A new and highly advanced Android banking trojan named Sturnus has been discovered by cybersecurity researchers, raising significant concerns due to its comprehensive capabilities for financial fraud. The malware is designed to facilitate both credential theft and complete device takeover. A key feature that sets Sturnus apart is its ability to circumvent the security of encrypted messaging applications like WhatsApp, Telegram, and Signal. It achieves this not by breaking the encryption itself, but by monitoring and capturing the communication content directly from the device screen after the messages have already been decrypted and displayed to the user.
The name Sturnus is derived from the European starling (Sturnus vulgaris), a bird known for its mimicry and varied vocalizations. This naming choice is a metaphor for the malware’s use of a complex, mixed communication pattern that blends standard plaintext with AES and RSA encryption. The trojan, upon launch, immediately connects to a remote command-and-control server using both WebSocket and HTTP channels to register the compromised device. This registration is critical as it allows the server to send back encrypted payloads and establish a persistent WebSocket channel for live interaction during Virtual Network Computing (VNC) sessions, granting threat actors real-time remote access.
Sturnus employs several techniques to execute its malicious goals. Most prominently, it stages overlay attacks by displaying convincing fake login screens over legitimate banking applications to trick victims into entering their credentials. To avoid suspicion, once credentials for a specific bank are harvested, the overlay for that target is subsequently disabled. Beyond overlays, the malware abuses Android’s accessibility services to stealthily record keystrokes and log all UI interactions. It can also display a full-screen overlay that mimics an Android operating system update screen, blocking all visual feedback while allowing the attackers to perform malicious actions undetected in the background.
The trojan is built with extensive remote control and environment monitoring capabilities. It leverages accessibility services to gather the contents of chat messages from encrypted apps and capture details about every visible interface element on the screen. This allows the attackers to virtually reconstruct the device’s layout on their end and remotely issue a wide array of actions, including text input, clicks, scrolling, launching applications, and confirming permissions. An alternate remote control mechanism uses the system’s display-capture framework to mirror the device screen in real-time. This comprehensive environment monitoring also collects information on network conditions, hardware data, sensor details, and an inventory of installed applications, creating a detailed device profile for adaptive attacks.
Reference:
