Cybersecurity researchers have recently analyzed three Android malware families that have gained stronger data-stealing abilities. These threats (FvncBot, SeedSnatcher, and ClayRat) have all received upgraded features that allow attackers to control devices more deeply. The discoveries were made by well-known security research teams who warned that these malware families are becoming more advanced. Their new capabilities show how quickly mobile threats are evolving.
FvncBot is a newly identified Android banking trojan targeting users in Poland by pretending to be an official mBank security application. After installation, it tricks users into granting accessibility permissions, giving the malware powerful control over the phone. Researchers found that unlike earlier malware, FvncBot appears to be built from fresh code rather than copied from older trojans. This makes it harder for security tools to detect or compare it with previous families.
Once FvncBot gains full access, it can record keystrokes and capture the screen in real time. It also places fake overlays on top of genuine banking apps to steal login data without the user noticing. The malware connects to its controllers using WebSockets and cloud messaging services, enabling remote operation of the infected device. These capabilities allow attackers to conduct fraudulent transactions directly from the victim’s phone.
SeedSnatcher is another serious Android threat, specifically designed to target cryptocurrency users. Its main purpose is to steal wallet seed phrases, which are the recovery words that allow complete access to a crypto wallet. SeedSnatcher displays fake screens inside wallet apps to trick users into entering sensitive information. Because seed phrases grant full control over funds, this makes the malware extremely dangerous for crypto holders.
In addition to stealing seed phrases, SeedSnatcher can intercept incoming SMS messages. This allows attackers to capture one-time passwords and two-factor authentication codes sent through text messages. The malware receives coded instructions from its command server to perform operations quietly in the background. Researchers also observed links to Telegram-based distribution and infrastructure containing Chinese-language elements.
ClayRat is a well-known Android spyware family that has recently become more powerful. Newer versions misuse accessibility permissions along with SMS-handling permissions, allowing deeper control over infected devices. With these permissions combined, the spyware can read private messages, record screens, and collect notifications without the user’s knowledge. It also creates fake overlays that prevent users from closing or removing the malicious app.
ClayRat is often spread through phishing websites and fake applications that imitate popular services. This helps attackers target a wide range of victims across different regions. The spyware can also automate device actions such as unlocking the screen or performing taps on behalf of the attacker. These upgrades make ClayRat a persistent and difficult-to-remove threat.
Security researchers warn that all three malware families rely heavily on fake apps, phishing pages, malicious droppers, and Telegram channels for distribution. They strongly advise users to avoid installing applications from unknown sources and to be cautious when granting sensitive permissions like accessibility or SMS control. Keeping devices updated and using safer authentication methods can help reduce the risk of infection. As these malware families continue to grow more advanced, awareness and careful device use remain the best defenses.
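For defenders who manage a fleet of Android devices, the permission advice above can be turned into a simple triage check. The following is an added example, not code from the researchers: the inventory format (for instance an MDM export), the scoring weights, and the sample package names are all assumptions made for illustration.

```python
# Triage an Android app inventory for the risky permission mix the article describes.
# Assumption: each row has "package", "installer", "permissions", and a boolean
# "accessibility_service" (the app declares a service protected by
# android.permission.BIND_ACCESSIBILITY_SERVICE).
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
SMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
       "android.permission.SEND_SMS"}
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per fleet policy

def score_app(app):
    """Return (score, reasons) for one inventory row."""
    perms = set(app.get("permissions", []))
    has_a11y = bool(app.get("accessibility_service", False))
    reasons = []
    if has_a11y:
        reasons.append("declares an accessibility service")
    if perms & SMS:
        reasons.append("holds SMS permissions")
    if OVERLAY in perms:
        reasons.append("can draw overlays")
    if app.get("installer") not in TRUSTED_INSTALLERS:
        reasons.append("installed from an untrusted source")
    score = len(reasons)
    # Accessibility together with SMS access is the combination highlighted above.
    if has_a11y and perms & SMS:
        score += 2
    return score, reasons

def triage(inventory, threshold=4):
    """Return (package, score, reasons) for flagged apps, highest score first."""
    scored = [(app["package"], *score_app(app)) for app in inventory]
    return sorted((r for r in scored if r[1] >= threshold), key=lambda r: -r[1])

# Constructed sample inventory; package names are hypothetical.
SAMPLE = [
    {"package": "com.example.notes", "installer": "com.android.vending",
     "permissions": ["android.permission.INTERNET"]},
    {"package": "com.example.screenreader", "installer": "com.android.vending",
     "accessibility_service": True, "permissions": []},
    {"package": "com.example.securityupdate", "installer": None,
     "accessibility_service": True,
     "permissions": [OVERLAY, "android.permission.RECEIVE_SMS"]},
    {"package": "com.example.sideloadedgame", "installer": None,
     "permissions": ["android.permission.INTERNET"]},
]

if __name__ == "__main__":
    for package, score, reasons in triage(SAMPLE):
        print(f"{package}: score {score}: " + "; ".join(reasons))
```

A legitimate accessibility tool installed from the official store scores low on its own; only the sideloaded app that combines accessibility, SMS, and overlay access crosses the threshold and should be reviewed by hand.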
Stay alert, and keep your security measures updated!



