Ethical Hacking News
Android banking malware has long been a thorn in the side of mobile device users, but recent developments have brought to light three new threats that are capable of stealing sensitive data with unprecedented ease. Read on to learn more about FvncBot, SeedSnatcher, and ClayRat, the latest Android malware families threatening data theft.
FvncBot, SeedSnatcher, and ClayRat are three new Android banking malware families that pose significant risks to mobile device users.FvncBot is a unique banking Trojan with advanced features like keylogging, web-inject attacks, and hidden virtual network computing (HVNC).SeedSnatcher is designed to steal cryptocurrency wallet seed phrases and supports intercepting incoming SMS messages for 2FA code theft.ClayRat has improved capabilities, including abuse of accessibility services, screen recording, notification harvesting, and persistent overlays.The malware families are disseminated through phishing domains and dropper apps that mimic legitimate Russian taxi and parking applications.Mobile device users need to be vigilant when installing new apps from third-party sources and stay up-to-date with the latest security patches.
Android banking malware has long been a thorn in the side of mobile device users, but recent developments in the field have brought to light three new threats that are capable of stealing sensitive data with unprecedented ease. The malware families dubbed FvncBot and SeedSnatcher, as well as the upgraded version of ClayRat, have been identified by various cybersecurity researchers as a potent combination that poses significant risks to mobile device users.
At the forefront of this new wave of Android malware is FvncBot, a banking Trojan that has been designed from scratch with multiple features in mind. According to Intel 471, the malware targets mobile banking users in Poland and implements several key features including keylogging by abusing Android's accessibility services, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC) to perform successful financial fraud. What's notable about FvncBot is that it has a completely unique source code that is not inspired by other Android banking Trojans.
The malware acts as a loader by installing the embedded FvncBot payload, and once launched, users are prompted to install a Google Play component to ensure the security and stability of the app. However, in reality, this leads to the deployment of the malware by making use of a session-based approach that has been adopted by other threat actors to bypass accessibility restrictions on Android devices running versions 13 and newer.
During the malware runtime, log events are sent to the remote server at the naleymilva.it.com domain to track the current status of the bot. The operators included a build identifier call_pl, which indicated Poland as a targeted country, and the malware version was set to 1.0-P, suggesting an early stage of development.
The core focus of FvncBot is on data theft, but another malware family dubbed SeedSnatcher has been identified by CYFIRMA as being designed to enable the theft of cryptocurrency wallet seed phrases. The stealer also supports the ability to intercept incoming SMS messages to steal two-factor authentication (2FA) codes for account takeovers, as well as capture device data, contacts, call logs, files, and sensitive data by displaying phishing overlays.
Researchers at CYFIRMA have assessed that the operators of SeedSnatcher are either China-based or Chinese-speaking based on the presence of Chinese language instructions shared via Telegram and the stealer's control panel. The malware leverages advanced techniques to evade detection, including dynamic class loading, stealthy WebView content injection, and integer-based command-and-control instructions.
Another malware family dubbed ClayRat has been identified by Zimperium zLabs as an improved version of its previous iteration. This upgraded version has been updated to abuse accessibility services along with exploiting its default SMS permissions, making it a more potent threat capable of recording keystrokes and the screen, serving different overlays like a system update screen to conceal malicious activity, and creating fake interactive notifications to steal victims' responses.
The expansion in ClayRat's capabilities facilitates full device takeover through accessibility services abuse, automated unlocking of device PIN/password/pattern, screen recording, notification harvesting, and persistent overlays. The malware has been disseminated via 25 fraudulent phishing domains that impersonate legitimate services like YouTube, advertising a Pro version for background playback and 4K HDR support.
Dropper apps distributing the malware have also been found to mimic Russian taxi and parking applications. Researchers Vishnu Pratapagiri and Fernando Ortega have noted that together, these capabilities make ClayRat a more dangerous spyware compared to its previous version where the victim could uninstall the application or turn off the device upon detecting the infection.
The discovery of FvncBot, SeedSnatcher, and ClayRat highlights the need for mobile device users to be vigilant when it comes to installing new apps from third-party sources. With the rise of Android malware, users are increasingly at risk of falling victim to cybercrime, particularly when it comes to data theft.
In light of this growing threat landscape, cybersecurity researchers have emphasized the importance of staying up-to-date with the latest security patches and taking proactive steps to protect mobile devices. By doing so, individuals can significantly reduce their chances of becoming a target for these new Android malware threats.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Android-Malware-Threatens-Data-Theft-FvncBot-SeedSnatcher-and-ClayRat-Take-Center-Stage-ehn.shtml
https://thehackernews.com/2025/12/android-malware-fvncbot-seedsnatcher.html
https://cybersecuritynews.com/fvncbot-android-banking-attacking/
https://cybersecuritynews.com/seedsnatcher-android-malware-attacking-users/
https://cybersecuritynews.com/clayrat-android-malware-steals-sms-messages/
https://zimperium.com/blog/clayrat-a-new-android-spyware-targeting-russia
Published: Mon Dec 8 05:18:36 2025 by llama3.2 3B Q4_K_M
