CYBER SYRUP
Delivering the sweetest insights on cybersecurity.


New Android Malware Surge: FvncBot, SeedSnatcher, and an Upgraded ClayRat Expand Mobile Threat Landscape

New research from Intel 471, CYFIRMA, and Zimperium reveals the emergence of three advanced Android malware families—FvncBot, SeedSnatcher, and an upgraded variant of ClayRat—designed to steal financial data and cryptocurrency assets and to seize full control of the device. These threats demonstrate a rapidly evolving mobile malware ecosystem, increasingly built around abusing Android Accessibility Services and sophisticated overlay attacks.

Context

Android remains the largest mobile operating system globally, making it a prime target for financially motivated and state-linked threat actors. Banking trojans, wallet stealers, and spyware families continue to converge in capability, often incorporating remote access, credential harvesting, and screen streaming. The newly identified malware families expand this trend with custom-built codebases, advanced evasion, and powerful automation.

What Happened

Researchers identified:

  • FvncBot — A newly written banking trojan impersonating mBank security tools to target Polish users.

  • SeedSnatcher — A cryptocurrency-focused stealer distributed via Telegram.

  • ClayRat (Upgraded) — A more capable spyware variant abusing accessibility services to gain full device takeover.

Collectively, these malware families represent a significant escalation in Android-focused cybercrime, with actors adopting more modular, stealthy, and automated infection workflows.

Technical Breakdown

FvncBot

  • Fully custom malware, unrelated to leaked ERMAC codebases.

  • Delivered via a dropper app masquerading as a Google Play component.

  • Abuses Accessibility Services to achieve:

    • Keylogging

    • Web-inject attacks

    • Hidden VNC (HVNC) remote control

    • Screen streaming

    • Overlay attacks for credential theft

  • Communicates with C2 via Firebase Cloud Messaging (FCM).

  • Tracks victims through build identifiers pointing to Poland.

SeedSnatcher

  • Distributed as a Telegram “Coin” app.

  • Targets:

    • Cryptocurrency seed phrases

    • SMS-based 2FA codes

    • Contacts, device data, call logs, and stored files

  • Features:

    • Dynamic class loading

    • WebView injection

    • Integer-based C2 command structure

  • Indicators suggest Chinese-speaking operators.

ClayRat (Updated Version)

  • Now leverages Accessibility Services for:

    • Keystroke logging

    • Screen recording

    • Notification harvesting

    • Auto-unlocking device PIN/password

    • Persistent phishing overlays

  • Delivered through:

    • 25 phishing domains posing as YouTube

    • Fake “Pro” apps with 4K playback

    • Russian taxi and parking app impersonations

Impact Analysis

These malware families enable:

  • Full account takeover via stolen credentials, seeds, banking data, and 2FA codes.

  • Remote device control, including actions on behalf of victims.

  • Financial fraud across banking and crypto ecosystems.

  • Silent persistence, often without visible indicators to the user.

The combination of HVNC, overlays, FCM-based command delivery, and accessibility abuse gives attackers near-total visibility and control of infected devices.

Why It Matters

Android malware is rapidly maturing beyond simple credential theft.
The convergence of:

  • Remote control

  • Seed phrase theft

  • Screen streaming

  • Automated fraud

  • Accessibility abuse

  • Advanced obfuscation

…represents a fundamental shift in attacker capability. Mobile devices are no longer just endpoints—they are becoming full attack surfaces for financial, espionage, and identity theft campaigns.

Expert Commentary

Researchers emphasize that Accessibility Services—designed to help disabled users—are becoming the most abused Android feature for full compromise.
Malware families are increasingly:

  • Custom-built rather than cloned

  • Distributed through highly convincing phishing workflows

  • Expanded with modular plugin-like capabilities

  • Leveraging social engineering and technical bypasses together

As Zimperium notes, ClayRat's newest features mean victims may no longer be able to interrupt or remove infections without deeper system intervention.

Key Takeaways

  • Three emergent malware families showcase an aggressive evolution of Android cybercrime.

  • Accessibility Services remain the single highest-risk permission in the Android ecosystem.

  • FvncBot and SeedSnatcher highlight financial and crypto fraud as top motivators.

  • ClayRat demonstrates how attackers blend spyware and RAT capabilities into persistent mobile footholds.

  • Organizations should treat Android devices as full-fledged endpoints requiring security hardening.
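Because all three families depend on an enabled Accessibility Service, one concrete hardening check is to audit which services are enabled on a managed device and flag any that are not on an expected list. The script below is an added example, not part of the original article or the researchers' tooling; it assumes adb is installed with a device attached in USB debugging mode, and the TalkBack component name and the second package name are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the article): audit enabled Accessibility Services
# on an Android device and report any component not on an allowlist.
# Assumes adb is installed and a device is attached with USB debugging on.

# Components an organisation expects to see enabled (placeholder value;
# replace with the services actually approved on your fleet).
ALLOWED_SERVICES="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Given the raw value of the Secure setting `enabled_accessibility_services`
# (a colon-separated list of package/service components) and an allowlist in
# the same format, print every component that is not on the allowlist.
flag_unexpected_services() {
    raw="$1"
    allow="$2"
    # The setting reads "null" when no service has ever been enabled.
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        case ":$allow:" in
            *":$svc:"*) ;;                 # expected service, stay quiet
            *) printf '%s\n' "$svc" ;;     # anything else is worth a look
        esac
    done
}

# Pull the live setting from the attached device and evaluate it.
audit_device() {
    live=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    unexpected=$(flag_unexpected_services "$live" "$ALLOWED_SERVICES")
    if [ -n "$unexpected" ]; then
        echo "Unexpected accessibility services enabled:"
        echo "$unexpected"
        return 1
    fi
    echo "No unexpected accessibility services enabled."
}

# Constructed sample of the setting as it might appear on a device where an
# unknown app (hypothetical package name) has been granted accessibility access.
SAMPLE="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeplayer/.AccessService"

flag_unexpected_services "$SAMPLE" "$ALLOWED_SERVICES"
```

Run `audit_device` against a real device; a non-zero exit plus the printed component list is the signal to investigate that package.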
