Executive summary 2025-12-9 12:59:2 Author: www.intel471.com(查看原文) 阅读量:4 收藏
Executive summary
On Nov. 25, 2025, Intel 471 researchers observed a malicious application acting as a loader for an unattributed Android banking trojan. The application was disguised as a security app developed by mBank, one of the most recognized banks in Poland. The malware payload, dubbed FvncBot by Intel 471, implemented multiple features including keylogging by abusing Android’s accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud. While these features are common amongst today’s Android malware, this trojan is unique in that the code is completely new and is not based on source code leaks for other Android banking trojans such as Ermac or Hook.
Key takeaways
- On Nov. 25, 2025, Intel 471 researchers observed a malicious application acting as a loader of an unattributed Android banking trojan. The application was disguised as a security app of mBank, one of the most recognized banks in Poland.
- Intel 471 Malware Intelligence researchers coined the moniker FvncBot based on the malicious application package name com.fvnc.app.
- The loader application and the FvncBot payload were obfuscated with the well-known apk0day crypting service operated by the GoldenCrypt actor. The alignment of code in the loader and payload suggest the same developers may be behind both components.
- The malware payload implemented multiple features which include keylogging by abusing accessibility services, web-inject attacks, screen streaming and HVNC to perform successful financial fraud.
- The malware developers implemented the Firebase Cloud Messaging (FCM) service to dispatch commands and a WebSocket connection by abusing the Fast Reverse Proxy (FPR) tool for near-real-time, bidirectional communication — crucial especially during streaming the device screen and operating the infected device remotely.
Technical analysis
The threat actors distributed a malicious application under the guise of the “Klucz bezpieczeństwa Mbank” app (Eng. Security key Mbank) and targeted mobile banking users in Poland. The application acted as a loader by installing the FvncBot payload that is stored unencrypted in the assets. The code of both the loader and payload were obfuscated with the well-known apk0day crypting service, which GoldenCrypt operates.
Loader component
Once the loader application was launched, the user was shown information asking to install a “Play” component which ensures security and stability of the app. By clicking the green button “ZAINSTALUJ KOMPONENT” (Eng. Install component), the installation process began and the payload was executed with the click of the “AKTYWUJ” (Eng. Activate) button.
The image depicts a screenshot of the payload installation process captured Nov. 27, 2025.
Analysis of the loader app revealed the session-based package installer was leveraged to bypass accessibility restrictions for devices running Android 13 or newer. During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot. The operators included a build identifier call_pl, which indicated Poland as a targeted country, and the malware version was set to 1.0-P, suggesting an early stage of development.
The image depicts a screenshot of a function used to install a malware payload captured Nov. 27, 2025.
Payload application
The payload application asked the user to enable accessibility services to work properly, providing a step-by-step guide on how to proceed and a button directing to the system settings. If the user was tricked into elevating the malware’s privileges, it would start running in the background, and the infected device would then be registered with the command-and-control (C2) server. Ironically, upon a successful infection, the main view of the loader app is updated and states that all systems are operational and working properly.
The image depicts a screenshot of a process enabling the accessibility service of the payload application captured Nov. 27, 2025
The bot leveraged the hypertext transfer protocol (HTTP) network protocol to communicate with the control server. The payload data was stored in a JavaScript Object Notation (JSON) object and exfiltrated with no encryption. An example of an HTTP POST request sent to the /api/v1/devices/register endpoint to register a new bot is provided in the code snippet below.
{
"device_id": "device_<ID>",
"fcm_token": "<FCM_TOKEN>",
"build_id": "november1",
"device_info": {
"manufacturer": "Google",
"model": "Pixel 6",
"android_version": 28,
"app_version": "1.0-noicon",
"build_id": "november1",
"screen_width": 1440,
"screen_height": 2392
},
"optimization_stats": {
"manufacturer": "google",
"aggressiveness_score": 2,
"optimization_mode": "AUTO",
"optimization_level": "MEDIUM",
"needs_optimization": false,
"foreground_service_enabled": false,
"polling_enabled": false,
"polling_interval_ms": 0
}
}
On top of the HTTP network protocol for communication purposes, the malware developers implemented the FCM service to dispatch commands, related mainly to the bot configuration. For example, the enable_ws command could be sent by the botnet operators to establish a WebSocket connection by abusing the FPR executable contained in the payload application Android package kit (APK) file. The WebSocket connection was implemented for near-real-time, bidirectional communication — crucial especially during streaming the device screen and operating the infected device remotely.
The full list of supported commands handled with the FCM service includes:
The developers included several messages in the malware code to help them debug the behavior of the bot. Intel 471 researchers made appropriate patches in the dynamically loaded Dalvik executable (DEX) file to dump log messages and display them with the logcat tool. The image below depicts the messages related to the initialization of the WebSocket connection and keylogging events.
