New FvncBot Android Banking Malware Attacking Users to Log Keystrokes and Inject Malicious Payloads

A dangerous new Android banking malware named FvncBot was first observed on November 25, 2025. This malicious tool is designed to steal sensitive financial information by logging keystrokes, recording screens, and injecting fake login pages into banking apps.

The malware initially spreads through a fake application disguised as a security tool for mBank, a popular Polish bank.

[Figure: The accessibility service of the payload application]

The app, named “Klucz bezpieczeństwa mBank” (Security Key mBank), acts as a “loader”. Once a user installs and opens this fake app, it secretly downloads and installs the primary FvncBot payload.

To hide its activity, the malware uses a known obfuscation service called apk0day, making it harder for security systems to detect.

[Figure: Bot debug messages]

Researchers say FvncBot is different from other banking malware. Instead of reusing code from older threats like Ermac or Hook, its code looks completely new.

FvncBot is highly advanced and includes several powerful features to defraud victims:

| Feature | Description |
| --- | --- |
| Keylogging | Abuses Android Accessibility Services to capture every keystroke, including passwords, PINs, and OTPs. Logs up to 1,000 events before exfiltrating via HTTP or WebSocket. |
| Web-Inject Attacks | Displays fake overlay windows on legitimate banking apps to trick users into entering credentials. Phishing pages received from command server. |
| Screen Streaming | Streams device screen in real-time using H.264 video compression for efficient bandwidth usage and continuous monitoring. |
| HVNC (Hidden VNC) | Enables remote device control by creating JSON UI element representations. Allows attackers to navigate, swipe, click, and enter data. |
| Remote Command Execution | Uses WebSocket connection and Firebase Cloud Messaging (FCM) for near-real-time bidirectional communication with command servers. |
| Device Manipulation | Capable of locking device, muting audio, displaying black overlays, launching applications, and entering arbitrary data into text fields. |
| Code Obfuscation | Obfuscated using apk0day crypting service operated by GoldenCrypt actor to evade detection and security analysis. |

Using these capabilities, attackers can swipe, click, and even enter text to empty bank accounts while the phone appears locked or blacked out.

The Intel 471 discovery of FvncBot underscores the importance of downloading apps only from official sources, such as the Google Play Store.

[Figure: Log data collected from an overlay]

Users should be cautious of “security updates” or banking apps found on third-party websites or sent via direct messages, as these are common traps used to deliver this type of malware.
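For defenders triaging a device, the two traits described above (an enabled accessibility service and an app that did not come from an official store) can be checked together. The following is an added example, not code from the article or from Intel 471; it parses captured output of two standard adb commands, and the trusted-installer set, the function names and the `com.example.*` sample data are assumptions constructed for illustration.

```python
# Inputs are captured text from two adb commands:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i      (-3 = third-party only, -i = installer)
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Google Play only

def parse_enabled_services(raw):
    """Return (package, service_class) pairs from the colon-separated setting."""
    pairs = []
    for comp in raw.strip().split(":"):
        if "/" not in comp:            # empty setting or the literal "null"
            continue
        pkg, cls = comp.split("/", 1)
        if cls.startswith("."):        # short form is relative to the package
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs

def parse_installers(raw):
    """Map package -> installer (None when unknown) from `pm list packages -i`."""
    installers = {}
    for line in raw.splitlines():
        fields = line.strip().split()
        if not fields or not fields[0].startswith("package:"):
            continue
        inst = next((f[len("installer="):] for f in fields[1:]
                     if f.startswith("installer=")), "null")
        installers[fields[0][len("package:"):]] = None if inst == "null" else inst
    return installers

def suspicious_services(services_raw, packages_raw):
    """Enabled accessibility services owned by third-party apps that did not
    come from a trusted store. Preinstalled apps are absent from the -3 list
    and are skipped."""
    installers = parse_installers(packages_raw)
    return [(pkg, cls, installers[pkg])
            for pkg, cls in parse_enabled_services(services_raw)
            if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS]

# Constructed sample output; the com.example.* names are hypothetical.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.reader/.ReadAloudService:"
    "com.example.payload/com.example.payload.core.A11yService")
SAMPLE_PACKAGES = """\
package:com.example.reader  installer=com.android.vending
package:com.example.loader  installer=null
package:com.example.payload  installer=com.example.loader
"""

if __name__ == "__main__":
    for pkg, cls, inst in suspicious_services(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg} ({cls}) installed by {inst or 'unknown'}")
```

A hit is a lead for review rather than a verdict, since legitimately sideloaded enterprise or accessibility tools will also appear.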

The post New FvncBot Android Banking Malware Attacking Users to Log Keystrokes and Inject Malicious Payloads appeared first on Cyber Security News.
