New Android Trojan 'Sturnus' Stealthily Steals Encrypted Chats and Seizes Device Control

A sophisticated new Android banking trojan, dubbed Sturnus, has emerged, capable of silently stealing encrypted chat messages and gaining complete control over infected devices. Cybersecurity researchers have revealed that Sturnus sidesteps end-to-end encryption not by breaking it but by capturing screen content after the messaging app has already decrypted it, targeting popular apps like WhatsApp, Telegram, and Signal. The malware also employs overlay attacks, presenting fake login screens to harvest banking credentials, and can even mimic system updates to mask malicious activity.

Key Takeaways

  • Encrypted Chat Interception: Sturnus captures decrypted chat content directly from the device screen, compromising messages from WhatsApp, Telegram, and Signal.

  • Device Takeover Capabilities: The trojan can stage overlay attacks with fake banking login screens and abuse accessibility services for credential theft and remote control.

  • Stealthy Operation: It employs tactics like mimicking system updates and disabling overlays after successful credential harvesting to avoid user suspicion.

  • Resilience: Sturnus actively prevents uninstallation by detecting and blocking attempts to disable its administrator status.

  • Targeted Attacks: The malware is designed to target financial institutions in Southern and Central Europe, with region-specific overlays.

How Sturnus Operates

Once installed, Sturnus establishes communication with a remote server via WebSocket and HTTP channels. It registers the compromised device and receives encrypted payloads. A key feature is its ability to leverage Android's accessibility services. This allows it to monitor user interactions, capture keystrokes, and record screen activity. When a banking app overlay is presented and credentials are stolen, the overlay is promptly removed to prevent detection.

Advanced Deception Tactics

Sturnus employs advanced techniques to deceive users and maintain control. It can display a full-screen overlay that completely blocks visual feedback, impersonating an Android operating system update. This ruse allows attackers to perform malicious actions in the background unnoticed. Furthermore, the trojan can reconstruct the user interface layout on the attacker's end, enabling them to remotely execute actions like clicks, text input, and app launches.

Protection Against Removal

The malware is designed to be highly resistant to removal. It monitors device settings and actively navigates away from screens that could lead to the revocation of its administrator privileges. This makes both standard uninstallation and removal via tools like ADB difficult until its administrator rights are manually revoked.
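The two sections above describe the same pair of signals a responder would look for on a suspect handset: an unexpected accessibility service (used for keystroke capture, overlay timing and remote control) and a device administrator that resists revocation. The following triage script is an added example, not code from the original article or from the researchers who analysed Sturnus. It parses the output of two `adb shell` commands, `settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` components) and `dumpsys device_policy` (whose exact layout is assumed here and may differ between Android versions), and flags packages that hold either capability without being on a known-good allowlist. A package holding both is rated high, since that combination is what the article describes. All sample output, package names and allowlists are constructed for the example.

```python
import re

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Real output is a colon-separated list of package/ServiceClass components, or "null".
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sysupdate/com.example.sysupdate.A11yService"
)

# Constructed sample resembling `adb shell dumpsys device_policy`. The section
# header and indentation are an assumption about the format, not a verified layout.
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.sysupdate/com.example.sysupdate.AdminReceiver:
      uid=10234
      testOnlyAdmin=false
"""

# Hypothetical allowlists; a real deployment would populate these from the
# organisation's approved screen readers and MDM agents.
KNOWN_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
KNOWN_ADMINS = {"com.android.managedprovisioning"}

# Matches an Android component name: package/ClassName (class may be dotted or inner).
COMPONENT_RE = re.compile(r"([a-zA-Z_][\w.]*)/([\w.$]+)")


def parse_accessibility(value):
    """Split the enabled_accessibility_services setting into component names."""
    if not value or value.strip() == "null":
        return []
    return [c for c in value.strip().split(":") if c]


def parse_device_admins(dump):
    """Extract active device-admin components from a dumpsys device_policy dump."""
    admins = []
    in_section = False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if in_section:
            # Leave the section when indentation returns to the top level.
            if line and not line.startswith(" "):
                in_section = False
                continue
            m = COMPONENT_RE.match(line.strip())
            if m:
                admins.append(f"{m.group(1)}/{m.group(2)}")
    return admins


def triage(a11y_value, policy_dump,
           known_a11y=KNOWN_ACCESSIBILITY, known_admins=KNOWN_ADMINS):
    """Return one finding per non-allowlisted package holding a sensitive capability."""
    signals = {}
    for comp in parse_accessibility(a11y_value):
        pkg = comp.split("/", 1)[0]
        if pkg not in known_a11y:
            signals.setdefault(pkg, set()).add("accessibility")
    for comp in parse_device_admins(policy_dump):
        pkg = comp.split("/", 1)[0]
        if pkg not in known_admins:
            signals.setdefault(pkg, set()).add("device_admin")
    report = []
    for pkg, sigs in sorted(signals.items()):
        # Accessibility plus device-admin together is the profile the article describes.
        severity = "high" if {"accessibility", "device_admin"} <= sigs else "medium"
        report.append({"package": pkg, "signals": sorted(sigs), "severity": severity})
    return report


if __name__ == "__main__":
    for finding in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY):
        print(f"[{finding['severity'].upper()}] {finding['package']}: "
              f"{', '.join(finding['signals'])}")
```

On a live device the two inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`. A high-severity hit is a cue to revoke the administrator in Settings first, as the article notes, before attempting a normal uninstall; the script only reports, it does not attempt removal.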

Broader Implications

While currently assessed to be in an evaluation stage and with limited spread, the sophisticated capabilities of Sturnus suggest attackers are refining their tools for potentially larger, more coordinated operations. The combination of targeted geography and focus on high-value financial applications highlights the evolving threat landscape for Android users.

Sources

  • New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices, The Hacker News.