
Cybersecurity researchers have revealed details of two new Android malware families called FvncBot and SeedSnatcher, as another upgraded version of ClayRat was discovered in the wild.
The findings were obtained from Intel 471, CYFIRMA, and Zimperium, respectively.
FvncBot targets Polish mobile banking users under the guise of a security app developed by mBank. What’s notable about this malware is that it was written completely from scratch and is not influenced by other Android banking Trojans such as ERMAC, whose source code has been leaked.
According to Intel 471, the malware “implemented multiple features including keylogging, web injection attacks, screen streaming, and hidden virtual network computing (HVNC) by exploiting Android’s accessibility services to successfully commit financial fraud.”
Similar to the recently discovered Albiriox banking malware, this malware is protected by an encryption service known as apk0day provided by Golden Crypt. The malicious app acts as a loader by installing an embedded FvncBot payload.

As soon as the dropper app is launched, users are prompted to install Google Play components, supposedly to ensure the app’s security and stability. In reality, the prompt uses a session-based installation approach, also employed by other threat actors, to bypass the accessibility restrictions on Android devices running version 13 and above, which leads to the malware being deployed.
“While the malware was running, log events were sent to a remote server in the naleymilva.it.com domain to track the current status of the bot,” Intel 471 said. “The operator included a build identifier call_pl indicating Poland as the target country, and the malware version was set to 1.0-P, suggesting it was in the early stages of development.”
The malware then asks the victim to grant accessibility service permissions, operates with the elevated privileges this confers, and connects to an external server over HTTP to register the infected device, after which it receives commands through the Firebase Cloud Messaging (FCM) service.
FvncBot process of enabling accessibility services
Some of the supported features are listed below.

- Remotely control a device by starting/stopping a WebSocket connection and move around the device screen by swiping, clicking, or scrolling
- Extract logged accessibility events to the controller
- Extract a list of installed applications
- Extract device information and bot settings
- Receive settings to serve malicious overlays on targeted applications
- Show full-screen overlays to capture and extract sensitive data
- Hide overlays
- Check the status of accessibility services
- Abuse accessibility services to record keystrokes
- Retrieve pending commands
- Abuse Android’s MediaProjection API to stream screen content to a controller
FvncBot also facilitates a so-called text mode for inspecting a device’s screen layout and content, even in scenarios where an app sets the FLAG_SECURE option to prevent taking screenshots.
Although it is currently unknown how FvncBot is distributed, Android banking Trojans are known to use SMS phishing and third-party app stores as propagation vectors.
“While Android’s accessibility services are intended to assist users with disabilities, it is also possible for an attacker to learn when a particular app is launched and override what is displayed on the screen,” Intel 471 said. “Although this particular sample is configured to target Polish-speaking users, it is quite possible that we will observe this theme morphing to target other regions or impersonate other Polish institutions.”
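All three families described here lean on an enabled accessibility service to read screen content and draw overlays, and, as noted above, FLAG_SECURE only blocks screenshot-style capture, not accessibility-based reading of the view hierarchy. The following Kotlin snippet is an added illustration of the complementary app-side control a banking app can apply; it is not code from Intel 471, CYFIRMA or Zimperium, and the allowlist, `auditAccessibilityServices` and `shouldWarnUser` names are this example’s own.

```kotlin
import android.accessibilityservice.AccessibilityServiceInfo
import android.content.Context
import android.content.pm.ApplicationInfo
import android.content.pm.PackageManager
import android.view.accessibility.AccessibilityManager
import android.view.Window
import android.view.WindowManager

// Constructed allowlist: accessibility services the app accepts (e.g. a screen reader).
// Real deployments would maintain this list server-side; this entry is a placeholder.
val TRUSTED_SERVICE_PACKAGES = setOf("com.google.android.marvin.talkback")

data class AccessibilityRisk(
    val packageName: String,
    val serviceName: String,
    val canReadWindowContent: Boolean,  // the capability FvncBot-style "text mode" needs
    val isSystemApp: Boolean,
)

// Enumerates every enabled accessibility service and reports those not on the allowlist.
fun auditAccessibilityServices(context: Context): List<AccessibilityRisk> {
    val am = context.getSystemService(Context.ACCESSIBILITY_SERVICE) as AccessibilityManager
    val pm = context.packageManager
    return am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)
        .mapNotNull { info ->
            val svc = info.resolveInfo.serviceInfo
            if (svc.packageName in TRUSTED_SERVICE_PACKAGES) return@mapNotNull null
            val isSystem = try {
                (pm.getApplicationInfo(svc.packageName, 0).flags and ApplicationInfo.FLAG_SYSTEM) != 0
            } catch (e: PackageManager.NameNotFoundException) { false }
            val canRead = (info.capabilities and
                AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0
            AccessibilityRisk(svc.packageName, svc.name, canRead, isSystem)
        }
}

// A non-system service that can retrieve window content is the signal worth surfacing
// to the user (or to the bank's risk engine) before showing account data or a login form.
fun shouldWarnUser(risks: List<AccessibilityRisk>): Boolean =
    risks.any { !it.isSystemApp && it.canReadWindowContent }

// FLAG_SECURE defeats MediaProjection screen streaming but not accessibility reading,
// so it is applied in addition to, not instead of, the audit above.
fun hardenWindow(window: Window) {
    window.setFlags(WindowManager.LayoutParams.FLAG_SECURE, WindowManager.LayoutParams.FLAG_SECURE)
}
```

The audit is only a signal: a legitimate screen reader will also appear unless allowlisted, so the result should drive a warning or step-up verification rather than a hard block.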
While FvncBot’s main focus is data theft, SeedSnatcher (distributed under the name Coin through Telegram) is designed to enable the theft of cryptocurrency wallet seed phrases. It also supports the ability to intercept incoming SMS messages to steal two-factor authentication (2FA) codes for account takeover, and the ability to display phishing overlays to capture device data, contacts, call logs, files, and sensitive data.

Based on the Chinese-language instructions shared via Telegram and the Chinese-language text in the malware’s control panels, SeedSnatcher’s operators are assessed to be either based in China or Chinese-speaking.
“The malware utilizes advanced techniques such as dynamic class loading, stealth WebView content injection, and integer-based command-and-control instructions to evade detection,” CYFIRMA said. “It initially requests minimal runtime permissions, such as SMS access, but later escalates permissions to access file managers, overlays, contacts, call logs, etc.”
This development comes after Zimperium zLabs announced that it has discovered an improved version of ClayRat that has been updated to abuse both default SMS permissions and accessibility services, making it a more powerful threat that can record keystrokes and screens, display overlays such as fake system update screens to hide malicious activity, and create fake interactive notifications to steal victims’ responses.
ClayRat default SMS and accessibility permissions
In a nutshell, ClayRat’s enhanced capabilities facilitate the exploitation of accessibility services, automatic unlocking of device PINs/passwords/patterns, screen recording, notification collection, and entire device takeover with persistent overlays.
ClayRat is being spread through 25 fraudulent phishing domains that impersonate legitimate services such as YouTube and advertise a Pro version with background playback and 4K HDR support. The dropper app that distributes this malware has also been found to mimic Russian taxi and parking applications.
Researchers Vishnu Pratapagiri and Fernando Ortega said: “Taken together, these features make ClayRat a more dangerous spyware than previous versions, which could cause victims to uninstall applications or turn off their devices if they detected an infection.”
