A newly discovered malware, FvncBot, is posing a significant threat to Android users, particularly targeting those involved with mobile banking in Poland. Identified on November 25, 2025, this malicious software impersonates a legitimate security application from mBank, one of Poland’s leading financial institutions.
Deceptive Tactics and Installation
The FvncBot malware deceives users by presenting itself as a credible banking tool, tricking them into installing the application. Once installed, it silently operates in the background, aiming to compromise financial accounts through advanced surveillance tactics.
The infection process involves a deceptive prompt urging users to install an additional “Play” component, claimed to be essential for maintaining system stability. This strategy is crucial to bypass Android’s security measures, allowing the malware to gain a persistent presence on the device.
Innovative and Invasive Capabilities
Intel 471’s research found that FvncBot is an entirely original creation, not derived from the code of any known banking trojan, which suggests a new group of developers is behind it. The malware steals funds through invasive methods such as logging keystrokes and capturing screen data.
One of its alarming features is the use of hidden virtual network computing (VNC), which lets attackers remotely control the infected device. This capability allows cybercriminals to conduct fraudulent transactions without the victim’s knowledge.
Exploiting Accessibility Services
FvncBot’s most concerning tactic is its exploitation of Android’s accessibility services to maintain control over the device. After installation, it persistently requests elevated privileges, guiding users to grant these permissions in system settings. Once granted, the malware can read on-screen text and monitor user interactions.
With these permissions, FvncBot can extract data from any open application, including secure banking interfaces, and transmit this information to a remote server. The malware also uses WebSockets to establish a fast connection, allowing operators to issue commands and manipulate the device in real time.
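One defender-side check that follows from the accessibility abuse described above: list which apps currently hold accessibility access on a device and flag any that are not expected. This is an added example, not code from the article or from Intel 471; it assumes the input is the value of Android's Secure setting enabled_accessibility_services (readable with adb shell settings get secure enabled_accessibility_services), and the allowlist and sample package names are constructed placeholders, apart from the well-known TalkBack screen reader.

```python
"""Triage helper: flag unexpected Android accessibility services.

Added example (not from the article or Intel 471). The input is the value of
the Secure setting `enabled_accessibility_services`, a colon-separated list of
flattened ComponentName strings ("package/ServiceClass"). On a device it can
be read with: adb shell settings get secure enabled_accessibility_services
"""

# Packages expected to hold accessibility access on a managed fleet.
# Assumption: the operator maintains this list; TalkBack is the only real entry.
KNOWN_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",  # Android TalkBack screen reader
}


def parse_enabled_services(setting_value):
    """Split the Secure setting into (package, fully qualified class) tuples."""
    # `settings get` prints "null" when the setting has never been written.
    if not setting_value or setting_value.strip() in ("", "null"):
        return []
    entries = []
    for item in setting_value.split(":"):
        item = item.strip()
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        # A class name starting with "." is shorthand relative to the package.
        if cls.startswith("."):
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def flag_unexpected(setting_value, allowlist=KNOWN_ACCESSIBILITY_PACKAGES):
    """Return the enabled services whose package is not on the allowlist."""
    return [(pkg, cls) for pkg, cls in parse_enabled_services(setting_value)
            if pkg not in allowlist]


# Constructed sample: the legitimate screen reader plus a sideloaded app posing
# as a bank security tool (placeholder package name, not a real indicator).
SAMPLE_SETTING = ("com.google.android.marvin.talkback/"
                  "com.google.android.marvin.talkback.TalkBackService:"
                  "com.example.fakebanksecurity/.OverlayService")

if __name__ == "__main__":
    for pkg, cls in flag_unexpected(SAMPLE_SETTING):
        print(f"UNEXPECTED accessibility service: {pkg} ({cls})")
```

Any flagged entry that is not a screen reader or other known accessibility tool is worth a closer look, since a banking app never needs this permission.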
To mitigate such threats, users are advised to download banking applications solely from official sources and avoid unverified websites. Staying informed about such cyber threats is crucial for maintaining device security.
