A new Android banking Trojan has emerged that combines traditional overlay attacks with a stealthy hidden virtual network computing (VNC) server to obtain complete remote control of compromised devices.
First detected at the end of September 2025, the malware is distributed through SMS-based phishing campaigns that lure victims into installing a fake “security” application.
Once the required permissions have been granted, the Trojan encrypts its payload to evade static detection and starts a background VNC server that remains invisible in the user's launcher.
Cleafy analysts identified the malware after observing unusual network traffic from the mobile devices of several users of several European banks. During installation, the Trojan immediately requests accessibility and device-administrator privileges under the pretext of optimising device performance.
These permissions let it intercept touch input, capture on-screen information and silently draw fake overlays on top of legitimate banking applications.
At the same time, the VNC module initialises a hidden framebuffer, allowing threat actors to view and manipulate the device remotely in real time.
Although overlay-based banking Trojans have been around for years, this new strain's integration of a headless VNC server represents a significant escalation.
Rather than relying solely on screen overlays, attackers can now navigate the device interface as if they were holding it in their hand: opening applications, entering one-time passwords and installing additional payloads.
Early cases suggest that victims remain unaware of the remote session, because the Trojan suppresses all visual indicators and records user interactions so that its activity blends in with legitimate use.
Once entrenched, the Trojan uses multiple persistence tactics. It registers a broadcast receiver for BOOT_COMPLETED to restart the VNC service when the device reboots, and hooks into the accessibility service to monitor changes in screen state.
The malware also disables Google Play Protect through hidden system APIs, preventing updates or scans that could disrupt its operation.
These defensive layers ensure that remote access remains active until it is manually removed, a task complicated by the Trojan's ability to hide its icon and disguise itself under system-level names.
Infection mechanism
The infection chain begins with a deceptive SMS message containing a download link to a Trojanized APK called “Bankguard.apk”.
When the user installs this package, they are prompted to enable two critical permissions: the accessibility service and device administrator.
The following snippet illustrates how the Trojan opens the accessibility permission request:
// Sends the user to the system Accessibility settings screen; the service must be enabled there by hand
Intent intent = new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS);
context.startActivity(intent);
Once granted, the malware programmatically registers its accessibility service:
With these hooks in place, the Trojan silently launches its VNC server:
// VNCServer is the malware's own class; it binds a headless server on the standard VNC port
VNCServer vnc = new VNCServer(context);
vnc.startServer(5900); // Standard VNC port
This headless server captures framebuffer data and listens for incoming remote-control commands.
Attackers connect using standard VNC clients, gaining unhindered interactive control of the victim's device.
Through this mechanism, the Trojan bypasses traditional overlay detection by avoiding UI injection entirely, relying instead on real touch emulation driven by remote commands.
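As an added illustration from the defender's side (this is not code from the article or from the Trojan analysed by Cleafy), the following Java shows the runtime self-check a banking app can perform against the two grants described above: it parses Android's ENABLED_ACCESSIBILITY_SERVICES setting, compares the enabled services with an allowlist, and flags any unknown package that also holds device-administrator rights. The class name, method names and allowlist contents are assumptions; the Android APIs used (Settings.Secure, DevicePolicyManager.getActiveAdmins) are real.

```java
// Added example, not the article's or the malware's code. Names are hypothetical.
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.provider.Settings;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class PrivilegeAbuseCheck {

    // Assumption: packages whose accessibility services a stock device is expected
    // to run (screen readers). A real app vendor would maintain this list.
    private static final Set<String> TRUSTED_A11Y_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback",
            "com.android.talkback"
    ));

    /**
     * Pure parser for the value of Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES,
     * a colon-separated list of flattened component names such as
     * "pkg.a/pkg.a.SvcA:pkg.b/pkg.b.SvcB". Returns the package names that are
     * not on the allowlist, so it can be unit-tested off-device with any string.
     */
    public static List<String> untrustedAccessibilityPackages(String enabledServices) {
        List<String> suspicious = new ArrayList<>();
        if (enabledServices == null) {
            return suspicious;
        }
        for (String flat : enabledServices.split(":")) {
            String entry = flat.trim();
            if (entry.isEmpty()) {
                continue;
            }
            int slash = entry.indexOf('/');
            String pkg = (slash > 0) ? entry.substring(0, slash) : entry;
            if (!TRUSTED_A11Y_PACKAGES.contains(pkg) && !suspicious.contains(pkg)) {
                suspicious.add(pkg);
            }
        }
        return suspicious;
    }

    /**
     * Android-side wrapper: reads the live accessibility setting and the active
     * device admins. An unknown package holding BOTH grants matches the infection
     * pattern the article describes (accessibility + device administrator).
     */
    public static boolean looksCompromised(Context ctx) {
        String enabled = Settings.Secure.getString(
                ctx.getContentResolver(), Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        List<String> unknownA11y = untrustedAccessibilityPackages(enabled);
        if (unknownA11y.isEmpty()) {
            return false;
        }

        DevicePolicyManager dpm =
                (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<ComponentName> admins = (dpm != null) ? dpm.getActiveAdmins() : null;
        if (admins == null) {
            return false;
        }
        for (ComponentName admin : admins) {
            if (unknownA11y.contains(admin.getPackageName())) {
                return true;
            }
        }
        return false;
    }
}
```

An app would call looksCompromised(ctx) before rendering its login or transaction screens and treat a positive result as a risk signal to feed into step-up authentication or a warning, not as proof of infection, since legitimate automation and assistive tools also use these grants. The matching network-side indicator is the hidden listener on TCP port 5900 mentioned above.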