A new Android banking trojan has emerged that combines traditional overlay attacks with a stealthy hidden Virtual Network Computing (VNC) server to achieve full remote control of compromised devices.
First detected in late September 2025, the malware is distributed through SMS-based phishing campaigns that lure victims into installing a fake “security” app.
Once granted the necessary permissions, the trojan encrypts its payload, evading static detection, and initiates a background VNC server that remains invisible to the user’s launcher.
Cleafy analysts identified the malware after observing unusual network traffic from several European banks’ mobile users. Upon installation, the trojan immediately requests Accessibility and Device Administrator privileges under the guise of optimizing device performance.
.webp)
These permissions allow it to intercept touch input, capture screen information, and silently render bogus overlays on legitimate banking applications.
At the same time, the VNC module initializes a hidden framebuffer, enabling threat actors to remotely view and manipulate the device in real time.
While overlay-based banking trojans have been around for years, this new strain’s integration of a headless VNC server represents a significant escalation.
Rather than relying solely on screen overlays, attackers can now navigate the device interface as if they were holding it in their hand—opening apps, entering one-time passwords, and installing additional payloads.
.webp)
Early cases suggest that victims remain unaware of the remote session, as the trojan suppresses all visual indicators and logs user interactions to blend with legitimate activity.
Once entrenched, the trojan employs multiple persistence tactics. It registers a broadcast receiver for BOOT_COMPLETED to restart the VNC service on device reboot and hooks into the AccessibilityService to monitor screen state changes.
The malware also disables Google Play Protect by exploiting hidden system APIs, preventing updates or scans that might disrupt its operations.
These layers of defense ensure that the remote access remains active until manually removed—a task complicated by the trojan’s ability to hide its icon and camouflages itself under system-level names.
Infection Mechanism
The infection chain begins with a deceptive SMS message containing a download link to a trojanized APK named “BankGuard.apk.”
When the user installs this package, they are prompted to enable two critical permissions: AccessibilityService and Device Administrator.
The following snippet illustrates how the trojan invokes the Accessibility permission request:-
Intent intent = new Intent(Settings.ACTION_ACCESSIBILITY_SETTINGS);
context.startActivity(intent);Once granted, the malware programmatically registers its AccessibilityService:-
<service android: name=".StealthAccessibilityService"
android: permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
<intent-filter>
<action android:name="android.accessibilityservice.AccessibilityService" />
</intent-filter>
<meta-data
android: name="android.accessibilityservice"
android:resource="@xml/accessibilityservice_config" />
</service>With these hooks in place, the trojan silently launches its VNC server:-
VNCServer vnc = new VNCServer(context);
vnc.startServer(5900); // Standard VNC portThis headless server captures framebuffer data and listens for incoming remote control commands.
Attackers connect using off-the-shelf VNC clients, gaining unfettered interactive control over the victim’s device.
.webp)
Through this mechanism, the trojan bypasses traditional overlay detection by avoiding UI injection altogether, relying instead on genuine touch emulation via remote commands.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
The post New Android Banking Trojan Uses Hidden VNC to Gain Complete Remote Control Over Device appeared first on Cyber Security News.