
Cybersecurity researchers have revealed details of a new Android banking Trojan called Sturnus that can steal credentials and take over entire devices to perform financial fraud.
“A key differentiator is the ability to bypass encrypted messaging,” ThreatFabric said in a report shared with The Hacker News. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.”
Another notable feature is the ability to perform overlay attacks in stages, serving a fake login screen on top of a banking app to capture the victim's credentials. According to the Dutch mobile security company, Sturnus is privately operated and is currently assessed to be in an evaluation stage. Samples distributing the banking malware pose as the following apps:
Google Chrome ("com.klivkfbky.izaybebnx")
Preemix Box ("com.uvxuthoq.noscjahae")

The malware is designed to specifically target financial institutions in Southern and Central Europe, using region-specific overlays.
The name Sturnus is a reference to its mixed communication pattern, which combines plaintext, AES, and RSA traffic; ThreatFabric likens this to the common starling (Sturnus vulgaris), a bird known for mimicking a wide range of sounds.
Once launched, the Trojan connects to a remote server over WebSocket and HTTP channels, registers the device, and receives an encrypted payload. It also opens a separate WebSocket channel through which the operators can interact with compromised Android devices in virtual network computing (VNC) sessions.
In addition to serving fake overlays for banking apps, Sturnus abuses Android's accessibility services to capture keystrokes and record user interface (UI) interactions. Once the banking overlay has been shown to the victim and the credentials captured, the overlay for that particular target is disabled so as not to arouse suspicion.

In addition, it can block all visual feedback by displaying a full-screen overlay that mimics the Android system update screen, giving the user the impression that a software update is in progress while malicious actions are carried out in the background.
Other features of the malware include device activity monitoring, the ability to leverage accessibility services to collect chat content from Signal, Telegram, and WhatsApp, and the transmission of details about every interface element visible on the screen.
This lets the attacker reconstruct the screen layout remotely and issue actions such as clicks, text input, scrolling, app launches, permission checks, or enabling the black screen overlay. A second remote control mechanism built into Sturnus uses the system's display capture framework to mirror the device's screen in real time.
“When a user navigates to a settings screen that could potentially disable administrator status, the malware detects the attempt through accessibility monitoring, identifies the relevant controls, and automatically navigates away from the page to disturb the user,” ThreatFabric said.

“The malware is strongly protected against cleanup attempts, as both normal uninstallation and removal by tools such as ADB are blocked until administrative privileges are manually revoked.”
Extensive environmental monitoring capabilities allow the operators to collect sensor information, network status, hardware data, and an inventory of installed apps. This device profile acts as a continuous feedback loop, helping attackers adapt their tactics and evade detection.
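The practical question for a responder is how to spot an infection like this on a handset: Sturnus relies on an accessibility service plus device-admin rights, and the report publishes the package names it hides behind. The script below is an added triage example, not code from ThreatFabric or The Hacker News. It parses the text that `adb shell pm list packages`, `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` print, flags the published package names, and flags any other app that holds both accessibility and device-admin privileges. The sample dumps embedded below are constructed for illustration, the `dumpsys` section layout it expects is an assumption that varies across Android versions, and the accessibility allowlist is a placeholder you would tailor to your fleet.

```python
"""Offline triage of Android device-state dumps for Sturnus-style indicators.

Added example (not ThreatFabric's or the article's code). Inputs are the raw
text of three adb commands; sample dumps below are constructed.
"""
from __future__ import annotations

import re

# Package names published in the ThreatFabric report. Note the "Google Chrome"
# sample does NOT use Chrome's real package name (com.android.chrome); the app
# label is spoofed, the package id is not.
STURNUS_IOC_PACKAGES = {
    "com.klivkfbky.izaybebnx",   # poses as Google Chrome
    "com.uvxuthoq.noscjahae",    # poses as Preemix Box
}

# Accessibility services you expect on a clean device (assumption; tune per fleet).
KNOWN_GOOD_ACCESSIBILITY = {"com.google.android.marvin.talkback"}


def parse_installed_packages(pm_output: str) -> set:
    """`pm list packages` prints one 'package:<name>' per line."""
    return {
        line.split(":", 1)[1].strip()
        for line in pm_output.splitlines()
        if line.startswith("package:")
    }


def parse_accessibility_services(setting_value: str) -> set:
    """enabled_accessibility_services is a ':'-separated list of
    'package/ServiceClass' entries, or the literal 'null' when empty."""
    value = setting_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_active_admins(dumpsys_output: str) -> set:
    """Collect package names under the 'Enabled Device Admins' section of
    `dumpsys device_policy`. Assumed layout: entries are indented lines of the
    form 'pkg/.Receiver:'; a less-indented non-empty line ends the section."""
    admins, in_section = set(), False
    for line in dumpsys_output.splitlines():
        if line.lstrip().startswith("Enabled Device Admins"):
            in_section = True
            continue
        if not in_section:
            continue
        indent = len(line) - len(line.lstrip(" "))
        if line.strip() and indent <= 2:
            in_section = False          # next top-level section reached
            continue
        m = re.match(r"\s+([A-Za-z][\w.]*)/\S+:\s*$", line)
        if m:
            admins.add(m.group(1))
    return admins


def triage(pm_output: str, accessibility_setting: str, dumpsys_output: str) -> dict:
    """Return {package: (severity, [reasons])} for packages worth a look.
    'high'   = published IOC, or accessibility + device admin together
               (the privilege pairing the report describes for Sturnus)
    'review' = only one of the two privileges, not on the allowlist"""
    installed = parse_installed_packages(pm_output)
    a11y = parse_accessibility_services(accessibility_setting)
    admins = parse_active_admins(dumpsys_output)
    findings = {}
    for pkg in sorted(installed):
        reasons = []
        if pkg in STURNUS_IOC_PACKAGES:
            reasons.append("matches published Sturnus package name")
        if pkg in a11y and pkg not in KNOWN_GOOD_ACCESSIBILITY:
            reasons.append("holds accessibility service")
        if pkg in admins:
            reasons.append("active device admin")
        if not reasons:
            continue
        ioc_hit = reasons[0].startswith("matches")
        both = pkg in a11y and pkg in admins
        findings[pkg] = ("high" if ioc_hit or both else "review", reasons)
    return findings


# Constructed sample dumps (not captured from a real device).
SAMPLE_PM = """package:com.android.chrome
package:com.klivkfbky.izaybebnx
package:com.google.android.marvin.talkback
package:com.example.mdm
package:com.example.launcher
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.klivkfbky.izaybebnx/.AccService")
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.klivkfbky.izaybebnx/.AdminReceiver:
      uid=10231
      testOnlyAdmin=false
      policies:
        force-lock
    com.example.mdm/.DeviceAdminReceiver:
      uid=10140
      policies:
        wipe-data
  Device Owner:
    (none)
"""

if __name__ == "__main__":
    for pkg, (severity, reasons) in triage(SAMPLE_PM, SAMPLE_A11Y, SAMPLE_DUMPSYS).items():
        print(f"[{severity}] {pkg}: {'; '.join(reasons)}")
```

Feed it real data by capturing the three adb commands into files and passing their contents in. A hit on the IOC list is only a hit for the samples seen so far; the privilege-pairing rule is what catches a re-packaged build. As the report notes, a plain uninstall or ADB removal will fail while the admin receiver is active, so revoking device-admin rights in Settings comes first.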
“While proliferation remains limited at this stage, the combination of targeted geographies and high-value application focus suggests threat actors are refining their tools ahead of broader or more coordinated operations,” ThreatFabric said.
