If you use an Android phone daily for online banking, social media or cryptocurrencies, you should take what follows seriously. In recent months several advanced malware families (FvncBot, SeedSnatcher and an improved version of ClayRat) have emerged, taking mobile attacks to another level by combining social engineering, remote device control and large-scale theft of sensitive data.
Unlike the old viruses that only served annoying ads, these Trojans can take almost total control of the phone, empty crypto wallets, steal banking credentials and spy on the victim with a sophistication comparable to, or greater than, many desktop attacks. We will look, plainly but in detail, at how they work, which techniques they share, and what you can do to keep your phone from becoming a tool for attackers.
An increasingly aggressive mobile threat landscape
The Android ecosystem is enormous: billions of devices handle payments, 2FA, private communications and access to corporate systems. This ubiquity has made Android a favourite target for criminal gangs, financial scammers and APT groups with possible state backing.
Security labs such as Intel 471, CYFIRMA and Zimperium have documented an accelerated evolution of Android malware in which the focus is no longer solely on home users. Increasingly, campaigns target company employees, profiles with privileged access, and users who handle large sums in banking and cryptocurrency apps.
In this context three families stand out: FvncBot, SeedSnatcher and ClayRat. Each specialises in one area (traditional banking, cryptocurrencies, or persistent espionage), but they share a common approach: stay undetected, abuse legitimate Android features (above all accessibility services and screen overlays), and exfiltrate as much information as possible while keeping control of the device.
Attackers have refined the use of obfuscated dropper apps, crypter services such as apk0day, messaging channels such as Telegram, and polished phishing domains that closely mimic popular websites and applications (YouTube, WhatsApp, taxi apps, crypto wallets and so on). For the average user, telling a legitimate app from a tampered one is becoming increasingly difficult.
FvncBot: banking trojan with VNC-type remote control
FvncBot is an Android banking Trojan and RAT developed from scratch, without recycling code leaked from other malware such as ERMAC. Its main public campaign targets mBank mobile banking users in Poland, where it impersonates a supposed official security application associated with the bank.
The fraudulent application acts as a dropper and is protected by apk0day, an encryption/obfuscation (crypter) service offered by Golden Crypt. The service packs the code so that static analysis and signature-based detection become much harder. On opening the app, a notification prompts the user to install a supposed "Google Play component" meant to improve system stability or security.
In reality that component is the FvncBot payload. Android 13 and later block apps installed from outside an app store from enabling accessibility services (the Restricted Settings control), but the check keys on how the app was installed: the dropper installs the payload through the session-based package installer API, the same path app stores use, so the payload is not treated as sideloaded and can still be granted the permissions it needs to view and control almost everything on the device.
Once deployed, FvncBot asks the user to enable its accessibility service. If the victim agrees, the Trojan gains very high privileges: it can read what is on screen, detect which apps are opened, simulate taps and gestures, draw windows on top of other apps, and log keystrokes in sensitive forms such as bank logins or payment services.
During execution the malware sends log events to a remote server under the domain naleymilva.it.com. The analysed samples carried the build identifier "call_pl", which points to Poland as the target country, and the version string "1.0-P", suggesting a family still early in development and therefore with room to keep adding capabilities.
After registering the device, FvncBot connects to its command-and-control infrastructure over HTTP and Firebase Cloud Messaging (FCM). Through these channels it receives orders in real time and can change its behaviour on the fly, enabling or disabling modules depending on the type of victim or the specific campaign.
The capabilities documented in the latest samples include:
- Starting or stopping WebSocket connections that give the operator remote control of the device: swiping, tapping, scrolling or opening applications as if the phone were in the attacker's hand.
- Exfiltration of accessibility events, the list of installed apps, and device information (model, Android version, bot configuration and so on).
- Receiving configurations that tell it which apps, generally banking or payment apps, to cover with malicious full-screen overlays.
- Hiding those overlays at the right moment so the victim barely notices anything strange.
- Abuse of the accessibility service to log keystrokes and data entered into critical forms.
- Use of the MediaProjection API to stream the screen in real time, so the attacker sees exactly what the user is doing. Windows that set FLAG_SECURE are rendered black in a MediaProjection capture, which is why the family also carries the text mode described below.

In addition, FvncBot has a "text mode" that reads the layout and visible content of the interface even when a conventional screen capture is not possible. This lets the operator inspect input fields, buttons and security messages in specially protected applications.
There is no public confirmation yet of its main distribution method, but, judging by similar banking Trojan families, it most likely relies on smishing campaigns (phishing by SMS), links sent through instant messaging, and third-party app stores hosting malicious clones of well-known apps or fake security tools.
Although the current configuration targets Polish mBank users, FvncBot's modular design lets attackers swap language, logos, overlay templates and even target banks with little effort. It would be no surprise to see it reappear in campaigns against other countries or banks within a short time.
SeedSnatcher: seed phrase and 2FA code stealer
Where FvncBot concentrates on traditional banking, SeedSnatcher goes straight for the crypto ecosystem. It is an Android infostealer built to steal wallet seed phrases, private keys and anything else that grants control of cryptocurrency wallets, along with other sensitive data from the device.
SeedSnatcher is distributed mainly through Telegram and other social channels, disguised under the name "Coin" or similar names that suggest investment tools, cryptocurrency management apps or access to exclusive promotions. The attackers post links to supposedly legitimate APKs in public and private groups devoted to trading, NFTs or blockchain news.
The malicious app is designed not to raise suspicion at first: it usually requests very few permissions at install time, typically SMS access or options that look harmless. This helps it slip past security tools that alert on apps demanding a long list of permissions at first launch.
Behind the scenes, however, SeedSnatcher starts deploying its arsenal. Its developers use dynamic class loading and stealthy content injection into WebView, which lets the app download additional modules from the command-and-control server, modify itself on the fly, and switch on functions only when it detects that the victim has opened certain cryptocurrency apps.
One of its most dangerous capabilities is the generation of very convincing phishing overlays that mimic well-known crypto wallets, exchanges or account recovery screens. The user believes they are restoring their wallet or verifying their identity; in reality they are handing their seed phrase or private key to the attackers.
Besides recovery seeds, SeedSnatcher can intercept incoming SMS messages to capture two-factor authentication (2FA) codes, which eases the takeover of accounts on exchanges, trading platforms, or any other service that still uses SMS as a second factor.
The malware is also equipped to exfiltrate a wide range of device data: contacts, call logs, local files and other material that can be reused in later fraud or extortion campaigns or sold on underground forums.
Research attributed to CYFIRMA points to operators based in China or Chinese-speaking, based on instructions and documentation in that language found both in the stealer's control panel and in messages shared via Telegram.
SeedSnatcher's privilege escalation is deliberately staged: it starts with minimal permissions to stay unnoticed, then later requests access to the file manager, overlay drawing, contacts, call logs and other critical resources. Each request is dressed up as necessary for some legitimate function, which lowers the chance that the user becomes suspicious.
The combination of visual deception, SMS theft, possible clipboard monitoring and silent data exfiltration makes SeedSnatcher a critical threat to anyone managing cryptocurrency from a phone, especially with non-custodial wallets based on seed phrases, which once compromised let the attacker drain the funds with no possibility of recovery.
ClayRat: modular spyware and almost total device control
ClayRat is modular Android spyware that has evolved rapidly into one of the most dangerous mobile surveillance tools on the current scene. It initially targeted specific markets (Russian users in particular), but recent variants show a qualitative leap in capabilities, persistence and geographic reach.
It is distributed through a mix of Telegram campaigns and carefully designed phishing websites that impersonate well-known services. These sites promote popular apps such as WhatsApp, Google Photos, TikTok or YouTube, and show fake reviews, positive ratings and inflated download counts to reinforce the impression of legitimacy.
What the user actually downloads is usually not the spyware itself but a lightweight dropper that carries the malware hidden and encrypted. The dropper may pose as a simple video app, a supposedly enhanced client or a handy utility. Once installed, it decrypts and releases the malicious payload, bypassing some system security controls.
Research by Zimperium zLabs and other teams shows that ClayRat doubly abuses accessibility services and the default SMS app role. By becoming the default SMS app it can read, write and send messages without the user's knowledge, intercepting 2FA codes, manipulating conversations, and using them as a vector to spread the infection.
The latest versions add a broad repertoire of advanced features:
- Keylogging, screenshots and full screen recording, which lets the operator reconstruct virtually everything the victim does.
- Access to calls, notifications, call history and other private data, with the option of uploading it to the command-and-control server.
- Taking photos with the front camera and exfiltrating them silently, something especially invasive because the lens points straight at the victim's face.
- Deploying overlays that simulate system updates, black screens or maintenance messages, used to mask malicious activity while the attackers operate the device in the background.
- Generating fake interactive notifications that appear to come from the system or from legitimate apps and that serve to collect responses, codes and keystrokes.
One particularly disturbing aspect is ClayRat's reported ability to unlock the device on its own even when it is protected by a PIN, password or pattern. By combining accessibility, screen layout recognition and gesture automation, the malware gets past the lock screen and operates the phone without user interaction.
Beyond spying, ClayRat turns every infected device into an automated distribution node: it can send SMS messages with malicious links to the contacts stored on the phone, exploiting the trust people place in a message from a known number. This enables fast, wide propagation without the attackers needing much additional infrastructure.
At least 25 phishing domains mimicking legitimate services such as YouTube have been observed, offering a supposed "Pro" version with background playback and 4K HDR support. Droppers impersonating Russian taxi and parking apps have also been detected, replicating names, icons and descriptions to deceive local users.
The expansion of ClayRat's capabilities, from simple data exfiltration to full device takeover with persistent overlays and automated unlocking, makes this latest variant even more dangerous than earlier ones, which at least left the victim some chance of noticing strange activity, uninstalling the app or switching the phone off in time.
Common techniques: accessibility, overlays, and advanced evasion
Although FvncBot, SeedSnatcher and ClayRat pursue somewhat different goals, they rely on a shared set of tactics and techniques that explain their success in real campaigns.
First is the systematic abuse of Android accessibility services. The feature exists to help users with disabilities interact with the device, but in the wrong hands it lets an attacker read what is on screen, detect interface changes, automate gestures and, in practice, control the phone almost as if it were their own.
The second pillar is overlays that replace legitimate interfaces, full-screen or partial. By drawing a fake layer over a real app (a bank, a crypto wallet, a popular service) attackers capture credentials, personal data, card numbers or seed phrases without compromising the original application. The user believes they are interacting with the usual app but is in fact typing into a screen controlled by the malware.
Third, these families use well-developed evasion techniques: code obfuscation and encryption through services like apk0day, dynamic loading of classes that are only downloaded when needed, silent injection of content into WebView, and integer-coded command instructions that make the traffic less obvious to monitoring systems.
Communication with command-and-control servers has also grown more sophisticated. Many of these Trojans use Firebase Cloud Messaging to receive orders, WebSocket connections for real-time control, and HTTP or HTTPS for exfiltration, blending their malicious traffic with the legitimate traffic of other apps, which complicates detection on corporate and home networks.
All of this is backed by very careful social engineering. Attackers build apps that pose as Google Play components, security tools, official banking apps, "Pro" versions of well-known platforms, or popular services such as taxis, parking and digital wallets. The aim is to lower the user's guard so they accept critical installations and permissions almost without reading.
How can your Android device be infected and what are the signs of potential compromise?
For all the technology behind them, the starting point is nearly always the same: convince the user to install an APK by hand or grant dangerous permissions. To do this, attackers rely on smishing messages, social media campaigns, forums, Telegram groups, or pages that promise irresistible perks (free paid apps, ad-free versions, investment opportunities and so on).
Once the victim takes the bait, they download the APK from an unofficial source, press "Install", and then accept accessibility permissions, SMS access, overlays and the default-app role for certain services (such as messaging). From there, much of the control passes to the malware, which will try to operate silently so as not to raise suspicion.
Even so, there are a number of indicators of compromise worth watching for:
- Abnormal battery consumption and mobile phone overheating without obvious heavy use.
- Significant increase in mobile or Wi-Fi data traffic without a clear explanation.
- Appearance of apps you don't remember installing or changes to default SMS, banking, or messaging apps.
- Unexpected shutdowns, crashes, or strange behavior in key apps such as banking, wallets, social media, or messaging.
- Unusual permission dialog boxes, especially those related to accessibility, SMS, or device management.
- Alerts for suspicious logins or unusual location changes on your cloud accounts, crypto services, or online banking.
If you notice several of these symptoms, run a full scan with a trusted mobile security solution, manually review the list of installed applications (including those with generic icons or odd names) and, if the situation is serious, consider a factory reset after backing up only the essentials.
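Part of that manual review can be scripted over a USB-debugging connection. The Python script below is an added example, not code from any of the labs cited on this page: it parses the text output of three real `adb shell` commands (`settings get secure enabled_accessibility_services`, `pm list packages -3 -i` and `cmd role get-role-holders android.app.role.SMS`) and flags third-party apps that combine the traits described in this article: installed outside an app store or by another third-party app (the dropper pattern), holding an enabled accessibility service, or holding the default SMS role. The trusted-installer set and all sample command output are constructed assumptions for the example.

```python
"""Post-exposure triage of an Android handset (added example).

Feeds on the text output of three real `adb shell` commands; the sample
output at the bottom is constructed for this example, not taken from a
real infection:
  settings get secure enabled_accessibility_services
  pm list packages -3 -i
  cmd role get-role-holders android.app.role.SMS
"""
from __future__ import annotations

import re

# Installer packages treated as app stores (assumption; extend per fleet).
TRUSTED_INSTALLERS = {"com.android.vending", "com.samsung.android.app.samsungapps"}


def parse_accessibility(out: str) -> set[str]:
    """'pkg/pkg.Svc:pkg2/.Svc' (or 'null') -> set of package names."""
    out = out.strip()
    if not out or out == "null":
        return set()
    return {entry.split("/")[0] for entry in out.split(":") if entry}


def parse_installers(out: str) -> dict[str, str | None]:
    """'package:<pkg>  installer=<pkg|null>' lines -> {pkg: installer or None}."""
    apps: dict[str, str | None] = {}
    for line in out.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.groups()
            apps[pkg] = None if installer == "null" else installer
    return apps


def parse_role_holders(out: str) -> set[str]:
    """One package name per line; empty output means nobody holds the role."""
    return {line.strip() for line in out.splitlines() if line.strip()}


def triage(acc_out: str, pkg_out: str, sms_out: str) -> dict[str, list[str]]:
    """Return {package: [reasons]} for third-party apps worth pulling off the device."""
    accessible = parse_accessibility(acc_out)
    apps = parse_installers(pkg_out)
    sms_holders = parse_role_holders(sms_out)
    findings: dict[str, list[str]] = {}
    for pkg, installer in apps.items():
        reasons: list[str] = []
        if installer is None:
            reasons.append("sideloaded (no installer recorded)")
        elif installer not in TRUSTED_INSTALLERS:
            # Installed by another third-party app: the session-based dropper
            # pattern FvncBot and ClayRat use so the payload is not treated as
            # sideloaded by Android 13's Restricted Settings.
            reasons.append(f"installed by third-party app {installer} (dropper pattern)")
        if pkg in accessible:
            reasons.append("accessibility service enabled")
        if pkg in sms_holders:
            reasons.append("holds the default SMS role")
        if reasons:
            findings[pkg] = reasons
    return findings


# Constructed sample output (not real device data).
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.pwmanager/.AutofillA11yService:"
    "com.example.videopro/.A11yService"
)
SAMPLE_PACKAGES = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.pwmanager  installer=com.android.vending
package:com.example.dropper  installer=null
package:com.example.videopro  installer=com.example.dropper
package:com.example.messaging.alt  installer=null
"""
SAMPLE_SMS_ROLE = "com.example.messaging.alt\n"

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES, SAMPLE_SMS_ROLE).items():
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real handset, replace the three constants with the output of the corresponding commands (for example `adb shell pm list packages -3 -i`). A store-installed app with an accessibility service, like the password manager in the sample, is still listed so it can be reviewed, but the combination of a non-store installer with accessibility or the SMS role is the pattern to act on first. The script only sees what the package manager reports, and `cmd role` exists on Android 10 and later.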
Best practices to protect your mobile phone from FvncBot, SeedSnatcher and ClayRat

The best defence against these threats combines technology and common sense. At the user level, a few basic digital hygiene rules drastically reduce the odds of infection by FvncBot, SeedSnatcher, ClayRat or similar.
The golden rule is clear: install apps only from Google Play or the provider's official website. Downloading APKs from links received by SMS, email, social media, Telegram channels or "miracle" download sites is today one of the main entry points for mobile malware.
It is also key to spend a few seconds reviewing the permissions each app requests before accepting them. If an app that supposedly plays videos, streams music or shows the weather asks for full SMS access, accessibility services, contacts or device administration, be suspicious. Many attacks depend on users tapping "Accept" without reading anything.
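For a practitioner vetting APKs before they reach a fleet, the same review can be done statically and at scale. The script below is an added example (not tooling from any source cited here): it parses the `uses-permission:` lines printed by `aapt dump permissions app.apk` and scores the permission combinations that correspond to the techniques in this article, such as SMS access together with overlay drawing, or SMS sending together with contact access. The weights, the combination rules and the two sample aapt outputs are constructed assumptions; the result is a triage heuristic, not a detection signature.

```python
"""Permission-combination review of an APK before it goes on a handset (added example).

Parses the `uses-permission:` lines printed by `aapt dump permissions app.apk`
(`aapt2 dump permissions` prints the same) and scores combinations that map to
the tactics described in this article. Weights, combinations and the sample
outputs below are constructed for this example.
"""
import re

PREFIX = "android.permission."

# Single-permission weights (assumption, hand-tuned for this example).
WEIGHTS = {
    "RECEIVE_SMS": 3, "READ_SMS": 3, "SEND_SMS": 3,
    "SYSTEM_ALERT_WINDOW": 3,          # draw over other apps: overlays
    "REQUEST_INSTALL_PACKAGES": 4,     # can stage a second APK: dropper
    "READ_CONTACTS": 1, "READ_CALL_LOG": 2,
    "CAMERA": 1, "RECORD_AUDIO": 1,
    "QUERY_ALL_PACKAGES": 2,           # enumerate targets for overlays
}

# Combinations that correspond to a specific technique from the article.
COMBOS = [
    ({"RECEIVE_SMS", "SYSTEM_ALERT_WINDOW"}, 4,
     "overlay phishing plus OTP interception (FvncBot / SeedSnatcher pattern)"),
    ({"SEND_SMS", "READ_CONTACTS"}, 4,
     "SMS self-propagation to the victim's contacts (ClayRat pattern)"),
    ({"REQUEST_INSTALL_PACKAGES", "SYSTEM_ALERT_WINDOW"}, 2,
     "dropper that can hide its install prompt behind an overlay"),
]


def parse_aapt_permissions(out: str) -> set[str]:
    """Permission names from aapt output, with the android.permission. prefix stripped.

    Accepts "uses-permission: name='X'" (current aapt), the older
    "uses-permission: X" form, and uses-permission-sdk-23 entries.
    """
    names = re.findall(r"uses-permission(?:-sdk-23)?:\s+(?:name=')?([A-Za-z0-9_.]+)", out)
    return {n[len(PREFIX):] if n.startswith(PREFIX) else n for n in names}


def score_permissions(perms: set[str]) -> tuple[int, list[str]]:
    """Weighted score plus human-readable reasons for a permission set."""
    score = 0
    reasons: list[str] = []
    for name in sorted(perms):
        weight = WEIGHTS.get(name, 0)
        if weight:
            score += weight
            reasons.append(f"{name} (+{weight})")
    for needed, bonus, note in COMBOS:
        if needed <= perms:
            score += bonus
            reasons.append(f"{note} (+{bonus})")
    return score, reasons


def verdict(score: int) -> str:
    """Map a score to a triage decision (thresholds are an assumption)."""
    if score >= 10:
        return "high: pull the APK for analysis before it goes near a handset"
    if score >= 5:
        return "medium: justify each permission against the app's stated purpose"
    return "low"


# Constructed aapt output for a fake "YouTube Pro" video app and a weather app.
SAMPLE_VIDEO_PRO = """\
package: com.example.youtube.pro
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.RECEIVE_SMS'
uses-permission: name='android.permission.READ_SMS'
uses-permission: name='android.permission.SEND_SMS'
uses-permission: name='android.permission.SYSTEM_ALERT_WINDOW'
uses-permission: name='android.permission.REQUEST_INSTALL_PACKAGES'
uses-permission: name='android.permission.READ_CONTACTS'
"""
SAMPLE_WEATHER = """\
package: com.example.weather
uses-permission: name='android.permission.INTERNET'
uses-permission: name='android.permission.ACCESS_COARSE_LOCATION'
"""

if __name__ == "__main__":
    for sample in (SAMPLE_VIDEO_PRO, SAMPLE_WEATHER):
        score, reasons = score_permissions(parse_aapt_permissions(sample))
        print(sample.splitlines()[0], "->", score, verdict(score))
        for reason in reasons:
            print("  -", reason)
```

Two caveats when using this. First, an accessibility service is not a `uses-permission`; it is a service declared in the manifest with `android.permission.BIND_ACCESSIBILITY_SERVICE`, visible in `aapt dump xmltree app.apk AndroidManifest.xml`, so pair this check with a manifest review. Second, SeedSnatcher-style staged requests only change when the user is asked: every runtime permission an app will ever request must already be declared in the manifest, which is exactly why a static review catches the stager even when its first-run prompt looks harmless.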
Another fundamental layer is keeping Android, apps and security solutions up to date. Manufacturers and Google regularly ship patches that close vulnerabilities and tighten the controls these Trojans work around (the Android 13 restrictions on accessibility for sideloaded apps are one example). Enabling automatic updates and checking them periodically is a minimal investment with a large return in security.
For accounts and credentials, use strong, distinct passwords for each service, keep them in a reliable password manager, and enable two-step verification wherever possible. Prefer 2FA methods based on authenticator apps or hardware keys over SMS, precisely because much mobile malware specialises in intercepting messages.
For anyone managing significant amounts of cryptocurrency, it is prudent not to generate or store seed phrases and private keys on a general-purpose Android device. Hardware wallets or dedicated devices minimise the impact of an infostealer like SeedSnatcher on the main phone.
In corporate environments, organisations should deploy mobile device management (MDM) solutions to control which apps can be installed, enforce encryption policies, separate work and personal profiles, and monitor indicators of compromise. Ongoing employee training on mobile phishing, suspicious links and anomalous permission screens matters as much as any technical control.
The rise of FvncBot, SeedSnatcher and the new ClayRat shows that the centre of gravity of cybercrime has shifted decisively towards mobile devices. Understanding how they work, which permissions they abuse and why their campaigns are so convincing helps drive home that the smartphone is no longer a relatively safe "toy" but the most valuable link in our digital life.
Adopting simple habits (apps only from trusted sources, wariness of links and permissions, an up-to-date system, and active mobile security) makes the difference between using your phone with peace of mind and watching it become a tool in the attackers' hands. Share this information so that more people learn about the different kinds of Android malware out there.