The cybersecurity community has put the spotlight on Sturnus, a banking trojan for Android. This threat combines financial fraud techniques with communications espionage: it can read WhatsApp, Telegram, or Signal conversations immediately after the apps decrypt them on the device, and it also gives attackers almost complete remote control of the handset.
ThreatFabric researchers describe fully functional software, although still at an early stage, with the ability to steal credentials through overlay screens, record keystrokes, and remotely operate the mobile device. So far, its activity has been detected primarily in Central and Southern Europe, an environment where users and financial institutions must exercise extreme caution, as with other threats such as PlayPraetor.
What is Sturnus and how does it work?

The key to Sturnus' success lies in its abuse of the Android Accessibility Service, which lets the malware see exactly what the user sees on screen and underlines the importance of controlling sideloading on Android. When a messaging app is opened, the malware waits for the content to appear and captures it, effectively bypassing end-to-end encryption without breaking it.
In addition to spying on chats, this trojan deploys overlay attacks that mimic mobile banking login screens to steal credentials. It can monitor which app is in the foreground, record typed text, and display fake forms to trick victims.
Another pillar of Sturnus's arsenal is its VNC-style remote control module. Through an encrypted channel, the attacker can press buttons, type, navigate menus, approve transactions, or change settings. To conceal this activity, the operators use visual tricks such as covering the screen with a black overlay or displaying a fake system update while operating in the background.
The impact goes beyond password theft: the ability to read shared conversations and documents exposes users to added risks, such as blackmail or subsequent fraud, while enabling stealthy movement within the compromised device.
Infection vector and communication with the server
The detected infections begin when the victim installs a malicious APK camouflaged as a legitimate app, such as Google Chrome or an app called Preemix Box. Although the exact method varies, phishing campaigns have been observed, and the use of malvertising to drive downloads from outside the official store is suspected.
Once inside, Sturnus requests Accessibility Service permission and Device Administrator privileges. With that combination, it can read text on the screen, simulate gestures, record inputs, and make its uninstallation extremely difficult, remaining persistent on the system.
The malware performs an initial registration with its command and control (C2) infrastructure and establishes mixed communication channels: it combines plaintext exchanges with RSA and AES encryption depending on the phase of the operation. Connections over HTTPS, plus an additional channel using encrypted WebSocket for real-time commands and data exfiltration, have been observed.
According to ThreatFabric, Sturnus shows a modular architecture and sustained development. This model, allegedly managed by a private company, facilitates rapid updates, the integration of new features, and adaptation to defensive measures, including the silent installation or removal of apps.
Scope in Europe and protection measures

For now, Sturnus operators seem to be focusing on clients of financial institutions in Central and Southern Europe, with low-volume campaigns suggesting a testing phase before wider expansion. Nevertheless, the observed capabilities place it among the most complex mobile threats currently in circulation.
If the trials are successful, it is possible the malware will attempt to expand its scope to other European countries, including the Spanish market, taking advantage of its screen access and controls to bypass security and multi-factor barriers.
Practical recommendations to reduce the risk:
- Avoid installing APKs from outside of Google Play and be wary of download links received via SMS, email or messaging.
- Review Accessibility Service permissions and limit them to the apps that strictly need them.
- Keep your system and apps updated, keep Play Protect active, and review granted permissions regularly.
- Activate additional secure banking measures: 2FA/MFA, activity alerts and out-of-band validations.
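The accessibility-service abuse described above and the recommendation to review those permissions suggest a concrete check a defender can run. The following audit script is an added example, not code from the article or from ThreatFabric. It parses the output of two real `adb shell` commands, `settings get secure enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` components) and `pm list packages -3 -i` (non-system packages with their installer), and flags every enabled accessibility service whose package is not on a small allowlist, marking it as sideloaded when its installer is not the Play Store. The sample output embedded below is constructed for the example; the package names `com.preemix.box` and `com.example.passwordmgr` are placeholders, not identifiers taken from the malware.

```python
"""Audit enabled Android accessibility services against sideloaded packages.

Added example for the Sturnus write-up. Inputs are constructed samples in the
format of `adb shell settings get secure enabled_accessibility_services` and
`adb shell pm list packages -3 -i`; feed real output to audit() on a device.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: one legitimate screen reader (TalkBack), one placeholder
# sideloaded app using a short ".Class" component form, one Play-installed app.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.preemix.box/.CoreService:"
    "com.example.passwordmgr/com.example.passwordmgr.FillService"
)
SAMPLE_PACKAGES = """\
package:com.preemix.box  installer=null
package:com.example.passwordmgr  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
"""

# Packages whose accessibility services are expected (extend per environment).
ALLOWLIST = frozenset({"com.google.android.marvin.talkback"})
# Installers considered trusted; anything else (or none) counts as sideloaded.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


@dataclass
class Finding:
    package: str
    service: str
    installer: str | None
    sideloaded: bool


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Split the settings value into (package, fully qualified service) pairs."""
    entries: list[tuple[str, str]] = []
    for item in raw.strip().split(":"):
        if not item or item == "null":  # "null" is what adb prints when unset
            continue
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):  # short form "pkg/.Cls" means pkg + ".Cls"
            cls = pkg + cls
        entries.append((pkg, cls))
    return entries


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map each non-system package to its installer (None when 'null')."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = _PKG_LINE.match(line.strip())
        if m:
            pkg, inst = m.group(1), m.group(2)
            installers[pkg] = None if inst == "null" else inst
    return installers


def audit(enabled_raw: str, packages_raw: str,
          allowlist: frozenset[str] = ALLOWLIST) -> list[Finding]:
    """Return every non-allowlisted accessibility service, flagging sideloads."""
    installers = parse_installers(packages_raw)
    findings: list[Finding] = []
    for pkg, cls in parse_enabled_services(enabled_raw):
        if pkg in allowlist:
            continue
        installer = installers.get(pkg)
        # A package absent from the -3 list is a system app, not a sideload.
        sideloaded = pkg in installers and installer not in TRUSTED_INSTALLERS
        findings.append(Finding(pkg, cls, installer, sideloaded))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES):
        tag = "SIDELOADED" if f.sideloaded else "review"
        print(f"[{tag}] {f.package} -> {f.service} (installer={f.installer})")
```

On a real device, capture the two command outputs with `adb shell` and pass them to `audit()`; a sideloaded package holding an enabled accessibility service is exactly the profile the article warns about and should be treated as a priority for review, permission revocation, and removal.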
If you suspect something, it's best to act quickly: disconnect data temporarily, notify the bank to block transactions, analyze the device with a reputable solution, revoke accessibility permissions and, if indications persist, consider a factory reset and changing passwords.
The combination of reading messages after decryption, live remote control, and convincing bank overlays makes Sturnus a formidable adversary. Although its operators are still proceeding cautiously in Europe, the breadth of its techniques calls for heightened vigilance and the adoption of best practices before its campaigns gain scale.
