A new type of Android banking trojan has emerged that can bypass encrypted messaging apps like WhatsApp, Telegram and Signal to steal users’ banking credentials. According to security researchers at ThreatFabric, the new trojan, called Sturnus, possesses dangerous abilities even though it is still in its testing phase.
The researchers warn that Sturnus has already been configured with targets against financial institutions across Southern and Central Europe, suggesting that preparations for a broader campaign are underway. The malware is also said to be more advanced than existing, more established malware families in areas like its communication protocol and device support.
The name “Sturnus” was inspired by Sturnus vulgaris (the European Starling), a medium-sized passerine bird known for its rapid, irregular vocal patterns. Researchers drew the parallel because the malware’s communication protocol switches unpredictably between simple and complex messages, resembling the bird’s rapid, irregular chatter.
How does Sturnus work?
As mentioned earlier, Sturnus possesses the ability to bypass end-to-end encryption on messaging apps like WhatsApp, Signal and Telegram. The malware does not “hack” the encryption protocol itself but instead abuses the Accessibility Services settings on Android.
Sturnus reads the messages directly from the user’s screen after the phone decrypts them. This means it can monitor incoming and outgoing messages in real time and view information like contact lists and full conversation threads.
The researchers say that Sturnus “monitors the foreground app and automatically activates its UI-tree collection whenever the victim opens encrypted messaging services such as WhatsApp, Signal or Telegram.”
Sturnus disguises itself as legitimate apps like “Google Chrome” or “Preemix Box” in order to trick users into installing it.
How does it commit financial fraud?
Researchers explain that Sturnus is designed to commit financial fraud using two primary methods:
1) Fake login screens
Attackers show a fake banking screen on top of the legitimate app. So when the user types their username and password, they are actually giving them to the attackers and not the bank.
2) The “Black Screen” attack
When hackers want to perform a transaction remotely on the victim’s device, they trigger a “Black Screen” overlay where the user’s phone goes dark, making them believe the device is turned off or sleeping. Instead, the hackers operate the phone in the background and drain the funds without the victim realising what is happening.
Sturnus can fight back
The researchers also warned that Sturnus is programmed to stay on the victim’s phone aggressively by using the device’s Administrator privileges to prevent uninstallation.
The malware constantly checks battery levels, sensors and network status to determine if it is being analysed by security researchers. If it thinks it is being watched, it may hide its behaviour.
Moreover, if the user tries to uninstall the app or revoke its permissions in settings, the malware detects this and automatically clicks ‘back’ or closes the window.
“Sturnus maintains extensive situational awareness through a broad environmental monitoring subsystem designed to ensure long-term resilience on the device,” the researchers warned.
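Because the behaviour described above rests on two grantable capabilities, an enabled Accessibility Service and Device Administrator rights, a quick defender-side triage is to list which packages hold them and flag anything outside an allowlist. The following is an added example, not code from ThreatFabric or the article; the `adb shell` output it parses is constructed (package names are placeholders, not Sturnus indicators), and the `dumpsys device_policy` layout is assumed from typical output.

```python
"""Flag Android accessibility services and device admins not on an allowlist."""
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Real values are ':'-separated ComponentName strings (package/class).
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.unknownapp/.AccService"
)

# Constructed, approximate excerpt of: adb shell dumpsys device_policy
DUMPSYS_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:
      uid=10123
    com.example.unknownapp/.AdminReceiver:
      uid=10210
"""

# Packages an organisation expects to hold these powerful capabilities (assumed).
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}
ALLOWED_ADMINS = {"com.google.android.apps.work.clouddpc"}


def parse_accessibility(value):
    """Split the colon-separated settings value into ComponentName strings."""
    return [c for c in value.strip().split(":") if c]


def parse_device_admins(dump):
    """Return ComponentName strings listed under 'Enabled Device Admins'."""
    admins, in_section = [], False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        # Component lines sit at 4-space indent and end with ':'; detail lines are deeper.
        match = re.match(r"^\s{4}(\S+/\S+):\s*$", line)
        if in_section and match:
            admins.append(match.group(1))
    return admins


def flag_unexpected(components, allowlist):
    """Keep components whose package (the part before '/') is not allowlisted."""
    return sorted({c for c in components if c.split("/", 1)[0] not in allowlist})


def triage(a11y_value, dumpsys_text):
    """Map each capability to the list of unexpected holders."""
    return {
        "accessibility": flag_unexpected(parse_accessibility(a11y_value), ALLOWED_A11Y),
        "device_admin": flag_unexpected(parse_device_admins(dumpsys_text), ALLOWED_ADMINS),
    }


if __name__ == "__main__":
    for kind, comps in triage(ENABLED_A11Y, DUMPSYS_DEVICE_POLICY).items():
        for comp in comps:
            print(f"[!] unexpected {kind} holder: {comp}")
```

A package appearing in both lists is the combination the article describes, an app that can read the screen and resist removal, and is worth inspecting first.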