Researchers have revealed details of two Android malware strains called SeedSnatcher and FvncBot. An upgraded version of ClayRat was also found in the wild.
About the malware
FvncBot poses as a security app built by mBank and attacks mobile banking users in Poland. The malware is written from scratch and differs from other banking trojans, such as ERMAC, whose source code has been leaked.
According to Intel 471, the malware “implemented multiple features including keylogging by abusing Android’s accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud.”
Like the Albiriox banking malware, this trojan is shielded by a service called apk0day, which Golden Crypt offers.
Attack tactic
After the dropper app is launched, users are asked to download a Google Play component for the security of the app. In reality, it deploys the malware via a session-based approach, which other actors also adopt to escape accessibility restrictions on devices running Android 13 and above.
According to Intel 471, “During the malware runtime, the log events were sent to the remote server at the naleymilva.it.com domain to track the current status of the bot.” After this, the malware asks victims for accessibility services permission; it then gets privileges and connects to an ex
[…]
