If you use your Android phone every day for online banking, social media, work, or cryptocurrencies, you should know what is happening with the next generation of mobile malware. In recent months, three particularly dangerous families have been documented: FvncBot, SeedSnatcher, and ClayRat. They take attacks well beyond the typical adware that merely displays ads or slows down the phone.
Far from being merely annoying apps, these threats combine sophisticated social engineering, abuse of accessibility services, screen overlays, and remote control to spy on the user, steal money from bank accounts and crypto wallets, intercept SMS messages carrying 2FA codes, and even unlock the device automatically while it appears to be "off" or in the middle of a supposed system update.
An increasingly aggressive Android malware landscape
The Android ecosystem today runs on billions of devices that centralize payments, 2FA, private communications, and access to corporate services. This omnipresence has made the platform a favorite target both for financially motivated cybercriminal gangs and for advanced actors (APTs) with possible state backing.
Investigations by firms such as Intel 471, CYFIRMA, and Zimperium have uncovered campaigns in which attackers combine obfuscated droppers, near-perfect phishing websites, and distribution via Telegram to push malicious APKs onto devices. From there, the trick is to get the user to grant critical permissions: accessibility, reading and sending SMS messages, drawing over other apps, or even becoming the default messaging app.
These new malware families abuse legitimate system functionality, such as the Accessibility Service, the MediaProjection API, or the overlay system, to turn phones into espionage and fraud tools that are very difficult to detect. Often the victim notices only some strange flickering on the screen, increased battery or data consumption, and little else. To counter this, Google is developing real-time detection features aimed at mitigating these techniques.
Within this scenario, three names recur in the most recent technical reports: FvncBot, focused on banking; SeedSnatcher, specializing in stealing seed phrases and wallet keys; and ClayRat, a modular spyware aimed at total device control. Their approaches differ, but they share the same idea: to remain on the device as long as possible without raising suspicion.
FvncBot: banking trojan with VNC-type remote control
FvncBot is a remote access trojan (RAT) and banking malware for Android developed from scratch, without recycling code from other popular trojans such as ERMAC. What makes it especially dangerous is that it combines infostealer, screen overlay, and hidden VNC (HVNC) remote-control capabilities to carry out financial fraud in real time, in line with other recent banking trojan campaigns.
Its best-known campaign targets mBank mobile banking customers in Poland. To deceive them, it masquerades as a legitimate security application from the bank itself. This fraudulent app acts as a dropper and is protected by an obfuscation and encryption service called apk0day (offered by Golden Crypt), which complicates static analysis and detection by security solutions.
When the user opens the fake application, they see a message inviting them to install a "Google Play component" that promises more stability or security. That component is the FvncBot payload itself, installed through a session-based package installation mechanism. The choice matters: the restricted-settings protection introduced in Android 13 blocks accessibility access for apps sideloaded through the plain "open the APK" flow, but apps installed via the session-based PackageInstaller API, the path used by app stores, are exempt, so the payload can still be granted accessibility.
Once deployed, the malware prompts the user to enable its accessibility service. If the victim agrees, FvncBot gains a kind of "superpower": it can read everything on the screen, know which apps are opened, simulate taps and swipes, cover other applications with fake screens, and record what is typed into sensitive forms such as bank logins. Abuse of the Accessibility Service is a constant in modern campaigns.
During execution, logging and telemetry events are sent to a remote server associated with the domain naleymilva.it.com. The analyzed samples contained references such as the build identifier call_pl (which points to Poland as the target country) and a version string 1.0-P, consistent with malware that is still at an early stage but evolving rapidly.
After registering the device, FvncBot communicates with its command-and-control (C2) infrastructure over HTTP and Firebase Cloud Messaging (FCM). This lets operators send commands in real time, enable or disable modules, and adapt the trojan's behavior to the victim or the ongoing campaign.
Its documented functions include advanced remote-control and espionage capabilities, such as starting and stopping WebSocket connections to manage the device remotely, exfiltrating accessibility events, listing installed apps, and sending detailed device configuration data to the server.
The trojan can also show full-screen overlays that mimic banking interfaces or other services, with the goal of capturing credentials, card details, or one-time codes. Once the data is stolen, the malware removes the overlay almost imperceptibly; at most the user sees a slight flicker.
One of the most striking features is the intensive use of the MediaProjection API to stream in real time what is happening on the screen. Combined with HVNC remote control, attackers can operate the banking app almost as if they held the physical phone. Screen capture has one well-known limit, though: windows that set FLAG_SECURE, as many banking apps do to block screenshots, are rendered black in a MediaProjection stream. This technique has already been seen in other cases of bank data theft.
To get around that protection, FvncBot includes a "text mode" that inspects the layout and UI elements through the Accessibility Service even when a conventional visual capture is not possible. FLAG_SECURE hides pixels from screen capture but does not hide the view hierarchy from an accessibility service, so even if the banking app prevents screenshots, the malware can still read the fields and buttons on the screen.
A definitive distribution vector has not yet been published, but by analogy with other Android banking trojans it will very likely rely on smishing campaigns (phishing via SMS), instant-messaging messages with links to APKs, and third-party stores offering fake banking apps or tampered security tools. Although the current configuration is in Polish, adapting texts, logos, and templates for other countries and banks is relatively trivial.

SeedSnatcher: cryptocurrency seed phrase and private key hunter
While FvncBot focuses on traditional banking, SeedSnatcher is designed specifically to steal seed phrases, private keys, and other sensitive data from cryptocurrency wallets. It is, in essence, a mobile infostealer focused tightly on the crypto ecosystem and everything around it.
This malware is distributed mainly through Telegram and social networks under names such as "Coin" and variants related to investment or wallets. The operators create channels and groups that pose as trading communities, NFT projects, or portfolio-management tools, and share links to supposedly legitimate APKs from there; this distribution pattern resembles the one seen in other alerts about fake-app campaigns and Telegram channels.
A key feature is that, on installation, the malicious app tries to stay unnoticed by requesting only a few initial permissions (for example, SMS access or basic functions), just enough not to alarm the user or trigger security solutions that look for excessive permission requests at first launch.
Quietly, in the background, SeedSnatcher deploys a considerable technical arsenal. It relies on dynamic class loading, covert content injection into WebView components, and integer-coded command instructions. All of this makes code analysis and detection by static signatures much harder.
When it detects that the victim is using a wallet or exchange app, the malware displays highly convincing phishing overlays that mimic the legitimate interfaces of wallets, recovery screens, or verification flows. The user believes they are restoring the wallet or validating their identity, but they are actually typing their seed phrase into a form controlled by the attackers.
In addition to seed phrases, SeedSnatcher silently intercepts incoming SMS messages to capture two-factor authentication (2FA) codes. This facilitates the hijacking of accounts on exchanges and other services that still use SMS as a second factor. This kind of message theft recalls techniques observed in trojans that target messaging and SMS.
The malware also takes the opportunity to exfiltrate additional information from the device: contacts, call history, files, metadata, and anything else that can be resold or used for further fraud. All of it is sent to the command-and-control server over obfuscated communication channels.
Research attributed to CYFIRMA suggests that SeedSnatcher's operators are based in China or are Chinese speakers, judging by instructions found in that language both in the control panels and in messages shared via Telegram in connection with the malware.
As for privilege escalation, SeedSnatcher follows a phased strategy: it starts with minimal permissions and, once it has earned some trust, requests access to the file manager, overlays, contacts, call logs, and other sensitive resources. This gradual approach reduces the likelihood that a flood of requests at first use makes the user suspicious.
The mix of realistic overlays, SMS 2FA theft, clipboard monitoring, and silent data exfiltration makes SeedSnatcher a critical threat to anyone managing cryptocurrency from a phone, especially users of non-custodial wallets based on seed phrases: once the phrase leaks, the funds are completely exposed.
ClayRat: modular spyware with almost absolute control of the device
ClayRat represents the side of this landscape most oriented toward long-term espionage and persistent device control. It is a modular Android spyware that has expanded its functions version after version, becoming a very complete platform for monitoring victims and using their phones as distribution nodes.
Recent research by Zimperium and other security labs shows that ClayRat relies on large-scale phishing and impersonation campaigns targeting popular apps such as WhatsApp, TikTok, YouTube, Google Photos, or taxi and parking services. The attackers build pages that closely mimic the Google Play Store or the official websites of these applications, complete with fake reviews, inflated download counters, and automatically generated positive comments.
When the victim downloads the supposed app, they actually get a lightweight dropper containing the encrypted spyware. This dropper can display screens that mimic Google Play updates or official installation flows while deploying the malicious payload in the background, sidestepping some of Android's protection mechanisms. This use of droppers recalls techniques described in analyses of loaders and droppers.
ClayRat requests critical permissions such as access to SMS, contacts, camera, microphone, and the Accessibility Service. Once the user grants them, it can become the default messaging app, which lets it read, modify, and send SMS messages without other apps or the user clearly noticing.
The spyware can review call history, capture notifications, take photos with the front camera, exfiltrate SMS messages, and place calls. Zimperium notes that, because it also has access to the address book, the malware can launch social engineering campaigns directly from the infected phone, sending SMS messages with links to new victims who, trusting the known sender, lower their guard.
In recent versions, ClayRat has incorporated a set of commands received from its C2 server, ranging from listing installed apps (get_apps_list), collecting call logs (get_calls), or taking photographs (get_camera), to bulk SMS theft (get_sms_list, messms), sending messages or placing calls (send_sms, make_call), and retrieving detailed information about the device or its network (get_device_info, get_proxy_data).
Communication with the attackers' infrastructure uses AES-GCM encryption and WebSocket tunnels so that it blends in with ordinary HTTP/HTTPS traffic. The data is also sent in chunks to make it harder for network monitoring systems to spot.
One of the most worrying capabilities is automatic device unlocking, whether the lock is a PIN, pattern, or password. By leveraging the Accessibility Service and gesture automation, ClayRat can unlock the screen when needed, record what happens, manipulate apps, and then leave the phone seemingly idle again, without the user having to enter their credentials each time.
The malware also deploys overlays that simulate system-update screens, black screens, or maintenance windows. These are used to hide malicious activity while the attackers interact with the device; during that time the user tends not to touch anything, convinced they are in the middle of a legitimate update.
Zimperium has identified at least 25 phishing domains impersonating services such as a supposed "YouTube Pro" with background playback and 4K HDR, along with fake taxi and parking apps, especially in regions such as Russia. In total, hundreds of malware samples and dozens of different droppers associated with this campaign have been cataloged, making it one of the most active globally.
The combination of accessibility abuse, default-SMS-app privileges, screen recording, fake notifications, and persistent overlays makes the current version of ClayRat much harder to remove than earlier ones, in which the user could still uninstall the suspicious app or switch the device off on noticing something unusual.
Common tactics: accessibility, overlays, and advanced evasion
Although FvncBot, SeedSnatcher, and ClayRat have different objectives, they share a set of techniques and tactics that are becoming standard in modern Android malware. Understanding them is key to seeing why these attacks work so well.
The central pillar is the systematic abuse of the Android Accessibility Service. Originally designed to assist people with disabilities, this service reads screen content, detects interface changes, and automates actions such as taps and scrolls. Used as intended, it improves usability; misused, it gives attackers almost complete visibility into, and control over, the user's actions.
The second common element is the intensive use of overlays drawn on top of other apps. Through this capability (the SYSTEM_ALERT_WINDOW permission, a feature rather than a vulnerability), malware can display fake login forms, update screens, or system notifications while the real application runs underneath. The victim enters credentials believing they are in their banking app, wallet, or favorite service, when in reality they are typing into an interface controlled by the attacker.
On top of this come advanced evasion techniques: code obfuscation through services such as apk0day, dynamic loading of components from the C2 server, traffic encryption, and compact integer-coded commands that make the malware's behavior less obvious in a superficial analysis.
For communication, these trojans rely on Firebase Cloud Messaging, WebSocket connections, and encrypted HTTP/HTTPS channels that blend easily into the device's normal traffic. At the network level this makes it very difficult to tell which requests are legitimate and which carry exfiltrated data or incoming commands.
Finally, the human element: all these campaigns rest on carefully crafted social engineering, with apps posing as Google Play components, security tools, "Pro" versions of popular platforms, or everyday service apps such as parking and taxis. The goal is always the same: to get the user to install the APK manually and tap "Accept" on permissions that, on closer inspection, would look suspicious.
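The capability combinations above (accessibility service, overlay permission, SMS reading or the default-SMS-app role, package installation, an FCM channel) are all visible in an app's manifest before it ever runs, which makes a manifest triage a cheap first check for an analyst faced with a pile of sideloaded APKs. The script below is an added example written for this article, not tooling from any of the cited reports. It parses a decoded AndroidManifest.xml and ranks it by how many of the described combinations it exhibits. Real APKs carry a binary manifest, so decode it first (for example with apktool or androguard) and pass the resulting XML to triage_manifest(); the two manifests embedded here are constructed, as are the pattern names and the scoring weights.

```python
"""Static triage of a decoded AndroidManifest.xml for the permission and
component combinations described in the article. Added example, not code
from the cited reports; the two manifests below are constructed."""
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.RECEIVE_SMS": "sms_read",
    "android.permission.READ_SMS": "sms_read",
    "android.permission.SEND_SMS": "sms_send",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installer",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "screen_capture",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
}
RISKY_ACTIONS = {
    "android.accessibilityservice.AccessibilityService": "accessibility",
    "android.provider.Telephony.SMS_DELIVER": "default_sms_app",
    "android.provider.Telephony.SMS_RECEIVED": "sms_receiver",
    "com.google.firebase.MESSAGING_EVENT": "fcm_channel",
}
# Capability sets matching the tradecraft the article attributes to each family
# (pattern names are this example's own labels).
PATTERNS = {
    "overlay + accessibility (FvncBot-style banking overlay / remote control)": {"overlay", "accessibility"},
    "sms_read + overlay (SeedSnatcher-style 2FA theft + phishing overlay)": {"sms_read", "overlay"},
    "default_sms_app + accessibility (ClayRat-style SMS takeover)": {"default_sms_app", "accessibility"},
    "installer + accessibility (dropper that stages a second-stage payload)": {"installer", "accessibility"},
}


def triage_manifest(xml_text):
    """Return package name, detected capabilities, matched patterns and a triage score."""
    root = ET.fromstring(xml_text)
    caps = set()
    for node in root.iter("uses-permission"):
        tag = RISKY_PERMISSIONS.get(node.get(A + "name"))
        if tag:
            caps.add(tag)
    for node in root.iter("action"):
        tag = RISKY_ACTIONS.get(node.get(A + "name"))
        if tag:
            caps.add(tag)
    # A service guarded by BIND_ACCESSIBILITY_SERVICE is an accessibility service
    # even if its intent-filter was stripped or renamed to dodge simple greps.
    for node in root.iter("service"):
        if node.get(A + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility")
    hits = [name for name, needed in PATTERNS.items() if needed <= caps]
    return {
        "package": root.get("package"),
        "capabilities": sorted(caps),
        "patterns": hits,
        # crude ordering for a triage queue, not a verdict: 1 per capability, 3 per pattern
        "score": len(caps) + 3 * len(hits),
    }


# Constructed manifest modelled on the fake "bank security app" dropper described above.
FAKE_BANK_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".SmsRx" android:permission="android.permission.BROADCAST_SMS">
      <intent-filter><action android:name="android.provider.Telephony.SMS_DELIVER"/></intent-filter>
    </receiver>
    <service android:name=".Push">
      <intent-filter><action android:name="com.google.firebase.MESSAGING_EVENT"/></intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest for a benign weather app, for comparison.
WEATHER_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_COARSE_LOCATION"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (FAKE_BANK_MANIFEST, WEATHER_MANIFEST):
        result = triage_manifest(manifest)
        print(result["package"], "score", result["score"], result["patterns"])
```

Treat a match as a reason to look closer, not as a verdict: legitimate SMS clients, password managers, and screen readers hold the same capabilities, so the value of the score is in ranking sideloaded samples for analyst attention. Also remember that FvncBot's dropper and payload are separate APKs with separate manifests, so each stage needs to be triaged on its own.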
How to protect your Android device from FvncBot, SeedSnatcher, and ClayRat

There is no perfect protection, but applying a few basic good practices drastically reduces the chances of ending up with a phone compromised by these malware families or by similar ones that will inevitably appear.
The first rule, obvious as it may seem, remains fundamental: install apps only from Google Play or from the provider's official website. Downloading APKs from forums, Telegram channels, SMS links, or pages promising free versions of paid apps is, today, one of the main entry points for mobile malware.
It is also crucial to keep both the operating system and applications up to date. Security patches fix vulnerabilities that many trojans exploit, and they can be applied simply by enabling automatic updates or checking regularly for new versions; Google also publishes alerts about critical vulnerabilities that should be taken into account.
Another key point is permission management. Before accepting, ask whether it makes sense for a given app to request access to SMS, accessibility, contacts, call logs, or device administration. A weather or video-player app should not need those privileges, and if it asks for them, the wise move is to cancel the installation.
On authentication, it helps a lot to use strong, unique passwords for each service and to enable two-factor authentication (2FA) wherever it is available. Even if some malware tries to intercept codes sent via SMS, you are still placing an extra barrier in the attackers' way and making mass account theft harder.
Whenever possible, replace SMS with more robust 2FA methods such as authenticator apps or hardware security keys. Authenticator-app codes cannot be read from the SMS inbox, which is exactly what infostealers like SeedSnatcher rely on, although they can still be phished through an overlay; hardware keys using FIDO2/WebAuthn resist that too, because the response is bound to the origin that requested it.
For heavy or higher-risk users, it makes sense to supplement these guidelines with dedicated mobile security solutions capable of detecting anomalous behavior, accessibility abuse, suspicious connections, or obfuscated APKs. They are no silver bullet, but they add an extra layer of defense that can make the difference; Google Play Protect, which ships with the platform, is the first line of defense.
In corporate environments, organizations should implement mobile device management (MDM) policies and clear BYOD strategies. Restricting installation of unauthorized apps, separating personal and work profiles, requiring full device encryption, and monitoring indicators of compromise are basic steps to keep a phone used for work from becoming a gateway to the internal network.
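Monitoring indicators of compromise on a managed fleet does not have to wait for a malware signature: the three families above all leave the same footprint on the device, namely a sideloaded package that holds an enabled accessibility service, the overlay permission, or the default-SMS-app role. The script below is an added example written for this article (not part of any MDM product) that pulls those four facts over adb and cross-references them. The adb commands are the standard settings, cmd role, appops, and pm shell commands; verify their output format on your Android version, because the parsers assume the formats shown in the constructed sample outputs. The TRUSTED_INSTALLERS and KNOWN_A11Y allowlists are assumptions to tune for your environment (add your MDM agent and any approved screen reader).

```python
"""Device posture check: cross-references which apps hold accessibility,
overlay and default-SMS privileges with how each was installed.
Added example for this article; the adb commands are real, the sample
outputs below are constructed."""
import subprocess

ADB_COMMANDS = {
    "a11y": "settings get secure enabled_accessibility_services",
    "sms_role": "cmd role get-role-holders android.app.role.SMS",
    "overlay": "appops query-op SYSTEM_ALERT_WINDOW allow",
    "installers": "pm list packages -i",
}
TRUSTED_INSTALLERS = {"com.android.vending"}          # Google Play; add your MDM agent (assumption)
KNOWN_A11Y = {"com.google.android.marvin.talkback"}   # approved accessibility services (assumption)


def run_adb(shell_cmd):
    """Collect one command from a connected device (needs adb on PATH)."""
    return subprocess.run(["adb", "shell", shell_cmd], capture_output=True, text=True, check=True).stdout


def parse_a11y(text):
    """'pkg/.Svc:pkg2/.Svc2' -> {'pkg', 'pkg2'}; the setting reads 'null' when nothing is enabled."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/")[0] for entry in text.split(":") if entry}


def parse_installers(text):
    """'package:com.foo  installer=com.android.vending' -> {'com.foo': 'com.android.vending'};
    'installer=null' (sideloaded or unknown) is mapped to None."""
    out = {}
    for line in text.splitlines():
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        out[pkg.strip()] = rest.strip() if rest.strip() != "null" else None
    return out


def parse_package_list(text):
    """One package per line (appops query-op); role holders are ';'-separated and normalised first."""
    return {line.strip() for line in text.replace(";", "\n").splitlines() if line.strip()}


def audit(outputs):
    """Return sorted (severity, package, reason) findings from the four command outputs."""
    installers = parse_installers(outputs["installers"])
    a11y = parse_a11y(outputs["a11y"])
    overlay = parse_package_list(outputs["overlay"])
    sms_role = parse_package_list(outputs["sms_role"])

    def sideloaded(pkg):
        return installers.get(pkg) not in TRUSTED_INSTALLERS

    findings = []
    for pkg in a11y - KNOWN_A11Y:
        findings.append(("HIGH" if sideloaded(pkg) else "MEDIUM", pkg, "accessibility service enabled"))
    for pkg in sms_role:
        if sideloaded(pkg):
            findings.append(("HIGH", pkg, "default SMS app not from a trusted installer"))
    for pkg in overlay:
        if sideloaded(pkg) and pkg in a11y:
            findings.append(("HIGH", pkg, "overlay + accessibility on a sideloaded app"))
        elif sideloaded(pkg):
            findings.append(("MEDIUM", pkg, "overlay permission on a sideloaded app"))
    return sorted(findings)


# Constructed outputs for an infected device: a sideloaded "bank security" app with everything enabled.
SAMPLE_OUTPUTS = {
    "a11y": "com.example.fakebank/.A11y:com.google.android.marvin.talkback/.TalkBackService\n",
    "sms_role": "com.example.fakebank\n",
    "overlay": "com.example.fakebank\ncom.whatsapp\n",
    "installers": (
        "package:com.example.fakebank  installer=null\n"
        "package:com.whatsapp  installer=com.android.vending\n"
        "package:com.google.android.marvin.talkback  installer=com.android.vending\n"
        "package:com.google.android.apps.messaging  installer=com.android.vending\n"
    ),
}
# Constructed outputs for a clean device with the same installed apps minus the dropper.
CLEAN_OUTPUTS = {
    "a11y": "null\n",
    "sms_role": "com.google.android.apps.messaging\n",
    "overlay": "com.whatsapp\n",
    "installers": SAMPLE_OUTPUTS["installers"],
}

if __name__ == "__main__":
    # Live use: outputs = {k: run_adb(cmd) for k, cmd in ADB_COMMANDS.items()}
    for severity, pkg, reason in audit(SAMPLE_OUTPUTS):
        print(severity, pkg, reason)
```

Run against the constructed infected sample it reports three HIGH findings, all for com.example.fakebank, and nothing for the clean device. The check is deliberately about privilege-holding rather than names: the app is flagged because a package that Google Play did not install holds an enabled accessibility service, the SMS role, and the overlay permission at once, which is the posture the text describes regardless of what the dropper calls itself.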
Beyond the tools, training is critical: teaching employees and users to identify fake websites, dubious download links, suspicious permission screens, and SMS or messaging phishing significantly reduces the effectiveness of mobile malware campaigns.
The emergence and rapid evolution of FvncBot, SeedSnatcher, and ClayRat show clearly that the focus of cybercrime has shifted to mobile, where much of our financial and personal life is now concentrated. Recognizing that our phones are a priority target, and reviewing what we install, what permissions we grant, and how we manage bank accounts and crypto from them, is now an essential part of daily security for individuals and businesses alike. Share this information and help other users stay aware of Android malware.
