A dangerous new Android banking malware named FvncBot was first observed on November 25, 2025. This malicious tool is designed to steal sensitive financial information by logging keystrokes, recording screens, and injecting fake login pages into banking apps.
The malware initially spreads through a fake application disguised as a security tool for mBank, a popular Polish bank.

The app, named “Klucz bezpieczeństwa mBank” (Security Key mBank), acts as a “loader”. Once a user installs and opens this fake app, it secretly downloads and installs the primary FvncBot payload.
To hide its activity, the malware uses a known obfuscation service called apk0day, making it harder for security systems to detect.

Researchers say FvncBot is different from other banking malware. Instead of reusing code from older threats like Ermac or Hook, its code looks completely new.
FvncBot is highly advanced and includes several powerful features to defraud victims:

| Feature | Description |
|---|---|
| Keylogging | Abuses Android Accessibility Services to capture every keystroke, including passwords, PINs, and OTPs. Logs up to 1,000 events before exfiltrating via HTTP or WebSocket. |
| Web-Inject Attacks | Displays fake overlay windows on legitimate banking apps to trick users into entering credentials. Phishing pages are received from the command server. |
| Screen Streaming | Streams the device screen in real time using H.264 video compression for efficient bandwidth usage and continuous monitoring. |
| HVNC (Hidden VNC) | Enables remote device control by creating JSON representations of UI elements. Allows attackers to navigate, swipe, click, and enter data. |
| Remote Command Execution | Uses a WebSocket connection and Firebase Cloud Messaging (FCM) for near-real-time bidirectional communication with command servers. |
| Device Manipulation | Capable of locking the device, muting audio, displaying black overlays, launching applications, and entering arbitrary data into text fields. |
| Code Obfuscation | Obfuscated using the apk0day crypting service operated by the GoldenCrypt actor to evade detection and security analysis. |

Combining HVNC with device manipulation, attackers can swipe, click, and even enter text to empty bank accounts while the phone appears locked or blacked out.
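Because the keylogging and HVNC features both depend on an enabled Accessibility Service, one quick triage step on a suspect handset is to list which services hold that permission. The script below is an added example, not code from the article or from Intel471; it reads the `enabled_accessibility_services` setting over adb and flags any package not on an allowlist (the allowlist contents are an assumption to be adjusted per fleet).

```shell
#!/bin/sh
# Added defender-side triage check (not from the original article):
# flag enabled Android accessibility services whose package is not expected.

# Packages expected to hold accessibility access (assumption; adjust per fleet).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.switchaccess"

# flag_services "<raw value of enabled_accessibility_services>"
# The Android setting is a ':'-separated list of "package/ServiceClass" entries
# (or empty / "null" when nothing is enabled). Prints one flagged entry per line.
flag_services() {
    raw=$1
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    # Split the list on ':' using the positional parameters.
    oldifs=$IFS
    IFS=':'
    set -- $raw
    IFS=$oldifs
    for entry in "$@"; do
        pkg=${entry%%/*}          # package name is everything before the '/'
        allowed=0
        for a in $ALLOWED_PKGS; do
            if [ "$pkg" = "$a" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            echo "$entry"
        fi
    done
    return 0
}

# Pull the live value from a USB-connected device and run the check.
# Requires adb on PATH and USB debugging enabled on the handset.
check_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_services "$raw"
}
```

An unexpected entry is not proof of infection, but any unknown package with accessibility access on a device that also shows an unfamiliar "security key" app deserves immediate inspection.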
The Intel471 discovery of FvncBot underscores the importance of downloading apps only from official sources, such as the Google Play Store.

Users should be cautious of “security updates” or banking apps found on third-party websites or sent via direct messages, as these are common traps used to deliver this type of malware.
