Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features

Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features

Cybersecurity researchers have identified FvncBot, SeedSnatcher, and an upgraded ClayRat, all exploiting Android accessibility services and SMS permissions to steal financial and cryptographic data. FvncBot, masquerading as a security app, uses keylogging and screen streaming to target Polish banking users.

Why This Matters

Android’s accessibility services, designed for accessibility, are being weaponized by malware to bypass security restrictions and automate device control. Unlike ideal secure systems that isolate permissions, these threats leverage session-based bypasses and dynamic class loading to evade detection, risking widespread financial fraud and data exfiltration. The scale of impact is amplified by phishing and third-party app store distribution, which could infect millions of devices globally.

Key Insights

• “FvncBot abuses Android accessibility services for keylogging and screen streaming, 2025 (Intel 471)”
• “SeedSnatcher intercepts SMS 2FA codes and steals cryptocurrency seed phrases, 2025 (CYFIRMA)”
• “ClayRat exploits default SMS permissions for device takeover, 2025 (Zimperium)“

Practical Applications

• Use Case: Banking trojans like FvncBot use phishing to deploy malware via fake security apps.
• Pitfall: Overreliance on accessibility services without runtime validation enables persistent overlays and keystroke logging.

References:

• https://thehackernews.com/2025/12/android-malware-fvncbot-seedsnatcher.html