Image: Intel 471
A sophisticated new Android banking trojan has been discovered targeting customers of mBank, one of Poland’s largest financial institutions. Dubbed FvncBot by researchers at Intel 471, the malware masquerades as a legitimate security application to steal credentials and take remote control of victim devices.
The malware was first observed on November 25, 2025, distributed under the guise of an app called “Klucz bezpieczeństwa Mbank” (Security key Mbank). By mimicking a trusted authentication tool, the attackers trick users into installing the payload.
Once launched, the app requests the installation of a “Play” component to ostensibly ensure security. In reality, this action executes the FvncBot payload, which resides unencrypted in the application’s assets.
Unlike many recent banking trojans that recycle code from notorious families like Ermac or Hook, FvncBot appears to be a custom build. The report notes that “this trojan is unique in that the code is completely new and is not based on source code leaks for other Android banking trojans”.
This freshness makes detection harder for security vendors relying on known signatures. To further evade analysis, both the loader and the payload are “obfuscated with the well-known apk0day crypting service operated by the GoldenCrypt actor”.
FvncBot is equipped with a powerful arsenal of surveillance and fraud capabilities. Its primary features include “keylogging by abusing Android’s accessibility services, web-inject attacks, screen streaming and hidden virtual network computing (HVNC) to perform successful financial fraud”.
The malware’s ability to stream the victim’s screen is particularly advanced. It uses the H.264 video compression standard to ensure low-latency, high-efficiency transmission, a step up from the JPEG-based streaming used by many competitors.
Furthermore, the “text mode” (HVNC) allows attackers to recreate the device’s UI layout and interact with it programmatically, even if the targeted app blocks screenshots using the FLAG_SECURE setting.
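The distinction above matters for app developers: FLAG_SECURE defeats screenshot and MediaProjection-based capture (the screen-streaming path), but it does nothing to hide a view hierarchy from an accessibility service, which is how the “text mode” reconstructs the UI. The following is an added illustration of both mitigations in a hypothetical login screen; it is not code from Intel 471 or from any app named in the report. The layout resource, view id, and activity name are assumptions, and the accessibility-data-sensitive control only exists on Android 14 (API 34) and later.

```kotlin
import android.os.Build
import android.os.Bundle
import android.view.View
import android.view.WindowManager
import android.widget.EditText
import androidx.appcompat.app.AppCompatActivity

// Hypothetical login screen used only to show the two defences side by side.
class LoginActivity : AppCompatActivity() {
    override fun onCreate(savedInstanceState: Bundle?) {
        super.onCreate(savedInstanceState)

        // FLAG_SECURE: blocks screenshots and MediaProjection screen capture,
        // i.e. the pixel-based streaming path. It does NOT stop an accessibility
        // service from reading the window's node tree (text, bounds, actions).
        window.setFlags(
            WindowManager.LayoutParams.FLAG_SECURE,
            WindowManager.LayoutParams.FLAG_SECURE
        )

        setContentView(R.layout.activity_login) // assumed layout resource
        val password = findViewById<EditText>(R.id.password) // assumed view id

        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            // Android 14+: node data for this view is exposed only to services
            // that declare isAccessibilityTool="true"; a sideloaded "security key"
            // app running an ordinary accessibility service cannot read it,
            // nor perform actions on it. Complements rather than replaces FLAG_SECURE.
            password.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES)
        }
        // On older OS versions the only remaining defences are outside the app:
        // refusing to run while an untrusted accessibility service is enabled,
        // or relying on server-side transaction risk scoring.
    }
}
```

The same effect can be declared in layout XML with `android:accessibilityDataSensitive="true"` on the sensitive views, which is preferable when every field on the screen is sensitive. Neither setting helps on devices below API 34, which is why the report’s advice against installing unexpected “security” apps remains the primary control.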
To manage infected devices, the operators utilize Firebase Cloud Messaging (FCM) to dispatch commands. For more intensive tasks like screen streaming, the malware establishes a WebSocket connection by abusing the Fast Reverse Proxy (FRP) tool. This setup enables “near-real-time, bidirectional communication – crucial especially during streaming the device screen and operating the infected device remotely”.
While the current campaign is specifically configured with a “call_pl” build identifier targeting Polish users, the infrastructure allows for rapid pivoting to other regions. Researchers warn that “masking banking malware as a legitimate application is a common ruse used to trick users into installing malware on their device”.