A new Android banking trojan named Sturnus is in circulation. It steals banking credentials and takes over the device to carry out financial fraud. Its most notable feature is that it can read the content of encrypted messaging apps. It does not break the encryption: it captures messages from the screen after the app has already decrypted them, so end-to-end encryption offers no protection once the device itself is compromised.
The Encryption Enigma
Sturnus captures content directly from the device screen after the messaging app has decrypted it, by abusing Android's accessibility services (described below). That lets it read conversations in WhatsApp, Telegram, and Signal without touching the apps' cryptography at all. The name comes from something else: its command-and-control traffic mixes plaintext, AES-encrypted, and RSA-encrypted messages, which earned it a comparison to the European starling (Sturnus vulgaris), a bird that blends its own whistles with mimicry of other sounds.
Hijacking Your Device
On launch, Sturnus connects to a remote server, registers the device, and receives encrypted payloads. It then opens a WebSocket channel over which the operators run VNC-style remote sessions on the compromised device. It also performs overlay attacks: when a targeted banking app is opened, it draws a fake login screen on top of it to capture the credentials. Once the credentials have been harvested, the overlay is disabled, so the victim sees the real app and nothing looks out of place.
The Stealthy Overlay
Sturnus can also draw a full-screen overlay that imitates an Android system update screen. While the victim waits for the "update" to finish, the overlay hides everything happening underneath, and the operators use that window to carry out actions on the device. It is a magician's sleight of hand: the visible hand holds your attention while the other one does the work.
Monitoring and Remote Control
The malware abuses Android's accessibility services to log keystrokes, record UI interactions, and harvest chat content from Signal, Telegram, and WhatsApp. It also streams a description of every visible interface element to the operators, who use it to issue actions remotely: clicks, text input, app launches, and confirmation of permission prompts. A black-screen overlay can be enabled while this happens, so the victim sees a dark, apparently idle phone while the operators work on it unobserved.
Protection Against Cleanup
Sturnus obtains Device Administrator rights and is designed to keep them. As long as that admin status is active, Android refuses both the ordinary uninstall flow and removal through ADB, so the malware survives routine cleanup attempts. The practical consequence: the admin status has to be revoked by hand first (the Device admin apps entry in Settings; booting into Safe Mode stops third-party apps, including the malware's overlays, so that the setting can be reached), and only then can the package be uninstalled.
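The capabilities described in the last three sections (an accessibility service for screen reading and remote control, the overlay permission for fake login and update screens, and a device-admin receiver that blocks uninstall) are all declared in an app's manifest, which makes the combination easy to triage statically. The script below is an added example written for this article, not code from the article's source or from any malware analysis vendor; the two manifests in it are constructed for illustration, and the scoring rule that labels a bundle "banker-like" is an assumption, not a published detection rule.

```python
"""Static triage of an AndroidManifest.xml for the capability bundle that a
Sturnus-style banker relies on: an accessibility service (screen reading and
remote UI control), the overlay permission (fake login screens and the fake
update screen), a device-admin receiver (blocks uninstall) and boot persistence.

Added example for this article; the manifests below are constructed for
illustration and the scoring rule is an assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"              # android:name
A_PERMISSION = f"{{{ANDROID_NS}}}permission"  # android:permission

# Constructed manifest resembling a banker posing as a system update (not a real sample).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="System Update">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed manifest for an ordinary app with no special capabilities.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, the capabilities found, a score and a verdict."""
    root = ET.fromstring(xml_text)
    perms = {e.get(A_NAME) for e in root.iter("uses-permission")}
    caps = {
        # A service protected by BIND_ACCESSIBILITY_SERVICE is how an app
        # registers an accessibility service that can read and drive the UI.
        "accessibility_service": any(
            s.get(A_PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
            for s in root.iter("service")),
        # A receiver protected by BIND_DEVICE_ADMIN is a DeviceAdminReceiver;
        # once enabled, the package cannot be uninstalled until it is revoked.
        "device_admin_receiver": any(
            r.get(A_PERMISSION) == "android.permission.BIND_DEVICE_ADMIN"
            for r in root.iter("receiver")),
        "overlay_permission": "android.permission.SYSTEM_ALERT_WINDOW" in perms,
        "boot_persistence": "android.permission.RECEIVE_BOOT_COMPLETED" in perms,
        "sideload_installer": "android.permission.REQUEST_INSTALL_PACKAGES" in perms,
    }
    score = sum(caps.values())
    # Scoring rule (assumption): accessibility plus either device admin or
    # overlays is the signature combination; other bundles only warrant review.
    if caps["accessibility_service"] and (caps["device_admin_receiver"] or caps["overlay_permission"]):
        verdict = "banker-like"
    elif score >= 2:
        verdict = "review"
    else:
        verdict = "low"
    return {"package": root.get("package"), "capabilities": caps,
            "score": score, "verdict": verdict}


if __name__ == "__main__":
    for text in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(text)
        flagged = [name for name, present in result["capabilities"].items() if present]
        print(f"{result['package']}: {result['verdict']} (score {result['score']}) {flagged}")
```

Feed it the decoded AndroidManifest.xml that an APK decoder such as apktool produces. On a live device the same two capabilities show up in `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of `package/service` entries) and in the active-admin list printed by `adb shell dumpsys device_policy`; a third-party package present in both lists is the first thing to look at during cleanup.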
The Targeted Threat
Sturnus also profiles its environment: sensor data, network conditions, hardware details, and an inventory of installed apps. The profile lets the operators tailor their actions to the device and see which targets are present. Its spread is currently limited, but the narrow geographic targeting and the focus on high-value banking applications suggest the operators are still refining the tooling ahead of broader or more coordinated campaigns.
Is this a serious threat to Android users, and should we worry about our encrypted messages? The honest answer is that end-to-end encryption still protects messages in transit; what it cannot protect is a device that has granted an accessibility service and Device Administrator rights to an untrusted app. Treat any app that asks for both of those, especially one you did not knowingly install for that purpose, as hostile, and revoke its admin status before trying to remove it.