MTI Security researchers have identified a sophisticated new threat in the mobile landscape: Sturnus, a privately operated Android banking trojan. This malware is notable not just for its goal of financial fraud, but for its advanced, full device takeover capabilities and a key differentiator: its ability to bypass encrypted messaging.
Sturnus’s most alarming feature is its ability to compromise communications on platforms like WhatsApp, Telegram, and Signal. Instead of attempting to break the network encryption, the trojan uses the Android Accessibility Service to capture screen content after the legitimate app has decrypted it for the user. This gives the attacker a direct, real-time view into supposedly private conversations, contacts, and the content of all incoming and outgoing messages.
As the report from ThreatFabric notes, this capability “completely sidesteps end-to-end encryption by accessing messages after they are decrypted by the legitimate app, giving the attacker a direct view into supposedly private conversations”.
The malware is designed for comprehensive fraud. It harvests banking credentials using convincing fake login screens, known as “overlay attacks”. Attackers are also granted extensive remote control over the infected device. This includes the ability to observe all user activity and, critically, “black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge”. This ‘Black Screen Overlay’ mechanism allows attackers to perform Device Takeover (DTO) fraud while shielding the malicious activity from the victim’s view.
Sturnus leverages both pixel-based screen streaming and a highly efficient UI-tree control layer for its remote sessions. This second method transmits structured descriptions of interface elements, enabling precise actions like clicks and text input with minimal bandwidth and without triggering standard screen-capture indicators.
Although MTI Security indicates the malware is “likely in its pre-deployment state,” it is already fully functional and in some aspects more advanced than established malware families. Sturnus is configured for targeted attacks against financial institutions in Southern and Central Europe, suggesting preparations for a broader campaign.
The trojan ensures its persistence by abusing Android Device Administrator privileges. Once granted, the malware actively monitors when a user attempts to navigate to the settings screen to disable its status and automatically navigates away to block the removal attempt. Furthermore, its command-and-control connection uses a complex and advanced mix of communication protocols (HTTP and WebSocket) with strong AES encryption, enabling real-time command and control and dynamic adaptation of tactics.
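The three capabilities described above (an Accessibility Service, overlay windows, and a Device Administrator receiver) each leave a footprint in an app's manifest. The following triage heuristic, added here as an example and not part of the original article or ThreatFabric's tooling, parses a decoded AndroidManifest.xml and reports which of those signals are declared; the sample manifest is constructed.

```python
"""Static triage heuristic: flag manifests that declare the capability
combination attributed to Sturnus (accessibility service + overlay
permission + device-admin receiver). Added example, not ThreatFabric's code.
Input is a decoded AndroidManifest.xml (e.g. from apktool); sample constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Manifest signals corresponding to the capabilities named in the article.
SIGNALS = {
    "accessibility": "android.permission.BIND_ACCESSIBILITY_SERVICE",  # on a <service>
    "overlay": "android.permission.SYSTEM_ALERT_WINDOW",               # <uses-permission>
    "device_admin": "android.permission.BIND_DEVICE_ADMIN",            # on a <receiver>
}

def manifest_signals(manifest_xml: str) -> dict:
    """Return which of the three capability signals a manifest declares."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME) for p in root.iter("uses-permission")}
    # A component protected by android:permission="BIND_*" is one the system
    # binds to: that is how accessibility services and admin receivers register.
    bound = {c.get(PERMISSION) for tag in ("service", "receiver") for c in root.iter(tag)}
    return {
        "accessibility": SIGNALS["accessibility"] in bound,
        "overlay": SIGNALS["overlay"] in requested,
        "device_admin": SIGNALS["device_admin"] in bound,
    }

def risk_score(signals: dict) -> int:
    """Number of signals present; 3 of 3 is the full device-takeover profile."""
    return sum(signals.values())

# Constructed sample manifest exhibiting all three signals.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Admin"
              android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = manifest_signals(SAMPLE_MANIFEST)
    print(found, "score:", risk_score(found))
```

Legitimate accessibility tools and MDM agents declare some of these signals too, so a high score is a prompt for manual review of the app's behaviour rather than a verdict on its own.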
Sturnus represents a highly sophisticated and comprehensive threat, combining multiple vectors for near-complete device control and data theft. The malware’s use of keylogging and accessibility features to capture sensitive information, even from encrypted messaging apps, establishes a dangerous new precedent in mobile banking threats.