A new banking trojan, identified as FvncBot, is actively targeting Android users, particularly mobile banking customers in Poland. This sophisticated malware, first observed on November 25, 2025, disguises itself as a legitimate security application supposedly from mBank, a prominent Polish financial institution. The primary goal of FvncBot is to infiltrate users’ devices and gain unauthorized access to their financial accounts through covert surveillance and remote control capabilities, posing a significant threat to personal finances.
The infection chain is initiated when the fake application prompts the user to install an additional component labeled “Play,” which is presented as a necessity for system stability. This deceptive step is crucial for the malware’s operation as it helps bypass stringent security protocols present on modern Android devices. By tricking users into granting the requested permissions, the malicious loader effectively establishes a persistent presence on the compromised device, setting the stage for clandestine data theft.
FvncBot: A Novel Banking Trojan Exploiting Accessibility Services
Researchers at Intel 471 have identified and named this distinct threat FvncBot. Notably, its codebase is entirely original, distinguishing it from strains derived from leaked code of previously known banking trojans. This suggests a new and independent development group is behind this operation. FvncBot employs a range of invasive functionalities designed to facilitate financial theft, including keylogging and screen capturing. Additionally, it leverages hidden Virtual Network Computing (VNC) capabilities, empowering cybercriminals to remotely operate the infected device and conduct fraudulent transactions without the user’s knowledge.
The most concerning aspect of FvncBot lies in its exploitation of Android’s accessibility services. Once installed, the malware aggressively seeks to obtain these elevated privileges, skillfully guiding the user through system settings to grant approval. Upon successful enablement, FvncBot gains the ability to read on-screen text and meticulously track every user interaction, such as taps and swipes.
With accessibility services active, FvncBot can systematically harvest sensitive data from any application running on the device, including highly secure online banking portals. This captured information is then consolidated into a temporary storage buffer before being transmitted to a remote command-and-control (C2) server. Moreover, the malware establishes a high-speed connection utilizing WebSockets, which allows threat actors to issue commands to the compromised device with minimal latency. This enables real-time screen streaming and remote manipulation for executing fraudulent activities.
To mitigate the risk of such infections, users are strongly advised to exercise extreme caution and exclusively download banking applications from official app stores or trusted sources. Installing financial software from unofficial websites or through ambiguous search results significantly increases the likelihood of falling victim to sophisticated malware like FvncBot. The ongoing evolution of mobile banking threats underscores the critical need for users to remain vigilant and informed about cybersecurity best practices.

