Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

  • Blog URL: https://www.intel471.com/blog/new-fvncbot-android-banking-trojan-targets-poland
  • Blog Title: New FvncBot Android banking trojan targets Poland
  • Suggested Section: Mobile Pentesting -> Android Applications Pentesting (new subpage such as 'Android Accessibility & Overlay Abuse / RAT Techniques' covering session-based installer abuse, accessibility-based keylogging & HVNC, WebView overlay phishing, and FCM/FRP/WebSocket C2 patterns)

🎯 Content Summary

Overview & Targeting

FvncBot is a newly observed Android banking trojan first seen on Nov. 25, 2025, distributed via a malicious loader app impersonating mBank’s Polish app “Klucz bezpieczeństwa Mbank” (Security key Mbank). The loader’s only purpose is to covertly install and bootstrap a second-stage payload (com.fvnc.app), which Intel 471 named FvncBot. Both loader and payload are heavily obfuscated using the commercial apk0day crypting service, attributed to the GoldenCrypt actor,...

🔧 Technical Details

Abusing Session-Based Package Installer for Second-Stage Payloads

The loader embeds a second-stage APK in its assets/ directory and uses Android’s session-based package installer APIs to extract and install it at runtime. By opening an install session, streaming the APK bytes, and committing the session programmatically, an attacker can bypass newer Android 13+ restrictions that hinder accessibility- or UI-driven silent installs. Any malicious loader can replicate this to drop additional APKs without relying on classic, more easily detectable install flows.

Social-Engineering Users into Enabling Malicious Accessibility Services

The payload presents a guided wizard and deep-link to Accessibility Settings, convincing users to enable its Accessibility Service under the pretext of “proper functioning” or “security.” Once enabled, the service can monitor all relevant AccessibilityEvents, read text from input f...

🤖 Agent Actions

Summary:

  • Expanded accessibility-services-abuse.md with modern Android banking-Trojan TTPs from the Intel 471 FvncBot report, including session-based second-stage installation via PackageInstaller, accessibility-driven keylogging buffers, WebView overlay phishing with JS bridges, and FRP/WebSocket-driven HVNC streaming.
  • Added a new “FvncBot-style loader & C2 fingerprints” section covering cleartext registration patterns, FCM-triggered FRP/WebSocket escalation, and leveraging embedded debug logs for hunting, plus enriched the detection checklist with network/telemetry indicators.
  • Updated the references to cite the Intel 471 blog that informed the new content.

Tests: Not run (not applicable).


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
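The loader pattern described in the Technical Details (a second-stage APK carried in assets/ and installed through the session-based PackageInstaller API) can be triaged statically from the APK alone. The script below is an added example and is not code from the Intel 471 report or from HackTricks; the loader-shaped sample it scans is constructed in memory, and the DEX marker strings are the framework descriptors the compiled code must reference unless it goes through reflection.

```python
"""Static triage of an APK for the FvncBot-style loader pattern:
nested APK under assets/ plus use of PackageInstaller sessions."""
import io
import zipfile

# Framework class descriptors stored as plain MUTF-8 strings in classes*.dex.
# A crypter can only hide these by resolving the API via reflection.
INSTALLER_MARKERS = (
    b"Landroid/content/pm/PackageInstaller$Session;",
    b"Landroid/content/pm/PackageInstaller$SessionParams;",
)
ZIP_MAGIC = b"PK\x03\x04"  # an APK is a zip, whatever its extension


def triage_apk(apk_bytes: bytes) -> dict:
    """Return the loader indicators found in an APK given as raw bytes."""
    findings = {"nested_apks": [], "session_installer": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for name in apk.namelist():
            if name.startswith("assets/"):
                # Payloads are often renamed (.bin, .dat), so check the magic
                # bytes instead of trusting the extension.
                with apk.open(name) as member:
                    if member.read(4) == ZIP_MAGIC:
                        findings["nested_apks"].append(name)
            elif name.startswith("classes") and name.endswith(".dex"):
                dex = apk.read(name)
                if any(marker in dex for marker in INSTALLER_MARKERS):
                    findings["session_installer"] = True
    both = bool(findings["nested_apks"]) and findings["session_installer"]
    findings["loader_like"] = both
    return findings


def build_sample_apk(loader: bool) -> bytes:
    """Construct a minimal APK-shaped zip (placeholder content, not malware)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("classes.dex", b"dex\n035\x00second-stage placeholder")
    dex = b"dex\n035\x00" + (INSTALLER_MARKERS[0] if loader else b"Lcom/x/Main;")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<placeholder/>")
        if loader:
            z.writestr("assets/update.bin", inner.getvalue())
        z.writestr("classes.dex", dex)
    return outer.getvalue()


if __name__ == "__main__":
    print(triage_apk(build_sample_apk(loader=True)))
    print(triage_apk(build_sample_apk(loader=False)))
```

On a real sample, feed `triage_apk` the bytes of the APK file; a hit only flags the combination for manual review, since legitimate app stores and MDM agents also use installer sessions.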

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://www.intel471.com/blog/new-fvncbot-android-banking-trojan-targets-poland

Content Categories: Based on the analysis, this content was categorized under "Mobile Pentesting -> Android Applications Pentesting (new subpage such as 'Android Accessibility & Overlay Abuse / RAT Techniques' covering session-based installer abuse, accessibility-based keylogging & HVNC, WebView overlay phishing, and FCM/FRP/WebSocket C2 patterns)".

Repository Maintenance:

  • MD Files Formatting: 914 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0