The image depicts a screenshot of the logcat tool output with bot debug messages captured Nov. 27, 2025.
Malware features
Keylogging
The FvncBot malware abused accessibility services to implement the keylogging feature, allowing it to silently spy on the infected user. The threat actors were able to sniff data from the text fields to capture sensitive data such as passwords or one-time password (OTP) codes. The captured events were logged in a buffer of fixed size (1,000 items) and exfiltrated in a batch with an HTTP request once the buffer limit was reached. Additionally, the bot was able to send an event log with no delay if the WebSocket connection had been established. The supported list of accessibility events captured with the keylogging module includes:
The image depicts a screenshot of a function used to log an accessibility event captured Nov. 27, 2025.
Web-inject attacks
The malware was capable of performing web-inject attacks to trick victims into providing personal or banking information. A list of targeted applications, their configurations and phishing page URLs were received from the controller and saved locally in a shared preferences file. Once an application from the list was launched, the bot created an overlay window and loaded a phishing lure from a remote location in a WebView component. A custom JavaScript interface served as a bridge to the application, allowing the bot to harvest and exfiltrate data to the controller after the victim submitted their credentials. The malware code snippet used to log the collected data is depicted in the figure below.
The image depicts a screenshot of a function used to log data collected from an overlay captured Nov. 27, 2025.
Screen streaming
Upon a specific command from the control server, the bot was capable of streaming the screen content by implementing the MediaProjection application programming interface (API). The image data was compressed with an H.264 video encoder, then each frame was properly processed to be transmitted over the network. While many Android banking trojans rely on sending joint photographic experts group (JPEG) messages for real-time streaming, the H.264 video compression standard is more efficient and features less bandwidth usage. It is clear the malware developers opted for a more complex video-encoding workflow, indicating their considerable technical expertise to achieve low-latency, continuous screen streaming.
The image depicts a screenshot of a function with H.264 encoder implementation captured Nov. 27, 2025.
Apart from the screen streaming feature, the bot featured a so-called “text mode,” commonly referred to as HVNC. This feature allowed the actors to thoroughly inspect the device screen layout and content even if the targeted application prevented taking screenshots with the FLAG_SECURE setting. By abusing accessibility services, the malware recursively created a JSON object of a user interface (UI) element with its children and transmitted data to the control server for full screen reconstruction. The following figure depicts a piece of code to capture a full device UI tree.
The image depicts a screenshot of a function implementing UI tree retrieval in “text mode” captured Nov. 27, 2025.
Remote control
The threat actors were able to remotely control the infected device by sending commands over a WebSocket connection. With support for different gesture events, such as swipe, click or scroll, the actors could easily navigate through the infected device screen. They could launch an application and enter arbitrary data into editable text fields as well as the clipboard. To cover their illicit activities, the device could be locked, muted and a black overlay displayed until the fraud was complete. A list of remote actions available to the bot operator includes:
This loader and malware combination employs many of the well-known yet successful techniques characteristic of today’s Android banking malware. The code behind it, however, is completely new, and it is not based on leaked source code from other Android trojans such as ERMAC or Hook. The distribution mechanism for this Android banking trojan is so far unknown. However, Android banking trojans have been observed being distributed outside of Google’s official mobile app store Play. Users may inadvertently stumble across malicious Android APKs during organic web searches that lead to phishing sites designed to deliver malicious applications impersonating real ones. Attackers have also used messaging platforms such as WhatsApp to deliver mislabeled banking applications that are actually malware. Masking banking malware as a legitimate application is a common ruse used to trick users into installing malware on their device.
Android’s accessibility service is intended to aid users with disabilities, but it also can give attackers the ability to know when certain apps are launched and overwrite the screen’s display.
Although this particular sample was configured to target Polish-speaking users, it is plausible we will observe this theme shifting to target other regions or to impersonate other Polish institutions. The list of targeted applications is fetched from the C2 server, allowing FvncBot operators to tailor the web-inject targets on demand, going beyond the campaign theme if needed.
Web-injects are intensive for malware developers to maintain, but they can deliver a wealth of personal information due to their customization. These injections can be written to collect OTPs, payment card information and other data, appearing to be normal fields on a service provider’s site. The more information attackers can collect, the more difficult it can be — but not impossible — for financial institutions to detect abnormalities that indicate successful account takeover (ATO).
Appendix: Indicators of compromise
Command-and-control server domains:
naleymilva.it.com
SHA-256 sums:
Loader - 584ac0cb4f0ec6cdc0f0646caed6de1d95aa232284252af51ae5dac741a9c0a3
Payload - 9d34cc48602f927f2d23510f2f7cbd1d041945d342d3dcf0773a1b996ca589e9
如有侵权请联系:admin#unsafe.sh