Android Users Hit by FvncBot Malware Capturing Keystrokes and Dropping Payloads

Security researchers have uncovered a sophisticated new Android malware strain targeting mobile banking users.

Dubbed FvncBot, this malicious tool was first observed by Intel 471 on November 25, 2025.

It distinguishes itself from other banking trojans by using entirely original code rather than borrowing from leaked sources such as Ermac or Hook.

[Figure: Enabling the accessibility service of the payload application]

Targeting Banking Users

The malware initially appeared in Poland, disguised as a legitimate security application for mBank, one of the country’s most popular financial institutions.

The app, named “Klucz bezpieczeństwa mBank” (Security key mBank), tricks users into believing they are installing a necessary security update.

[Figure: logcat tool output with bot debug messages]

When a victim launches the fake app, it acts as a “loader.” It prompts the user to install a “Play component” to ensure system stability.

Once the user taps the green “Install” button, the actual FvncBot payload is decrypted and deployed on the device.

How It Works

According to Intel 471, FvncBot relies heavily on abusing Android Accessibility Services, a feature designed to help users with disabilities but frequently exploited by cybercriminals.

[Figure: Function used to log data collected from an overlay]

By gaining these permissions, the malware can:

  • Steal Keystrokes: The bot silently records everything the user types, including sensitive banking passwords and One-Time Passwords (OTPs). It either stores these logs in a buffer or sends them to the attacker instantly.
  • Perform Web Injects: The malware can detect when a victim opens a banking app and immediately overlay a fake phishing window on top of it. This tricks users into typing their credentials directly into a form controlled by the hackers.

[Figure: Function with H.264 encoder implementation]

What makes FvncBot particularly dangerous is its advanced ability to monitor and control devices remotely.

  • HVNC (Hidden Virtual Network Computing): The malware features a “text mode” that allows attackers to read the screen even if banking apps block screenshots (using the FLAG_SECURE setting). It reconstructs the screen layout data to show attackers exactly what the victim sees.
  • Live Streaming: Unlike older malware that sends choppy screenshots, FvncBot uses H.264 video compression to stream the victim’s screen in near real-time.
  • Remote Control: Using a WebSocket connection, attackers can remotely swipe, scroll, and click on the infected device. They can even lock the screen or black it out to hide their activities while they commit fraud in the background.

The specific distribution method is currently unknown, but researchers suspect it spreads through phishing sites or messaging apps like WhatsApp.

Android users are strongly advised to avoid downloading files from third-party websites and only install banking applications from the official Google Play Store.


The post Android Users Hit by FvncBot Malware Capturing Keystrokes and Dropping Payloads appeared first on Cyber Security News.

