A sophisticated new Android banking trojan named Sturnus has been discovered, capable of stealing credentials and enabling full remote control of infected devices. A key feature distinguishing this malware is its ability to read messages from end-to-end encrypted messaging apps such as WhatsApp, Telegram, and Signal without breaking their encryption: it captures the content directly from the device's screen after the messages have been decrypted for display.
The trojan employs overlay attacks, displaying fake login screens on top of legitimate banking applications to harvest user credentials. It uses a mix of communication protocols, including WebSocket and HTTP, to register with a command server and receive encrypted commands. This allows attackers to initiate Virtual Network Computing (VNC) sessions for real-time interaction with the compromised device.
Sturnus abuses Android's accessibility services to log keystrokes, monitor user interface interactions, and even gather data from open chat applications. To avoid detection, it can display a full-screen overlay that mimics a system update screen while performing malicious actions in the background. The malware also possesses strong persistence mechanisms, blocking uninstallation attempts by automatically navigating away from settings screens that could disable its administrative privileges.
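The pairing described above, an enabled accessibility service plus device-administrator rights in the same package, is the combination a defender would look for during triage of a suspect device. The following is an added example, not code from the original report: it correlates the value of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of components) with a list of active device-admin components, which here is constructed, since the layout of `dumpsys device_policy` varies by Android version. The allowlist and sample package names are assumptions.

```python
from dataclasses import dataclass

# Assumed allowlist of packages that legitimately run accessibility services
# on stock devices; extend it for the fleet being examined.
KNOWN_BENIGN_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.settings",
}

def parse_components(raw: str) -> set[str]:
    """Split 'pkg/.Svc:pkg2/.Svc2' into a set of 'pkg/fully.qualified.Svc'.
    Android abbreviates 'pkg/pkg.Svc' as 'pkg/.Svc'; expand that form."""
    out = set()
    for item in raw.strip().split(":"):
        if not item:
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        out.add(f"{pkg}/{cls}")
    return out

def package_of(component: str) -> str:
    return component.split("/", 1)[0]

@dataclass(frozen=True)
class Finding:
    package: str
    accessibility: bool
    device_admin: bool
    severity: str  # high = both rights held, medium = a11y only, low = admin only

def triage(enabled_a11y_raw: str, device_admins: list[str]) -> list[Finding]:
    """Flag non-allowlisted packages holding accessibility and/or admin rights."""
    a11y_pkgs = {package_of(c) for c in parse_components(enabled_a11y_raw)}
    admin_pkgs = {package_of(c) for c in device_admins}
    findings = []
    for pkg in sorted(a11y_pkgs | admin_pkgs):
        if pkg in KNOWN_BENIGN_PACKAGES:
            continue
        a11y, admin = pkg in a11y_pkgs, pkg in admin_pkgs
        sev = "high" if (a11y and admin) else ("medium" if a11y else "low")
        findings.append(Finding(pkg, a11y, admin, sev))
    return findings

# Constructed sample input: one benign service, one suspect package holding both rights,
# and an MDM agent holding device-admin rights only.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.dropper/.AccessSvc")
SAMPLE_ADMINS = ["com.example.dropper/.AdminReceiver", "com.corp.mdm/.DeviceAdmin"]

if __name__ == "__main__":
    for finding in triage(SAMPLE_A11Y, SAMPLE_ADMINS):
        print(finding)
```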
Currently assessed to be in a refinement stage, Sturnus appears to be targeting financial institutions in Southern and Central Europe. Its extensive data collection provides attackers with a detailed device profile, enabling them to adapt their tactics. While its distribution is currently limited, the malware's advanced capabilities suggest attackers are preparing for more widespread and coordinated fraudulent operations.
