Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features
Cybersecurity researchers have disclosed details of two new Android malware families dubbed FvncBot and SeedSnatcher, as another upgraded version of ClayRat has been spotted in the wild. The findings come from Intel 471, CYFIRMA, and Zimperium, respectively. FvncBot, which masquerades as a security app developed by mBank, targets mobile banking users in Poland. What's notable about the malware
AI Analysis
Technical Summary
The disclosed Android malware families—FvncBot, SeedSnatcher, and ClayRat—represent a significant evolution in mobile banking and cryptocurrency theft threats.

FvncBot is a newly developed banking trojan targeting Polish users by impersonating a legitimate security app from mBank. It is built from scratch, not derived from leaked source code of previous trojans, and incorporates multiple advanced features such as keylogging via Android accessibility services, web-inject attacks, screen streaming, and hidden virtual network computing (HVNC). The malware uses a dropper app that tricks users into installing a fake Google Play component, leveraging session-based techniques to bypass accessibility restrictions on Android 13+. Once installed, it requests accessibility permissions to gain elevated privileges, enabling remote control of the device through WebSocket connections, exfiltration of keystrokes, device info, and installed apps, and the deployment of malicious overlays to capture sensitive data. Communication with the command-and-control server is maintained via HTTP and Firebase Cloud Messaging.

SeedSnatcher, distributed via Telegram under the name Coin, targets cryptocurrency wallets by stealing seed phrases and intercepting SMS 2FA codes. It uses advanced evasion techniques including dynamic class loading and stealthy WebView injections. Initially requesting minimal permissions, it escalates privileges to access files, contacts, and call logs, and to display phishing overlays. Its operator profile suggests Chinese or Chinese-speaking origins.

ClayRat’s upgraded version now abuses accessibility services and default SMS permissions to enable full device takeover. It can record keystrokes and screen content, display overlays mimicking system updates, harvest notifications, and automate unlocking of device PINs or patterns. ClayRat is distributed through phishing domains impersonating popular services like YouTube and Russian taxi apps.
These malware families collectively exploit Android’s accessibility services, a feature intended for users with disabilities, to gain extensive control over devices, evade detection, and steal financial and personal data. The use of crypting services and session-based deployment methods further complicates detection and mitigation efforts.
Potential Impact
For European organizations, especially financial institutions and cryptocurrency service providers, these malware families pose a direct threat to mobile banking security and digital asset safety. The targeting of Polish users by FvncBot indicates a focused campaign that could lead to significant financial losses and erosion of trust in mobile banking platforms. SeedSnatcher’s ability to steal seed phrases and 2FA codes threatens the security of cryptocurrency holdings, potentially impacting fintech companies and crypto exchanges operating in Europe. ClayRat’s enhanced capabilities for full device takeover increase risks of espionage, data leakage, and unauthorized access to corporate communications and credentials. The abuse of accessibility services and SMS permissions can bypass traditional security controls, making detection difficult and increasing the likelihood of successful breaches. The malware’s persistence and stealth features could lead to prolonged undetected compromises, affecting confidentiality, integrity, and availability of critical mobile endpoints. This threat landscape necessitates heightened vigilance for European organizations relying on Android mobile platforms for sensitive operations.
Mitigation Recommendations
European organizations should implement targeted defenses beyond generic mobile security advice:
- Enforce strict application vetting policies, restricting installation to verified sources such as the official Google Play Store, and employ mobile threat defense (MTD) solutions capable of detecting behavior indicative of accessibility service abuse and overlay attacks.
- Deploy endpoint detection and response (EDR) tools with mobile capabilities to monitor for suspicious use of accessibility APIs, screen recording, and unauthorized overlay creation.
- Educate users, particularly in financial sectors, about phishing risks, the dangers of sideloading apps, and the importance of scrutinizing permission requests, especially accessibility and SMS access.
- Implement multi-factor authentication methods that do not rely solely on SMS-based 2FA to mitigate interception risks.
- Regularly audit and monitor network traffic for anomalous connections to known command-and-control domains such as naleymilva.it.com.
- Collaborate with mobile OS providers to apply the latest security patches and consider deploying app behavior anomaly detection systems.
- For organizations with cryptocurrency exposure, encourage the use of hardware wallets or secure enclave technologies to protect seed phrases.
- Conduct threat hunting exercises focused on detecting these malware families’ indicators and behaviors within corporate mobile environments.
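Two of the recommendations above (auditing accessibility services on managed devices and checking network logs for the named command-and-control domain) can be turned into a small threat-hunting script. The following is an added example written for this record, not code from the article or from Intel 471, CYFIRMA, or Zimperium. It assumes the fleet tooling already collects the value of the Android secure setting `enabled_accessibility_services` (as returned by `adb shell settings get secure enabled_accessibility_services`) and exports DNS query logs as text lines; the allowlisted and flagged package names and all log lines are constructed for illustration, and only `naleymilva.it.com` comes from the analysis.

```python
"""Threat-hunting helpers for the mitigations above (added example).

Check 1: compare a device's enabled accessibility services with an allowlist.
Check 2: scan DNS/proxy log lines for the C2 domain named in the analysis,
         matching the apex and any subdomain but not look-alike suffixes.
All sample data is constructed; package names other than TalkBack are hypothetical.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicator taken from the analysis above; extend from the vendors' reports.
C2_DOMAINS = {"naleymilva.it.com"}

# Hypothetical allowlist: accessibility services the organisation expects to see.
ALLOWED_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample of `settings get secure enabled_accessibility_services`
# (colon-separated component names; "null" or "" when nothing is enabled).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.AccService"
)

# Constructed DNS log lines in a generic "timestamp device query type name" form.
SAMPLE_DNS_LOG = [
    "2025-12-08T12:01:02Z device=pixel-042 query A play.googleapis.com",
    "2025-12-08T12:01:05Z device=pixel-042 query A api.naleymilva.it.com",
    "2025-12-08T12:01:09Z device=pixel-017 query A naleymilva.it.com",
    "2025-12-08T12:01:11Z device=pixel-017 query A it.com",
]


def parse_enabled_accessibility(raw: str) -> list[str]:
    """Split the setting value into component names, tolerating 'null'/empty."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [s for s in raw.split(":") if s]


def unexpected_accessibility(raw: str, allowlist=ALLOWED_ACCESSIBILITY) -> list[str]:
    """Return enabled accessibility services that are not on the allowlist."""
    return [s for s in parse_enabled_accessibility(raw) if s not in allowlist]


def domain_matches(host: str, indicators=C2_DOMAINS) -> bool:
    """True if host is an indicator domain or a subdomain of one.

    A trailing dot (FQDN form) and case are normalised; a host that merely
    contains the indicator as a prefix (e.g. naleymilva.it.com.evil.example)
    is NOT a match, so suffix-style look-alikes do not produce hits.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in indicators)


@dataclass
class Hit:
    line_no: int
    host: str
    line: str


# Dotted hostnames whose last label is alphabetic, so IPv4 literals are skipped.
HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)


def scan_log(lines) -> list[Hit]:
    """Return one Hit per log line that names an indicator domain."""
    hits: list[Hit] = []
    for n, line in enumerate(lines, 1):
        for m in HOST_RE.finditer(line):
            if domain_matches(m.group(1)):
                hits.append(Hit(n, m.group(1).lower(), line))
                break
    return hits


if __name__ == "__main__":
    for svc in unexpected_accessibility(SAMPLE_ACCESSIBILITY):
        print(f"unexpected accessibility service enabled: {svc}")
    for h in scan_log(SAMPLE_DNS_LOG):
        print(f"line {h.line_no}: C2 indicator {h.host}: {h.line}")
```

Feed `unexpected_accessibility` the per-device setting value exported by the MDM or EDR agent and `scan_log` the resolver or proxy log; any hit is worth triage because neither a bank's security app nor a "system update" should require an accessibility service, and no managed device should resolve the listed domain.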
Affected Countries
Poland, Germany, France, United Kingdom, Italy, Spain, Netherlands
Technical Details
- Article Source: https://thehackernews.com/2025/12/android-malware-fvncbot-seedsnatcher.html (fetched 2025-12-08T11:59:27.873Z, 1483 words)
Threat ID: 6936bda25f72f49d151d2502
Added to database: 12/8/2025, 11:59:30 AM
Last enriched: 12/8/2025, 11:59:48 AM
Last updated: 12/9/2025, 10:12:42 AM