Android Malware FvncBot, SeedSnatcher and ClayRat: how they attack your mobile

  • FvncBot, SeedSnatcher, and ClayRat abuse accessibility and overlays to steal data and control Android.
  • FvncBot focuses on mobile banking, SeedSnatcher on cryptocurrencies, and ClayRat on spying and total device control.
  • The distribution relies on social engineering, fake apps, Telegram and third-party stores, bypassing classic defenses.
  • Installing only trusted apps, checking permissions, and using robust 2FA are key to reducing the risk of infection.


Android phones have become the center of our digital lives: banking, cryptocurrencies, work, social media… and, unfortunately, also the favorite target of cybercriminals. While many users still think that installing "an antivirus" takes care of everything, the reality is that Android malware has taken a huge leap in sophistication and now competes head-to-head with traditional PC threats.

In recent months, several security laboratories have focused on three very specific families: FvncBot, SeedSnatcher and the improved version of ClayRat. These are not simple Trojans that only display annoying ads: we are talking about malware capable of remotely controlling your phone, stealing banking credentials, emptying cryptocurrency wallets, logging keystrokes, or even unlocking the device automatically, all by abusing accessibility services and screen overlays that are very hard to detect with the naked eye.

An increasingly aggressive mobile threat landscape


Cybersecurity experts have been observing for some time an accelerated evolution of Android malware, with campaigns that target not only home users but also company employees and profiles with access to sensitive information or significant funds.

Behind these threats we find both groups with purely financial motivation and advanced actors (APTs) with possible state links, especially in the case of spyware like ClayRat, geared toward long-range espionage, data theft and tracking of specific victims.

The methods for compromising Android devices rely largely on social engineering and on the distribution of malicious apps outside of Google Play. Third-party stores, phishing domains that mimic popular services, and messaging channels like Telegram, where links to manipulated APKs are shared, are also exploited.

These new Trojans take advantage of legitimate system functionality, especially accessibility services, screen overlays, and the MediaProjection API (used to record or share the screen), turning them into extremely effective tools for espionage and financial fraud.

In this context, three names are emerging strongly and are already mentioned frequently in technical reports: FvncBot, SeedSnatcher and ClayRat. Each operates with its own tactics, but all share the same goal: to steal as much information as possible and maintain control of the device without raising suspicion.

FvncBot: banking trojan with VNC-type remote control

Its main trick is to pose as a security application associated with mBank, a well-known Polish financial institution. The user believes they are installing a legitimate app that enhances the security of their mobile banking, when in reality they are introducing a Trojan capable of recording everything they do and remotely taking control of the device.

The infection begins with a "dropper" app that acts as a loader. This app is protected by an obfuscation and encryption service known as apk0day, offered by Golden Crypt, which makes it difficult to analyze the code and to identify it with security solutions. When opened, the application displays a message prompting the user to install a supposed "Google Play component" to improve system stability or protection.

In reality, that component is the malicious FvncBot payload itself. The malware uses a session-based approach to circumvent the accessibility restrictions introduced with Android 13, so even on recent versions of the operating system it manages to activate the permissions it needs to see and control virtually everything on the device.

Once running, FvncBot prompts the user to grant it accessibility service permissions. If the victim agrees, the Trojan gains a kind of "superpowers" within the system: it can read what is displayed on the screen, detect which applications are opened, simulate keystrokes, display windows on top of other apps, and record keystrokes in sensitive forms, such as the bank login.

During its activity, the malware sends events and logs to a remote server associated with the domain naleymilva.it.com, which operators use to monitor the status of each infected device. The analyzed samples showed a build identifier "call_pl", which explicitly points to Poland as the target country, and a version labeled "1.0-P", suggesting that FvncBot is still in an early stage of development and may continue to evolve.

After device registration, FvncBot communicates with its command and control infrastructure over HTTP and Firebase Cloud Messaging (FCM). Through these channels it receives real-time instructions and can modify its behavior according to the attackers' orders, activating or deactivating specific modules depending on the type of victim or the ongoing campaign.

Among the functions documented in this Trojan, several stand out as particularly critical, such as the ability to start or stop WebSocket connections that allow remote control of the device: attackers can swipe, tap, scroll, open apps or enter data almost as if they had the phone in their hand.

In addition, FvncBot exfiltrates accessibility events, the list of installed apps, and device information (model, version, configuration, etc.), so that operators have a complete inventory of targets, know which banking or cryptocurrency applications are present, and can deploy malicious overlays only on the apps that really interest them.

The Trojan is also ready to show full-screen fake screens. By mimicking banking interfaces or other services, it captures credentials, card data, or one-time codes. It can also hide these overlays when they are no longer needed, so the victim barely notices any unusual behavior beyond a possible screen flicker that is usually attributed to a simple visual bug.

Another striking aspect of FvncBot is its use of the MediaProjection API for real-time screen streaming. Combined with remote control via HVNC (Hidden Virtual Network Computing), this allows attackers to see exactly what the victim sees and operate the bank's app with complete freedom, even in applications that attempt to block screenshots with the FLAG_SECURE flag.

To overcome this limitation, FvncBot incorporates a "text mode" that analyzes the interface content even when traditional captures cannot be made. Thus, even if a banking or payment app blocks screenshots for security reasons, the Trojan manages to read the elements on the screen through accessibility services.

There is no public confirmation yet of its main distribution vector. However, based on the pattern of other similar banking Trojans, it is very likely to rely on smishing campaigns (phishing via SMS), links sent through messaging apps, and third-party app stores where fake versions of well-known apps or supposed security tools are uploaded.

Although current samples focus on Polish users and a specific entity, analysts estimate that it is only a matter of time before FvncBot adapts to other countries and banks: changing the language, logos, and overlay templates is relatively easy.

SeedSnatcher: seed phrase and 2FA code hunter

If FvncBot's main target is traditional bank accounts, SeedSnatcher is fully focused on the crypto ecosystem. This Android malware family is specifically designed to steal wallet seed phrases, private keys, and, in general, any information that allows it to take control of cryptocurrency wallets.

SeedSnatcher is primarily distributed through Telegram and other social channels, using the name "Coin" to disguise itself as an investment app, cryptocurrency management tool, or exclusive promotion. Attackers often distribute links to supposedly legitimate APKs, leveraging public or private groups related to trading, NFTs or blockchain news.

Once installed, the malicious application does not exhibit any conspicuous behavior at first. In fact, one of its key characteristics is that it requests few permissions on entry, usually access to SMS or basic functions, so as not to arouse suspicion or trigger alerts in security solutions that focus on excessive permission requests.

In the background, however, SeedSnatcher begins to deploy its arsenal. Taking advantage of advanced techniques such as dynamic class loading and stealthy content injection into WebViews, the app can update its functionality from the command and control server, be modified on the fly, or activate modules only when the victim opens certain cryptocurrency-related applications.

One of its most dangerous functions is the ability to show very convincing phishing overlays that mimic the appearance of well-known wallet apps, exchanges, or account recovery screens. The user believes they are entering their seed phrase to restore the wallet or verify their identity, but in reality they are handing control of all their funds to the attacker.

In addition to seed phrases, SeedSnatcher intercepts incoming SMS messages to capture two-factor authentication (2FA) codes. This opens the door to hijacking accounts on exchanges or trading platforms that rely on SMS as a second factor.

The malware is not limited to the crypto world: it is also prepared to exfiltrate data from the device, including contacts, call logs, files stored on the phone and other information potentially useful for future fraud campaigns or for sale on black markets.

Research attributed to CYFIRMA suggests that SeedSnatcher's operators could be groups based in China or Chinese-speaking, based on instructions in that language found in control panels and distribution channels associated with the malware.

SeedSnatcher's privilege escalation follows a very calculated pattern: it starts with minimal permissions and later requests access to the file manager, overlays, contacts, call logs and other resources. This staggered behavior helps it circumvent heuristic-based security solutions that are triggered by massive permission requests at first launch.

The combination of visual deception, SMS theft, clipboard monitoring, and silent data exfiltration makes SeedSnatcher a critical threat to any user who handles cryptocurrencies from their mobile device, especially those using non-custodial wallets based on seed phrases.

ClayRat: modular spyware with almost total device control

The most recent iteration detected stands out for further abusing accessibility services and default SMS app permissions. Thanks to this, ClayRat can log keystrokes, read notifications received on the device, monitor sensitive applications, and record both the screen and audio, turning the phone into a true surveillance tool.

This malware is designed to display overlays that simulate system updates, black screens, or maintenance windows. These are used to conceal malicious actions while attackers manipulate the device in the background. When users see a "system update" screen or similar, they tend to wait without touching anything, giving cybercriminals all the time in the world to work.

Another particularly worrying feature is ClayRat's ability to automatically unlock the device, whether it is protected by a PIN, password, or pattern. Combined with screen recording and keystroke logging, this provides complete control of the device without the user having to re-enter their credentials repeatedly.

In recent campaigns, ClayRat has spread through at least 25 phishing domains that mimic legitimate services like YouTube, promoting a supposed "Pro" version with background playback and 4K HDR support. Users download the app believing it is a premium version and unknowingly install the spyware.

App droppers posing as taxi and parking apps have also been found in regions like Russia. These fake apps act as installation vehicles for ClayRat, similar to the model used by FvncBot, where a seemingly harmless app downloads or activates the actual malicious component.

The malware can generate fake, interactive notifications that appear to come from the system or from legitimate applications, in order to collect responses from the user (for example, codes, operation confirmations, or additional permissions) without the user being aware that they are interacting with an interface controlled by the attacker.

Compared to previous versions, the new variant of ClayRat is much harder to remove: its persistence mechanisms and its ability to camouflage its activity through overlays and screen locking leave the user fewer opportunities to uninstall the application or turn off the device in time.

These characteristics, combined with the suspicion that it may be linked to APT groups with possible state sponsorship, make ClayRat one of the most dangerous mobile spyware tools today, especially in corporate environments with BYOD (Bring Your Own Device) policies, where employees use their personal phones to access internal systems.

Common techniques: accessibility, overlays, and advanced evasion

Although FvncBot, SeedSnatcher, and ClayRat have different objectives (traditional banking, cryptocurrencies, or advanced espionage), they share a set of key tactics and techniques that explain why they are so successful in real campaigns.

First, the abuse of Android accessibility services has become the cornerstone of modern malware. This functionality, originally designed to help people with disabilities interact with the device, allows reading the interface content, detecting screen changes, and automating actions, which is extremely useful… for both usability and cybercrime.

Another shared element is the intensive use of overlays to impersonate legitimate applications. By placing a fake screen over a real app, whether a bank, a crypto wallet, or a popular service, attackers can capture credentials, personal data, and anything the user types, without needing to directly compromise the target application.

Furthermore, these Trojans integrate advanced evasion techniques to complicate analysis and detection: code obfuscation, external encryption services like apk0day, dynamic loading of classes that are downloaded from the command and control server only when needed, and even integer-based command instructions to make the traffic look less obvious.

Communication with the attackers' servers has also become more sophisticated. The use of Firebase Cloud Messaging to receive orders, the establishment of WebSocket connections for real-time control and the discreet exfiltration of data over HTTP or HTTPS make malicious traffic blend in with legitimate traffic, making it difficult to identify on corporate or home networks.

All of this is combined with very polished social engineering. These apps masquerade as Google Play components, security applications, official banking tools, "Pro" versions of popular platforms like YouTube, or in-demand services such as taxi and parking apps. The goal is to lower the user's guard and convince them to grant critical permissions without thinking twice.

How to protect your Android device from FvncBot, SeedSnatcher, and ClayRat

No measure is foolproof, but applying basic good practices drastically reduces the likelihood of falling for campaigns like those of FvncBot, SeedSnatcher or ClayRat. Many attacks rely on user negligence and poorly configured devices.

The first rule is obvious but remains the most effective: install applications only from trusted sources, such as Google Play or the providers' official websites, and review lists of dangerous apps. Downloading APKs from links on forums, Telegram channels, or pages that promise free versions of paid apps is nowadays one of the main entry points for mobile malware.

It is also essential to keep the operating system and applications up to date. Google and manufacturers frequently release patches that fix security vulnerabilities, and many Trojans rely on known flaws that could be avoided simply by installing the latest available versions.

Password and authentication management is another critical point. Using strong, unique passwords for each service and enabling two-factor authentication (2FA) on banking, email, social networks and crypto platforms adds an extra layer of protection, although, as we have seen, some malware also tries to steal 2FA codes sent via SMS.

Whenever possible, it is advisable to opt for more robust 2FA methods, such as authenticator apps or physical security keys, instead of traditional SMS, which is easier for malware like SeedSnatcher to intercept.

Another key tip is to calmly review the permissions requested by applications. If an app that supposedly lets you watch videos, check the weather, or manage parking requests full access to SMS messages, accessibility services, contacts, or device administration, be suspicious. Many attacks rely on users tapping "Accept" without reading.

In the corporate environment, organizations should implement mobile device management (MDM) policies, limit the installation of unauthorized apps and conduct regular audits to detect suspicious behavior. It is also essential to train employees to recognize phishing attempts, whether via SMS, email, or instant messaging.

For advanced users, it may be helpful to combine the above measures with specific mobile security solutions that analyze app behavior, detect accessibility abuses, and continuously check device integrity. However, no technical tool can replace common sense when installing and using apps.
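As an added example (not part of the original article), here is a small offline audit in the spirit of those checks: it parses the text a few standard adb commands print and flags sideloaded apps that hold the three capabilities these families abuse (accessibility services, overlays, the default SMS role). The sample command outputs are constructed; on a real device you would feed in the results of `adb shell pm list packages -i`, `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure sms_default_application` and `adb shell appops get <package> SYSTEM_ALERT_WINDOW`.

```python
"""Offline audit for the capabilities these families abuse: accessibility
services, overlays (SYSTEM_ALERT_WINDOW) and the default SMS role. It parses
what `adb shell` prints for a few standard commands and flags apps that hold
one of those capabilities without having been installed by Google Play."""

PLAY_STORE = "com.android.vending"

# Constructed sample of: adb shell pm list packages -i
SAMPLE_PACKAGES = """package:com.android.chrome  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakebank  installer=null
package:com.example.coin  installer=com.android.packageinstaller
"""
# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.fakebank/com.example.fakebank.AccService")
# Constructed sample of: adb shell settings get secure sms_default_application
SAMPLE_SMS_DEFAULT = "com.example.coin"
# Constructed samples of: adb shell appops get <package> SYSTEM_ALERT_WINDOW
SAMPLE_OVERLAY = {
    "com.android.chrome": "No operations.",
    "com.example.fakebank": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h; duration=+1s",
    "com.example.coin": "SYSTEM_ALERT_WINDOW: allow; time=+12m",
}

def parse_installers(pm_output):
    """Map package -> installer package from `pm list packages -i` output."""
    installers = {}
    for line in pm_output.splitlines():
        if line.startswith("package:"):
            pkg, _, rest = line[len("package:"):].partition("installer=")
            installers[pkg.strip()] = rest.strip() or "null"
    return installers

def parse_accessibility(setting_value):
    """Packages with an enabled accessibility service; the setting is a
    ':'-separated list of package/service entries, or 'null' when empty."""
    return {e.split("/")[0] for e in setting_value.split(":") if e and e != "null"}

def overlay_allowed(appops_output):
    return "SYSTEM_ALERT_WINDOW: allow" in appops_output

def audit(installers, a11y_setting, sms_default, overlay_outputs):
    """Return {package: [reasons]} for sideloaded apps holding abused capabilities.
    Note: preinstalled system apps also report installer=null, so in practice
    they should be allowlisted before acting on a finding."""
    findings = {}

    def sideloaded(pkg):
        return installers.get(pkg, "null") != PLAY_STORE

    for pkg in parse_accessibility(a11y_setting):
        if sideloaded(pkg):
            findings.setdefault(pkg, []).append("accessibility service enabled")
    if sms_default and sideloaded(sms_default):
        findings.setdefault(sms_default, []).append("default SMS app")
    for pkg, out in overlay_outputs.items():
        if overlay_allowed(out) and sideloaded(pkg):
            findings.setdefault(pkg, []).append("overlay permission granted")
    return findings

def run_sample():
    return audit(parse_installers(SAMPLE_PACKAGES), SAMPLE_A11Y,
                 SAMPLE_SMS_DEFAULT, SAMPLE_OVERLAY)
```

On the constructed sample, the Play-installed TalkBack service is ignored while the two sideloaded packages are reported with the capability that makes them suspicious.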

On a personal level, it is advisable to adopt certain habits: be wary of unexpected links and check the URLs of websites that request credentials; avoid entering seed phrases or bank details on screens that appear after installing unknown apps; and, if in doubt, contact the entity or service directly through official channels.

The emergence of FvncBot, SeedSnatcher, and the revamped ClayRat demonstrates that the battlefront has moved to mobile, with the same or even greater intensity as on desktop computers. The combination of accessibility abuse, sophisticated overlays, VNC-type remote control, and advanced evasion means that any oversight can result in money theft, emptied wallets, or complete exposure of one's digital life. Recognizing that the phone is a priority target and acting accordingly, being careful about what we install, what permissions we grant, and how we manage our accounts, has become a key element of daily security.
