A Sophisticated New Threat: FvncBot Strikes Again

dark6 7 December 2025

A dangerous new banking malware called FvncBot is targeting unsuspecting users of Android devices, leveraging sophisticated techniques to steal sensitive financial information. First observed in late November 2025, this attack highlights the ever-evolving landscape of cyber threats and underscores the need for vigilance.

FvncBot’s modus operandi revolves around a deceptive tactic known as “app injection.” Instead of relying on known exploits or code repurposed from older attacks like Ermac or Hook, FvncBot boasts entirely original code. This suggests an advanced level of technical expertise and potentially indicates the attacker is aiming for long-term success in this space.

The Anatomy of a Phishing Attack:

The malware initially spreads through a fake app disguised as a security tool for mBank, a popular Polish bank. This deceptive approach preys on user trust by appearing legitimate while secretly installing the FvncBot payload. This “loader” application then launches the main malicious operation.

How FvncBot Works:

To conceal its activities, FvncBot is protected with a commercial obfuscation service called apk0day, which makes the payload harder for security products to detect. This obfuscation adds another layer of complexity and renders traditional anti-virus measures ineffective. The malware then employs several tactics to defraud victims:

  • Keylogging: FvncBot utilizes Android’s Accessibility Services to capture every keystroke entered on the device, including passwords, PINs, and OTPs. This data is then sent through HTTP or WebSocket for exfiltration.
  • Web-Inject Attacks: The malware inserts fake overlay windows on legitimate banking apps, tricking users into entering their credentials. These overlays are controlled by a command server that delivers phishing pages to the user.
  • Screen Streaming and Device Control: FvncBot streams the device screen in real time, using H.264 video compression to keep bandwidth usage low and allow continuous monitoring. It also uses HVNC (Hidden VNC) techniques to give the operator remote control of the device, allowing attackers to navigate, swipe, tap, and even enter data into text fields on the user’s phone.
  • Remote Command Execution: The malware uses a WebSocket connection and Firebase Cloud Messaging (FCM) for near-real-time bidirectional communication with command servers. This enables rapid execution of commands and facilitates constant interaction between attacker and victim.
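
The capability combination listed above translates directly into a static triage check. The following is an added example, not code from the article or from any vendor analysis: it scores a decoded AndroidManifest.xml (as produced by apktool or aapt, an assumed workflow) for an accessibility service, the draw-over-apps permission, a Firebase messaging listener and network access, using constructed sample manifests rather than real FvncBot artifacts.

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # Android attribute namespace

# Indicators matching the capabilities described above (hypothetical heuristic, not a signature).
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
INTERNET_PERM = "android.permission.INTERNET"
FCM_ACTION = "com.google.firebase.MESSAGING_EVENT"

def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml for the FvncBot-style capability combination."""
    root = ET.fromstring(manifest_xml)
    perms = {p.get(A + "name") for p in root.iter("uses-permission")}
    services = list(root.iter("service"))
    actions = {a.get(A + "name") for s in services for a in s.iter("action")}
    findings = {
        # Accessibility service: keylogging and HVNC-style input control
        "accessibility_service": any(s.get(A + "permission") == ACCESSIBILITY_BIND for s in services),
        # Draw-over-apps permission: overlay / web-inject windows on top of banking apps
        "overlay_permission": OVERLAY_PERM in perms,
        # Firebase messaging listener: push-driven command channel
        "fcm_listener": FCM_ACTION in actions,
        # Network access: HTTP/WebSocket exfiltration and C2
        "internet": INTERNET_PERM in perms,
    }
    findings["score"] = sum(findings.values())
    # Accessibility plus overlays or a push channel warrants a human look; legitimate
    # screen readers and remote-support apps hit it too, so this is triage, not a verdict.
    findings["verdict"] = ("review" if findings["accessibility_service"]
                           and (findings["overlay_permission"] or findings["fcm_listener"])
                           else "low")
    return findings

# Constructed sample manifests (not real FvncBot artifacts), in decoded text form.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <service android:name=".Push">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".Sync"/></application>
</manifest>"""
```

Run `triage_manifest` over every manifest in a sideloaded-APK quarantine and review the "review" verdicts by hand; the score is a prioritisation aid, since accessibility tooling and remote-support apps legitimately request the same combination.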

The Importance of Vigilance and Best Practices:

With these advanced features, FvncBot poses a significant threat to bank customers worldwide. It’s crucial that users remain vigilant and aware of potential attack vectors. Installing apps exclusively from official sources such as the Google Play Store is paramount. Avoid installing banking or “security” apps from third-party websites or from links sent in direct messages, since these are common malware distribution channels.
