a loader that deploys an embedded payload. The dropper uses a session-based installation approach to bypass the accessibility restrictions on Android 13 and newer. It also sends runtime logs to a remote server, identifying targets with a build tag and an early version identifier.
Read at The Hacker News