FvncBot
FvncBot is an Android banking trojan targeting mobile banking users in Poland, with campaigns impersonating mBank and SGB-branded security applications. It is disguised as a legitimate banking-security app and uses bank-themed social engineering to convince victims to install additional components, including a fake "Play" component or a visible second-stage app such as "Android V.28.11," and to enable an accessibility service presented as "System Update." Reported distribution channels include unofficial websites, possible SMS phishing, and third-party app stores.
The malware is described as written from scratch rather than derived from leaked Android banking trojan source code. Its infection chain can be multi-stage: CERT Polska documented an outer loader package (com.junk.knock) that dynamically loaded an installer from /data/user/0/com.junk.knock/app_tell/tWyWeG.txt, extracted a second-stage APK (payload_grass.apk), and handed execution to a second-stage package com.core.town via the deep link core://setup. That second stage contained a hidden asset qkcCg.jpg, which was transformed with an RC4-like routine using the key "sDjCM" to recover the final implant dex.
FvncBot heavily abuses Android Accessibility Services for persistence, surveillance, and remote control. Reported capabilities include keylogging; capture of text changes from editable fields; reading on-screen text; tracking user taps; building a full JSON representation of the active UI tree; gesture injection via dispatchGesture(); and global navigation actions. It also supports overlays, including URL, HTML, black-screen, and loading overlays, enabling web-inject-style fraud and credential theft. The malware can inspect screen layout even when screenshots are blocked by FLAG_SECURE.
The trojan also provides hidden VNC/HVNC-style remote access and screen streaming, including reported H.264 streaming support. It can request MediaProjection permission and start screen capture for live operator sessions. Researchers reported that it can operate inside genuine banking apps, stream the victim screen, and inject fraudulent transactions directly from the compromised device, helping bypass conventional security checks.
For command and control and exfiltration, FvncBot has been reported using WebSockets for real-time sessions and Firebase Cloud Messaging (FCM) to receive commands. CERT Polska observed backend polling and registration traffic to jeliornic.it.com, including /api/v1/devices/register, /api/v1/tracking/events, and batched device event endpoints. Another report associated FvncBot with naleymilva.it.com. Campaign infrastructure also included hosting on ruvofech.it[.]com. Observed telemetry included device registration, milestone tracking events such as app_first_launch, install_permission_granted, installation_success, and accessibility_enabled, and exfiltration of device information, installed apps, logged events, and stolen user data.
High-confidence identifiers and artifacts mentioned in reporting include package names com.junk.knock and com.core.town, the exported accessibility service com.core.town.service.RemoteAccessibilityService, the deep link core://setup, hidden asset qkcCg.jpg, RC4-like key "sDjCM," build identifier "call_pl," and attacker infrastructure at jeliornic.it.com, naleymilva.it.com, and ruvofech.it[.]com. CERT Polska assessed the SGB-themed sample as another branch of the broader FvncBot campaign.
Techniques & procedures
19 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 1 technique
Execution: 1 technique
Persistence: 1 technique
Stealth: 5 techniques
"Albiriox ... packing techniques, to evade static detection"; "protected by a crypting service known as apk0day"
The app presents itself as Token U2F Mobilna Ochrona SGB, claims that a Play Component is required, and then guides the victim through the installation of a hidden second-stage application labeled Android V.28.11. After that, the victim is pushed into enabling an accessibility service presented as System Update.
The hidden asset is transformed with an RC4-like routine keyed by sDjCM and expands to the final implant dex.
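A triage step for the hidden-asset stage described here and in the campaign summary above, as an added example (not FvncBot or CERT Polska code): it assumes the "RC4-like" routine is plain RC4 keyed with sDjCM and checks the result for the dex magic, so a miss tells the analyst the variant deviates and needs reversing.

```python
"""Triage helper for the hidden asset: try RC4 with the reported key and
check for a dex header. Added example, not FvncBot or CERT Polska code."""
from typing import Optional

DEX_MAGIC = b"dex\n"
FVNCBOT_KEY = b"sDjCM"  # key reported for the qkcCg.jpg asset


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_dex(blob: bytes, key: bytes = FVNCBOT_KEY) -> Optional[bytes]:
    """Return the decrypted buffer only if it starts with the dex magic.

    Assumption: the "RC4-like" routine is plain RC4. A None result means
    the variant deviates (custom KSA, extra XOR, etc.) and needs reversing.
    """
    plain = rc4(key, blob)
    return plain if plain.startswith(DEX_MAGIC) else None


# Constructed sample standing in for the asset: a fake dex header encrypted
# with the same key. For a real sample use open("qkcCg.jpg", "rb").read().
FAKE_DEX = b"dex\n035\x00" + b"\x00" * 24
SAMPLE_ASSET = rc4(FVNCBOT_KEY, FAKE_DEX)

if __name__ == "__main__":
    dex = recover_dex(SAMPLE_ASSET)
    print("dex recovered" if dex else "not plain RC4: needs manual analysis")
```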
Defense Impairment: 1 technique
Credential Access: 4 techniques
Discovery: 1 technique
Lateral Movement: 1 technique
Collection: 5 techniques
The service builds a full JSON representation of the current screen, including text, content descriptions, view IDs, screen bounds, roles, and children.
The implant captures text changes from editable fields and records both the previous and updated values.
Command and Control: 4 techniques
Observed backend traffic:
https://jeliornic.it.com/api/v1/tracking/events
https://jeliornic.it.com/api/v1/devices/register
https://jeliornic.it.com/api/v1/devices/device_bf43438cc5236391/events/batch
The WebSocket client is built with OkHttp and adds X-API-Key when present: OkHttpClient.Builder timeout = new OkHttpClient.Builder().readTimeout(0L, TimeUnit.MILLISECONDS);
The HTTP helper uses both X-API-Key and X-Device-ID for authentication: httpURLConnection.setRequestProperty("X-API-Key", string); httpURLConnection.setRequestProperty("X-Device-ID", strG);
It writes the embedded APK directly from assets and launches installation: File file = new File(opposeActivity.getCacheDir(), "installer_" + System.currentTimeMillis() + ".apk"); InputStream inputStreamOpen = opposeActivity.getAssets().open("apk/payload_grass.apk");
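Detection logic for the backend traffic and header pair listed above (and in the C2 paragraph of the summary), as an added example that is not from any report or vendor rule: it scans constructed JSON proxy records for the reported hosts, the /api/v1 backend paths, and the X-API-Key plus X-Device-ID pair, so a beacon to a not yet reported domain is still flagged by the path and header rules. Field names are assumed and should be mapped to your proxy's schema.

```python
"""FvncBot backend-traffic detection over egress proxy logs. Added example,
not from any report or vendor rule; log lines are constructed JSON records
(src, host, path, headers) and field names should be adapted to your proxy."""
import json
import re

# Hosts named in public reporting (defanging brackets removed).
FVNCBOT_HOSTS = {"jeliornic.it.com", "naleymilva.it.com", "ruvofech.it.com"}
# Backend paths observed by CERT Polska; the device id segment varies.
FVNCBOT_PATHS = [re.compile(p) for p in (
    r"^/api/v1/devices/register$",
    r"^/api/v1/tracking/events$",
    r"^/api/v1/devices/[A-Za-z0-9_]+/events/batch$",
)]

def classify(record: dict) -> list:
    """Return every reason one proxy record matches FvncBot tradecraft."""
    reasons = []
    host = record.get("host", "").lower().replace("[.]", ".")
    path = record.get("path", "")
    headers = {k.lower() for k in record.get("headers", {})}
    if host in FVNCBOT_HOSTS:
        reasons.append(f"known FvncBot host {host}")
    if any(p.match(path) for p in FVNCBOT_PATHS):
        reasons.append(f"FvncBot backend path {path}")
    # The implant's HTTP helper sends both headers together: a weaker,
    # infrastructure-independent signal that also fires on unlisted hosts.
    if {"x-api-key", "x-device-id"} <= headers:
        reasons.append("X-API-Key + X-Device-ID header pair")
    return reasons

def scan(lines: list) -> list:
    """One alert per JSON log line that matches at least one rule."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            alerts.append({"src": rec.get("src"), "host": rec.get("host"), "reasons": reasons})
    return alerts

# Constructed sample log: a benign request, a registration beacon, then a
# batch upload to an unlisted host that only the path and header rules catch.
SAMPLE_LOG = [
    '{"src":"10.0.0.7","host":"www.example.org","path":"/","headers":{}}',
    '{"src":"10.0.0.12","host":"jeliornic.it.com","path":"/api/v1/devices/register","headers":{"X-API-Key":"k","X-Device-ID":"device_bf43438cc5236391"}}',
    '{"src":"10.0.0.12","host":"cdn.unlisted.test","path":"/api/v1/devices/device_bf43438cc5236391/events/batch","headers":{"X-API-Key":"k","X-Device-ID":"d"}}',
]
```

Running scan(SAMPLE_LOG) yields two alerts for 10.0.0.12, the second carrying only the path and header reasons because its host is not on the list.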
IOCs tracked for this family
12 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
Recent activity
11 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Named as one of 17 Android malware families detected in the wild over four months.
A multi-stage Android remote-control implant chain disguised as Polish banking/security apps. It installs a hidden second-stage app, abuses Accessibility Services for remote control, keylogging, UI-tree capture, overlays/web-injects, screen streaming, command polling, and backend registration.
Android banking trojan (written from scratch) that abuses Accessibility for keylogging, performs web-injects, supports screen streaming and HVNC to enable financial fraud; masquerades as a security app.
Android banking-focused malware masquerading as a security app; targets mobile banking users in Poland and adds data theft capabilities.