New Android Malware Families FvncBot, SeedSnatcher, and Enhanced ClayRat Target Financial and Cryptocurrency Data
Summary
Researchers have identified three new or enhanced Android malware families: FvncBot, SeedSnatcher, and an upgraded version of ClayRat. FvncBot targets Polish mobile banking users with keylogging, web-inject attacks, and hidden virtual network computing (HVNC) capabilities. SeedSnatcher steals cryptocurrency wallet seed phrases and intercepts SMS messages for 2FA codes. The updated ClayRat now abuses accessibility services for full device takeover, including screen recording and notification harvesting. These malware families use advanced techniques to evade detection and escalate privileges.
Timeline
- 08.12.2025 13:00 (1 article): New Android Malware Families FvncBot, SeedSnatcher, and Enhanced ClayRat Discovered
- Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features — thehackernews.com — 08.12.2025 13:00
Information Snippets
First reported (all snippets): 08.12.2025 13:00; 1 source, 1 article.
Source: Android Malware FvncBot, SeedSnatcher, and ClayRat Gain Stronger Data Theft Features — thehackernews.com — 08.12.2025 13:00
- FvncBot masquerades as a security app from mBank and is written from scratch, not derived from other Android banking trojans.
- FvncBot uses a crypting service called apk0day from Golden Crypt and deploys its payload via a dropper app.
- FvncBot abuses Android's accessibility services for keylogging, screen streaming, and hidden virtual network computing (HVNC).
- FvncBot communicates with a remote server at naleymilva.it.com and uses Firebase Cloud Messaging (FCM) for command and control.
- SeedSnatcher is distributed via Telegram and targets cryptocurrency wallet seed phrases and 2FA codes.
- SeedSnatcher uses dynamic class loading, stealthy WebView content injection, and integer-based command-and-control instructions.
- The upgraded ClayRat abuses accessibility services and SMS permissions for full device takeover, screen recording, and notification harvesting.
- ClayRat is distributed via 25 fraudulent phishing domains impersonating legitimate services like YouTube.
Similar Happenings
ClayRat Spyware Campaign Targets Android Users in Russia
A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 700 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim’s phone.
The spyware’s operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat’s most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact.
The latest version of ClayRat introduces far broader capabilities by combining Default SMS privileges with extensive abuse of Accessibility Services. Key functions include a keylogger that captures PINs, passwords, and patterns, full screen recording through the MediaProjection API, overlays that disguise malicious activity, and automated taps designed to block users from shutting down the device or deleting the app. These enhancements make the malware more persistent than earlier versions.
A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status.
Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.
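A triage sketch for the privilege combination described above (an app installed from outside the Play Store that holds an enabled accessibility service, the default SMS handler role, or both). It is an added example, not code from the cited research. It assumes captured output of `pm list packages -3 -i`, `settings get secure enabled_accessibility_services` and `settings get secure sms_default_application` from the device under review; all package names and sample values are constructed.

```python
import re

# Assumption: Google Play is the only authorized installer in this fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output):
    """Map third-party package -> installer (None when sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers

def parse_accessibility(setting_value):
    """Colon-separated 'pkg/Service' component names -> set of package names."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in value.split(":") if comp}

def triage(pm_output, a11y_value, default_sms):
    """Return {package: [reasons]} for untrusted-installer apps holding risky roles."""
    a11y = parse_accessibility(a11y_value)
    sms = default_sms.strip()
    findings = {}
    for pkg, inst in parse_installers(pm_output).items():
        if inst in TRUSTED_INSTALLERS:
            continue  # store-installed apps are out of scope for this check
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg == sms:
            reasons.append("default SMS handler")
        if reasons:
            findings[pkg] = reasons
    return findings

# Constructed sample captures (not from a real device).
SAMPLE_PM = """package:com.example.videoplayer  installer=null
package:com.example.notes  installer=com.android.vending
package:com.example.screenreader  installer=com.android.vending"""
SAMPLE_A11Y = ("com.example.videoplayer/.CoreService:"
               "com.example.screenreader/com.example.screenreader.ReaderService")
SAMPLE_SMS = "com.example.videoplayer\n"

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_SMS).items():
        print(pkg, "->", ", ".join(reasons))
```

A sideloaded app holding both roles at once is the strongest signal; a single hit on a sideloaded package still warrants review.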