Cybersecurity researchers have revealed new details about a banking trojan for Android called Sturnus, designed for credential theft and complete control of devices with the aim of carrying out financial fraud. According to the ThreatFabric report shared with The Hacker News, Sturnus is distinguished by its ability to bypass encryption in messaging applications, thus allowing attackers to monitor communications on platforms like WhatsApp, Telegram, and Signal.
Beware of Trojans!
One of the most alarming features of this trojan is its ability to insert fake login screens that overlay banking applications, making it easier to capture credentials from unsuspecting users. Its command-and-control traffic uses a mixed mechanism that combines plaintext with AES and RSA encryption. Researchers note that its name, Sturnus, refers to the European starling, a bird known for its mimicry and diverse vocalizations.
Once activated, Sturnus establishes a WebSocket channel to register the device and receive encrypted payloads. This channel also allows for remote interaction with the compromised device during Virtual Network Computing (VNC) sessions. Additionally, the malware abuses Android’s accessibility services to capture keystrokes and record user interactions.

The trojan can hide its activity behind a full-screen overlay that simulates an operating system update, diverting the user's attention while it carries out malicious actions. Although its distribution remains limited, its geographical focus on financial institutions in Southern and Central Europe suggests that the attackers are refining their tools for broader operations in the future. The extensive monitoring capabilities it provides could facilitate adaptive tactics to evade detection.
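Two of the capabilities described above, accessibility-service abuse and full-screen overlays, both depend on permissions that an administrator can audit from outside the app. The script below is an added triage example, not code from ThreatFabric or the original article: it parses the Android settings value that lists enabled accessibility services and the `appops` output for the `SYSTEM_ALERT_WINDOW` overlay permission, flagging any service that is not on an allowlist. All device output is constructed sample data with hypothetical package names (`com.example.updater`), the allowlist is an assumption, and the exact `appops` output format is assumed from typical devices; the `live_*` functions show how the same checks would be fed from a device attached via `adb`.

```shell
#!/bin/sh
# Added triage example (not from the ThreatFabric report): audit which apps hold
# the two Android capabilities Sturnus relies on, accessibility services and
# the SYSTEM_ALERT_WINDOW overlay permission, and flag anything not allowlisted.
# All device output below is constructed sample data; the live_* functions show
# how to feed real `adb` output into the same checks.

# Allowlist of accessibility services expected on managed devices (hypothetical).
ALLOWLIST='com.android.talkback/com.google.android.marvin.talkback.TalkBackService'

# Constructed value in the format returned by
#   adb shell settings get secure enabled_accessibility_services
# (colon-separated package/class pairs). The second entry is a hypothetical
# "updater" app of the kind a banking trojan poses as.
SAMPLE_ENABLED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.updater/com.example.updater.SvcAccess'

# Constructed output in the (assumed) format of
#   adb shell appops get <package> SYSTEM_ALERT_WINDOW
SAMPLE_APPOPS_ALLOW='SYSTEM_ALERT_WINDOW: allow; time=+3h12m4s ago'
SAMPLE_APPOPS_NONE='No operations.'

# flag_unknown_a11y VALUE
#   Prints every enabled accessibility service not in ALLOWLIST, one per line.
#   Returns 0 when nothing was flagged, 1 otherwise.
flag_unknown_a11y() {
    _found=0
    _old_ifs=$IFS
    IFS=':'
    for _svc in $1; do
        [ -n "$_svc" ] || continue
        case ":$ALLOWLIST:" in
            *":$_svc:"*) ;;                       # expected service
            *) printf '%s\n' "$_svc"; _found=1 ;; # unexpected: flag it
        esac
    done
    IFS=$_old_ifs
    return $_found
}

# overlay_allowed APPOPS_OUTPUT
#   Returns 0 if the appops output says the package may draw over other apps
#   (the capability behind fake login overlays and the fake "system update"
#   screen), 1 otherwise.
overlay_allowed() {
    case "$1" in
        *'SYSTEM_ALERT_WINDOW: allow'*) return 0 ;;
        *) return 1 ;;
    esac
}

# pkg_of SERVICE -> package part of a "package/class" entry
pkg_of() {
    printf '%s\n' "${1%%/*}"
}

# Live variants for a device attached via adb (require adb; not exercised here).
live_flag_unknown_a11y() {
    flag_unknown_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}
live_overlay_allowed() {
    overlay_allowed "$(adb shell appops get "$1" SYSTEM_ALERT_WINDOW | tr -d '\r')"
}

# Stand-alone run over the constructed sample (./audit.sh --demo): report each
# unexpected accessibility service and whether its package also holds overlay
# rights, the combination that enables credential-stealing overlays plus
# keystroke capture.
if [ "${1:-}" = "--demo" ]; then
    flag_unknown_a11y "$SAMPLE_ENABLED" | while read -r svc; do
        pkg=$(pkg_of "$svc")
        if overlay_allowed "$SAMPLE_APPOPS_ALLOW"; then
            echo "REVIEW: $pkg runs an accessibility service AND can draw overlays"
        else
            echo "REVIEW: $pkg runs an unexpected accessibility service"
        fi
    done
fi
```

On a real fleet the allowlist would come from the MDM baseline, and a package that both runs a non-allowlisted accessibility service and holds `SYSTEM_ALERT_WINDOW` is the case worth escalating, since that pairing is what a fake login overlay plus keystroke capture requires.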