# FvncBot
FvncBot is a multi-stage Android banking trojan analyzed by CERT Polska in March 2026 targeting Polish banking customers. It uses a layered deployment chain where a bank-themed lure app installs a runtime loader, which hands off to a hidden implant with full remote control capabilities. FvncBot combines accessibility abuse, screen capture, overlay attacks, and keylogging with a binary WebSocket protocol supporting 24+ command types for real-time device takeover.
## Overview
| Attribute | Details |
|---|---|
| First Seen | March 2026 |
| Status | Active |
| Type | Banking trojan, remote access |
| Attribution | Unknown |
| Distribution | Bank-themed lure apps impersonating Polish banks (SGB, Alior, Paribas) |
| Target Region | Poland |
## Multi-Stage Deployment Chain
FvncBot operates as a multi-stage implant chain rather than a single APK. Each stage serves a specific purpose in evading detection and establishing persistence.
| Stage | Package/Asset | Purpose |
|---|---|---|
| Stage 1 | com.junk.knock (bank-themed lure, e.g. "Token U2F Mobilna Ochrona SGB") | Social engineering entry point |
| Stage 2 | Loaded via DexClassLoader from /data/user/0/com.junk.knock/app_tell/tWyWeG.txt | Runtime installer |
| Stage 3 | com.core.town (branded "Android V.28.11"), delivered as assets/apk/payload_grass.apk | Visible implant |
| Stage 4 | RC4-encrypted asset qkcCg.jpg (key: sDjCM), extracted from classes7.dex | Hidden accessibility-based implant |
The lure app queries com.core.town via a content provider, then uses a core://setup URI scheme for handoff. The installer prompts the user to enable "Install unknown apps" and displays a fake "Play Component" installation dialog.
## Capabilities

### Core Features
| Capability | Implementation |
|---|---|
| Accessibility abuse | RemoteAccessibilityService with typeAllMask, gesture injection, global actions, full screen tree capture |
| Screen capture | MediaProjection via foreground service, live WebSocket streaming using OkHttp |
| Overlay attacks | URL, HTML, black-screen, and loading overlay types with clickable elements |
| Keylogging | TYPE_VIEW_TEXT_CHANGED monitoring, captures previous and updated values, tracks is_password flag |
| Remote device control | Binary WebSocket protocol with 24+ command types (touch, gestures, key events, clipboard injection, app launch) |
| Clipboard hijacking | Clipboard injection via C2 command (code 18) |
### Accessibility Service
The accessibility service is FvncBot's core dependency. It runs with accessibilityEventTypes="typeAllMask" and flags flagRequestFilterKeyEvents, flagReportViewIds, flagIncludeNotImportantViews. With canRetrieveWindowContent and canPerformGestures enabled, it captures the full JSON representation of the current screen including text, content descriptions, view IDs, screen bounds, roles, and children. It executes broadcast-delivered control messages mapped to gesture injection and global navigation actions.
### WebSocket Binary Protocol
The C2 uses a binary protocol over WebSocket (OkHttp client) with API key authentication. Commands are decoded from ByteBuffer with 24+ types:
| Code | Function |
|---|---|
| 1 | Touch/gesture events |
| 2 | Key events |
| 15 | Overlay mode switching |
| 18 | Clipboard injection |
| 22 | Settings page launch |
| 23 | Application launch |
### Overlay System
FvncBot supports multiple overlay types including URL-based, raw HTML, black-screen, and loading spinner overlays. The FCM command set supports clickable overlays and overlay task updates. Custom JavaScript is injected into WebView content to keep input fields visible while the keyboard is open.
## Obfuscation
FvncBot layers multiple obfuscation techniques across its stages:
| Technique | Details |
|---|---|
| Dynamic code loading | DexClassLoader loads second stage from file path |
| RC4 encryption | Hidden stage encrypted as qkcCg.jpg with key sDjCM |
| Base64+XOR string encoding | Configuration strings encoded with key zext0sup3bei25jm |
| Reflective invocation | Sensitive method calls via string-decoded reflection |
| Obfuscated naming | Variables and class names obfuscated across all stages |
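As an added analyst-side example (not code from this page or from the malware), the two decoding steps the table documents, written in Python: RC4 over an asset with the key sDjCM, checked against the DEX header the hidden stage should carry, and Base64+XOR over configuration strings with the key zext0sup3bei25jm. The order of operations for the string encoding (Base64-decode first, then XOR with the repeating key) and all sample inputs are assumptions.

```python
import base64
from itertools import cycle
from typing import Optional

# Keys as documented for FvncBot; any sample bytes fed to these functions are constructed.
RC4_ASSET_KEY = b"sDjCM"
STRING_XOR_KEY = b"zext0sup3bei25jm"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def is_dex(blob: bytes) -> bool:
    """A decrypted hidden stage should carry the DEX magic: 'dex\\n' + 3-digit version + NUL."""
    return blob[:4] == b"dex\n" and blob[4:7].isdigit() and blob[7:8] == b"\x00"


def recover_hidden_stage(asset_bytes: bytes, key: bytes = RC4_ASSET_KEY) -> Optional[bytes]:
    """Decrypt an RC4-protected asset (e.g. qkcCg.jpg) and return it only if it is a DEX file."""
    plain = rc4(key, asset_bytes)
    return plain if is_dex(plain) else None


def decode_config_string(encoded: str, key: bytes = STRING_XOR_KEY) -> str:
    """Assumed order: Base64-decode first, then XOR with the repeating key."""
    raw = base64.b64decode(encoded)
    return bytes(b ^ k for b, k in zip(raw, cycle(key))).decode("utf-8")


def encode_config_string(plain: str, key: bytes = STRING_XOR_KEY) -> str:
    """Inverse of decode_config_string; used only to build constructed test data."""
    xored = bytes(b ^ k for b, k in zip(plain.encode("utf-8"), cycle(key)))
    return base64.b64encode(xored).decode("ascii")
```

The DEX-magic check is what turns a blind decrypt into a useful triage step: a wrong key or a non-DEX asset returns None instead of a blob that looks plausible.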
## C2 Infrastructure

### Registration and Communication
FvncBot uses a REST API for registration and polling, with WebSocket for real-time screen streaming and remote control.
| Endpoint | Purpose |
|---|---|
| /api/v1/devices/register | Device registration (sends Android ID, FCM token, build ID, device info) |
| /api/v1/devices/<device_id>/commands?status=pending&limit=10 | Command polling |
| /api/v1/devices/<device_id>/events/batch | Event batching/exfiltration |
| /api/v1/devices/<device_id>/heartbeat | Heartbeat |
| /api/v1/tracking/events | Tracking |
Authentication uses X-API-Key and X-Device-ID (format: device_<android_id>) headers. The default polling interval is 300,000 ms (5 minutes), stored in SharedPreferences alongside the device ID and API key.
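A detection sketch, added here and not part of the original analysis, run over constructed proxy log lines: a request is flagged when the documented REST path shape is combined with at least one of the custom X-API-Key or X-Device-ID headers. The `device_` plus 16 lowercase hex characters form for the device ID assumes the usual 16-character hex representation of Android ID, and the key="value" log layout is a constructed one.

```python
import re
from typing import Dict, List

# Path shapes documented for FvncBot's REST C2 (register, per-device commands/events/heartbeat, tracking).
C2_PATH = re.compile(
    r"^/api/v1/(?:devices/register"
    r"|devices/[^/]+/(?:commands|events/batch|heartbeat)"
    r"|tracking/events)(?:\?.*)?$"
)
# X-Device-ID is documented as device_<android_id>; 16 lowercase hex chars is an assumption.
DEVICE_ID = re.compile(r"^device_[0-9a-f]{16}$")


def parse_log_line(line: str) -> Dict[str, str]:
    """Parse one constructed key="value" proxy log line into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the FvncBot-specific signals present in a single request record."""
    signals = []
    if C2_PATH.match(entry.get("path", "")):
        signals.append("c2_path")
    if "x_api_key" in entry:
        signals.append("api_key_header")
    if DEVICE_ID.match(entry.get("x_device_id", "")):
        signals.append("device_id_header")
    return signals


def flag_c2_requests(lines: List[str]) -> List[str]:
    """Flag a request only when the C2 path is joined by at least one custom header."""
    hits = []
    for line in lines:
        entry = parse_log_line(line)
        signals = classify(entry)
        if "c2_path" in signals and len(signals) >= 2:
            hits.append(entry.get("path", ""))
    return hits


# Constructed sample log; the host is the C2 domain from the IOC table, the device ID is made up.
SAMPLE_LOG = [
    'ts="2026-03-10T09:00:01Z" host="jeliornic.it.com" path="/api/v1/devices/register" x_api_key="REDACTED" x_device_id="device_0123456789abcdef"',
    'ts="2026-03-10T09:05:01Z" host="jeliornic.it.com" path="/api/v1/devices/device_0123456789abcdef/commands?status=pending&limit=10" x_api_key="REDACTED" x_device_id="device_0123456789abcdef"',
    'ts="2026-03-10T09:05:02Z" host="example.org" path="/api/v1/devices/register"',
]
```

Requiring a header alongside the path keeps a generic /api/v1/devices/register on an unrelated service from firing; the 5-minute cadence between polls is a further signal a real pipeline could add.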
### FCM Integration
Firebase Cloud Messaging delivers commands as an alternative to polling, enabling push-based overlay triggers and task updates even when the device is idle.
## Persistence
| Mechanism | Details |
|---|---|
| Accessibility foreground service | foregroundServiceType="dataSync|mediaProjection", notification labeled "System Update" |
| FCM push commands | Firebase Cloud Messaging for command delivery when polling is inactive |
## Permissions
| Permission | Purpose |
|---|---|
| BIND_ACCESSIBILITY_SERVICE | Screen tree capture, gesture injection, keylogging, remote control |
| MEDIA_PROJECTION | Screen capture and live streaming via foreground service |
| REQUEST_INSTALL_PACKAGES | Stage 3 APK installation via "Install unknown apps" prompt |
| PACKAGE_USAGE_STATS | App usage monitoring |
| QUERY_ALL_PACKAGES | Enumerate installed applications |
## IOCs

### File Hashes (SHA-256)
| Component | Hash |
|---|---|
| Outer APK (com.junk.knock) | 96b47838ba48b881f4b8e007c5b8c2963db516556865695848ee252571fe5893 |
| Runtime installer | 91a22dcd68500e33ee0aa45d40dc00df58bc1d8e3559a273ff1ab8c3d2d94486 |
| Embedded APK (payload_grass.apk) | b4708b853ff64530776e8179a748b7e9469eb88491bceaffe3bf16cfe366d75a |
| Hidden asset (qkcCg.jpg) | 3d980d21f116bd499bdd0b52b570cbb4ddcbf47aa2dd96b5aae43dbce51f6249 |
| Extracted DEX | 56c28cda7650e6d9287b8c260594bc759f9f7b47cf74b27ad914de0a57b315c6 |
### Network
| Type | Value |
|---|---|
| C2 domain | jeliornic.it[.]com |
| C2 IP | 104.21.59[.]199 |
| Distribution domain | ruvofech.it[.]com |
### Identifiers
| Type | Value |
|---|---|
| Package (Stage 1) | com.junk.knock |
| Package (Stage 3) | com.core.town |
| Build ID | h8zskxh6kjv |
| Application class | com.erupt.defense.Scementplanet |
## Related Families
FvncBot's multi-stage deployment chain with DexClassLoader and encrypted assets follows a pattern similar to PixPirate, which also uses a dropper/payload split to avoid Play Store detection. The accessibility-centered remote control with live screen streaming via WebSocket places FvncBot alongside TsarBot, Octo, and Hook in the VNC-style banking trojan category. The binary protocol with 24+ commands is comparable to TsarBot's ~30-command WebSocket architecture.
The overlay injection supporting multiple overlay types (URL, HTML, black-screen) is a pattern shared with GodFather and Hook. FCM-based command delivery, used here for push-based overlay triggers, is an approach also seen in KoSpy and FireScam for C2 communication.
FvncBot's Polish banking focus, impersonating SGB, Alior, and Paribas, overlaps with TsarBot's target list, which also includes Polish banking apps among its 750+ targets.