Analysis of FvncBot campaign
ID: b2d2273a-74df-557c-bfc0-972b07108c29
STIX ID: report--b2d2273a-74df-557c-bfc0-972b07108c29
Feed Name: CERT Polska
CERT Polska analyzed a multi-stage Android malware campaign (FvncBot) that lures victims with bank-themed apps to sideload a hidden accessibility implant; the chain includes a runtime Dex loader, an installer that writes a second-stage APK (com.core.town), and a hidden asset decrypted with an RC4-like key to yield the final classes.dex. The final implant enrolls devices to attacker-controlled backends (jeliornic.it.com), supports remote control via FCM/websockets (gestures, key events, overlays), keylogging, UI-tree exfiltration, screen streaming, and overlays for credential capture; the report includes file hashes, package names, network endpoints, and mitigation advice.
