{"id":9008,"date":"2025-12-07T10:03:31","date_gmt":"2025-12-07T10:03:31","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/12\/07\/new-fvncbot-android-banking-attacking-users-to-log-keystrokes-and-inject-malicious-payloads\/"},"modified":"2025-12-07T10:03:31","modified_gmt":"2025-12-07T10:03:31","slug":"new-fvncbot-android-banking-attacking-users-to-log-keystrokes-and-inject-malicious-payloads","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/12\/07\/new-fvncbot-android-banking-attacking-users-to-log-keystrokes-and-inject-malicious-payloads\/","title":{"rendered":"New FvncBot Android Banking Attacking Users to Log Keystrokes and Inject Malicious Payloads"},"content":{"rendered":"<div>\n<p>A dangerous new Android banking malware named FvncBot was first observed on November 25, 2025. 
This\u00a0malicious tool\u00a0is designed to steal sensitive financial information by logging keystrokes, recording screens, and injecting fake login pages into banking apps.<\/p>\n<p>The <a href=\"https:\/\/cybersecuritynews.com\/hackers-using-castlerat-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">malware<\/a> initially spreads through a fake application disguised as a security tool for\u00a0mBank, a popular Polish bank.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/lh3.googleusercontent.com\/-iNxbIBt9y54\/aTPMScx7JvI\/AAAAAAAACIU\/wqGsHLB_6FYzQSvbC4VW65nmhaS4Gqb_gCK4BGAsYHg\/Screenshot%252B2025-12-06%252B115145%252B%2525281%252529.webp?ssl=1\" alt=\"the accessibility service of the payload application\"><figcaption class=\"wp-element-caption\">The accessibility service of the payload application<\/figcaption><\/figure>\n<\/div>\n<p>The app, named \u201cKlucz bezpiecze\u0144stwa mBank\u201d (Security Key mBank), acts as a \u201cloader\u201d. Once a user installs and opens this fake app, it secretly downloads and installs the primary FvncBot payload.<\/p>\n<p>To hide its activity, the malware uses a known obfuscation service called\u00a0apk0day, making it harder for security systems to detect.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEh4FImNbed5bU7GFlhGS89py9Fxew_k-Zn-CA1z5px6JY09WZ5c4M9AnOR_6Fpx1Q5YGehzxHttXLXnkHi3c9YvtrNTB-OH5ZR9kgTE6ReXOs8YpTzc5O-uCBmmkJUSBCZ8h-eJelUrZTThBUW_9ZeVmysR45IiT8xGq8SD319YsKByESyX9Lj30mBrKJ8\/s1600\/Screenshot%25202025-12-06%2520115204%2520%25281%2529.webp?ssl=1\" alt=\"bot debug messages\"><figcaption class=\"wp-element-caption\"><em>Bot debug messages<\/em><\/figcaption><\/figure>\n<p>Researchers say FvncBot is different from other banking malware. 
Instead of reusing code from older <a href=\"https:\/\/cybersecuritynews.com\/scaling-soc-team-expertise-with-ai-insights\/\" target=\"_blank\" rel=\"noreferrer noopener\">threats<\/a> like Ermac or Hook, its code looks completely new.<\/p>\n<p>FvncBot is highly advanced and includes several powerful features to defraud victims:<\/p>\n<figure class=\"wp-block-table is-style-stripes\">\n<table class=\"has-fixed-layout\">\n<thead>\n<tr>\n<td><strong>Feature<\/strong><\/td>\n<td><strong>Description<\/strong><\/td>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Keylogging<\/td>\n<td>Abuses Android Accessibility Services to capture every <a href=\"https:\/\/cybersecuritynews.com\/hackers-weaponized-linux-webcams\/\" target=\"_blank\" rel=\"noreferrer noopener\">keystroke<\/a>, including passwords, PINs, and OTPs. Logs up to 1,000 events before exfiltrating via HTTP or WebSocket.<\/td>\n<\/tr>\n<tr>\n<td>Web-Inject Attacks<\/td>\n<td>Displays fake overlay windows on legitimate banking apps to trick users into entering credentials. Phishing pages received from command server.<\/td>\n<\/tr>\n<tr>\n<td>Screen Streaming<\/td>\n<td>Streams device screen in real-time using H.264 video compression for efficient bandwidth usage and continuous monitoring.<\/td>\n<\/tr>\n<tr>\n<td>\n<a href=\"https:\/\/cybersecuritynews.com\/purehvnc-rat-developers\/\" target=\"_blank\" rel=\"noreferrer noopener\">HVNC<\/a> (Hidden VNC)<\/td>\n<td>Enables remote device control by creating JSON UI element representations. 
Allows attackers to navigate, swipe, click, and enter data.<\/td>\n<\/tr>\n<tr>\n<td>Remote Command Execution<\/td>\n<td>Uses WebSocket connection and Firebase Cloud Messaging (FCM) for near-real-time bidirectional communication with command servers.<\/td>\n<\/tr>\n<tr>\n<td>Device Manipulation<\/td>\n<td>Capable of locking device, muting audio, displaying black overlays, launching applications, and entering arbitrary data into text fields.<\/td>\n<\/tr>\n<tr>\n<td>Code Obfuscation<\/td>\n<td>Obfuscated using apk0day crypting service operated by GoldenCrypt actor to <a href=\"https:\/\/cybersecuritynews.com\/new-net-malware-hides-lokibot-malware\/\" target=\"_blank\" rel=\"noreferrer noopener\">evade detection<\/a> and security analysis.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>Attackers can swipe, click, and even enter text to empty bank accounts while the phone appears locked or blacked out.<\/p>\n<p>The Intel471 <a href=\"https:\/\/www.intel471.com\/blog\/new-fvncbot-android-banking-trojan-targets-poland\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">discovery<\/a> of FvncBot underscores the importance of downloading apps only from official sources, such as the Google Play Store.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEhEUcKPSWVinwWlTICHpDb3Ty7dP0A6hbOlRUcKXAJoQDqf1XBpuXxDcT5ULjl89Lzx8vRLN4vHPtPTJ_E0hQ9LaMuXNI8YL5J5VcpqcQgUGNXR4mJUrdyMmgM6mcvkU7ABrDW8wqXqpt7gPmuUpQOYI149F-bIl4tiqp8QfK4MwFW2zVoBZNlox3Q3d48\/s1600\/Screenshot%25202025-12-06%2520115233%2520%25281%2529.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\"><em>Log data collected from an overlay<\/em><\/figcaption><\/figure>\n<p>Users should be cautious of \u201csecurity updates\u201d or banking apps found on third-party websites or sent via direct messages, as these are common traps used to deliver this type of malware.<\/p>\n
<p>The post <a href=\"https:\/\/cybersecuritynews.com\/fvncbot-android-banking-attacking\/\">New FvncBot Android Banking Attacking Users to Log Keystrokes and Inject Malicious Payloads<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<\/p>\n","protected":false},"excerpt":{"rendered":"<p>New FvncBot Android Banking Attacking Users to Log Keystrokes and Inject Malicious Payloads A dangerous new Android banking malware named FvncBot was first observed on November 25, 2025. This\u00a0malicious tool\u00a0is designed to steal sensitive financial information by logging keystrokes, recording screens, and injecting fake login pages into banking apps. 
The malware initially spreads through a [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[509,129,63,258],"tags":[130],"class_list":["post-9008","post","type-post","status-publish","format-standard","hentry","category-android","category-cyber-security","category-cyber-security-news","category-malware","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9008"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=9008"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/9008\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=9008"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=9008"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=9008"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}