Malware Brief: Android in the crosshairs — FvncBot, SeedSnatcher, ClayRat
Emerging Android malware: Tactics, targets and defense strategies
Key Takeaways:
- Android malware threats are rapidly evolving, targeting both individuals and organizations worldwide.
- FvncBot uses VNC-based remote access to steal credentials and control devices in real time.
- SeedSnatcher specializes in stealing cryptocurrency wallet seed phrases and private keys from Android users.
- ClayRat is a modular spyware tool used for surveillance, data theft and persistent device compromise.
- Attackers exploit social engineering, phishing overlays and malicious app distribution to infect Android devices.
- Protect yourself by installing apps only from trusted sources, keeping devices updated and enabling two-factor authentication.
As a longtime Android phone user, I am used to brushing off the disdain or even mockery that many of my iPhone-loving friends send my way. But despite its many advantages (IMHO), the truth is that Android is significantly more prone to malware attacks than iOS/iPhone. (But see also how a recent report from Google suggests the opposite.)
Android devices are incredibly popular, with billions of users worldwide, powering everything from banking and payments to personal communications and business operations. This ubiquity, however, has made Android a prime target for cybercriminals and advanced threat actors.
In recent months, researchers have observed a surge in sophisticated malware campaigns that exploit social engineering, Android’s accessibility features, and third-party app distribution channels. These attacks are not only growing in technical complexity but also in their ability to evade detection and target high-value data, including financial credentials and cryptocurrency wallets.
Today’s brief highlights three of the most concerning Android malware families currently active in the wild: FvncBot, SeedSnatcher and ClayRat. Each brings unique capabilities and attack vectors, underscoring the need for heightened vigilance and robust mobile security practices.
FvncBot: The Android RAT with a VNC twist
Type: Remote Access Trojan (RAT)
Capabilities: VNC-based screen sharing, credential theft, device control
Threat actors: Multiple, including financially motivated groups
FvncBot is a newly developed Android banking Trojan that stands out for its use of virtual network computing (VNC) to enable real-time device control and surveillance. Disguised as a legitimate security app (notably for mBank in Poland), FvncBot abuses Android’s accessibility services to log keystrokes, perform web-inject attacks, stream the device’s screen, and deploy hidden overlays for credential theft.
The malware is distributed via dropper apps that prompt users to install a fake Google Play component, bypassing security restrictions on newer Android versions. While its initial focus has been on Polish users, researchers warn that its tactics could easily be adapted to other regions and institutions.
SeedSnatcher: Credential harvester with a focus on crypto
Type: Infostealer
Capabilities: Clipboard monitoring, seed phrase theft, phishing overlays, SMS interception
Threat actors: Likely financially motivated, China-based or Chinese-speaking
SeedSnatcher is a sophisticated infostealer targeting cryptocurrency users. Distributed under the name “Coin” via Telegram and other social channels, it specializes in harvesting wallet seed phrases and private keys through convincing phishing overlays that mimic popular crypto apps.
The malware also intercepts SMS messages to steal two-factor authentication codes, exfiltrates device data and escalates privileges to access contacts, call logs and files.
SeedSnatcher’s operators employ advanced evasion techniques, including dynamic class loading and stealthy WebView injection, making it difficult to detect and remove.
ClayRat: Espionage tool with modular payloads
Type: Modular RAT/spyware
Capabilities: Keylogging, audio/video recording, file exfiltration, overlay attacks, device control
Threat actors: Suspected APT groups, possible state sponsorship
ClayRat is an advanced Android spyware family that has rapidly evolved to include a wide range of surveillance and device-control features. The latest versions abuse both SMS and accessibility permissions to capture keystrokes, record screens, harvest notifications and deploy overlays that mimic system updates or black screens to conceal malicious activity.
ClayRat is distributed through phishing domains and Telegram channels, often masquerading as popular apps like YouTube or regional taxi services. Its persistence mechanisms and ability to automate device unlocking make it a formidable threat, especially in bring-your-own-device (BYOD) environments.
Protecting your Android device
The Android malware landscape is evolving rapidly, with attackers leveraging accessibility features, phishing overlays and social engineering to compromise devices and steal sensitive data. To defend against threats like FvncBot, SeedSnatcher and ClayRat, the best policy is to follow the same guidelines you use to protect other devices and endpoints against malware.
- Only install apps from trusted sources (Google Play, official vendor sites)
- Keep your device, your apps and your mobile security updated
- Use strong, unique passwords and enable two-factor authentication
- Be wary of unsolicited links, downloads and permissions requests — know how to spot phishing attempts
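As an added example (not code from the brief or from Barracuda), the following Python triage applies those guidelines to a device inventory: it flags apps that combine the indicators the three families above depend on, namely a sideloaded install, an enabled accessibility service, SMS permissions and overlay rights. The package names and permission sets are constructed, and the input shapes assume the output of `adb shell pm list packages -i` and the value of `settings get secure enabled_accessibility_services`.

```python
# Added example, not from the brief: flag apps that combine sideloaded install,
# an enabled accessibility service, SMS access and overlay rights. The
# inventory below is constructed; its shape assumes adb's pm/settings output.
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

PM_LIST = """\
package:com.example.bank.secure  installer=null
package:com.example.coinwallet  installer=com.android.vending
package:com.example.taxi  installer=null
"""
ENABLED_A11Y = "com.example.bank.secure/com.example.bank.secure.AccService"
REQUESTED = {  # constructed per-app requested permissions
    "com.example.bank.secure": {"android.permission.RECEIVE_SMS", OVERLAY_PERM},
    "com.example.coinwallet": {"android.permission.INTERNET"},
    "com.example.taxi": {"android.permission.READ_SMS"},
}

def parse_pm_list(text):
    """{package: installer or None} from `pm list packages -i` lines."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M):
        out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def parse_a11y(value):
    """Packages that currently have an accessibility service enabled."""
    return {entry.split("/")[0] for entry in value.split(":") if entry}

def risk_findings(pkg, installer, a11y_pkgs, perms):
    checks = [
        ("sideloaded", installer not in TRUSTED_INSTALLERS),
        ("accessibility-enabled", pkg in a11y_pkgs),
        ("sms-access", bool(perms & SMS_PERMS)),
        ("overlay", OVERLAY_PERM in perms),
    ]
    return [name for name, hit in checks if hit]

def triage(pm_text=PM_LIST, a11y=ENABLED_A11Y, requested=REQUESTED):
    """Apps with two or more indicators, worth a closer look or removal."""
    a11y_pkgs = parse_a11y(a11y)
    report = {}
    for pkg, inst in parse_pm_list(pm_text).items():
        f = risk_findings(pkg, inst, a11y_pkgs, requested.get(pkg, set()))
        if len(f) >= 2:
            report[pkg] = f
    return report
```

A single indicator (for example a sideloaded app with no other flags) is not reported, which keeps the output focused on the stacked-permission pattern rather than on every third-party install.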