Ethical Hacking News
A new Android banking trojan named Sturnus has been detected, capable of stealing messages from end-to-end encrypted messaging platforms such as Signal, WhatsApp, and Telegram. This malware uses the Accessibility services on the device to capture sensitive information and gain full control over the device. With its sophisticated capabilities and potential for widespread deployment, Sturnus is a growing threat to user privacy that should not be taken lightly.
The new Android banking trojan Sturnus has sophisticated capabilities to steal messages from end-to-end encrypted messaging platforms. Sturnus evades traditional security measures by abusing Accessibility services on the device, allowing it to capture inputs and observe UI structure. The malware can sidestep end-to-end encryption by accessing messages after they are decrypted by the legitimate app, compromising user privacy and security. Sturnus establishes an encrypted HTTPS channel for commands and data exfiltration, as well as an AES-encrypted WebSocket channel for real-time VNC operations and live monitoring. The malware is disguised as Google Chrome or Preemix Box applications, using APKs to infect devices. Android users are advised to avoid downloading APK files from outside Google Play, keep Play Protect active, and be cautious with Accessibility permissions. Sturnus has strong protection against cleanup attempts, blocking both uninstallation and removal through tools like ADB until administrator rights are manually revoked.
Recently, a new Android banking trojan named Sturnus has been making headlines for its sophisticated capabilities to steal messages from end-to-end encrypted messaging platforms such as Signal, WhatsApp, and Telegram. This malware, which is still in its early development stage, has been observed to target accounts at multiple financial organizations in Europe by using region-specific overlay templates.
The threat actor behind Sturnus evades traditional security measures by abusing the device's Accessibility services. This lets the malware capture the victim's inputs, observe the UI structure, detect app launches, press buttons, scroll, inject text, and navigate the phone. It can also read on-screen text, so everything that appears on screen – contacts, full conversation threads, and the content of incoming and outgoing messages – is exposed in real time.
What makes Sturnus particularly dangerous is its ability to sidestep end-to-end encryption by accessing messages after they are decrypted by the legitimate app. This gives the attacker a direct view into supposedly private conversations, compromising user privacy and security.
In terms of its capabilities, Sturnus establishes an encrypted HTTPS channel for commands and data exfiltration, as well as an AES-encrypted WebSocket channel for real-time VNC operations and live monitoring. It also gains full control of the device by obtaining Android Device Administrator privileges, which let the operators keep track of password changes and unlock attempts.
As for distribution, Sturnus is disguised as Google Chrome or Preemix Box applications, and infections start when the victim installs an APK masquerading as one of them. Researchers have not yet discovered how these APKs reach victims.
In order to prevent falling victim to such threats, Android users are advised to avoid downloading APK files from outside Google Play and keep Play Protect active. Additionally, they should be cautious when granting Accessibility permissions unless truly needed.
Until its administrator rights are manually revoked, both ordinary uninstallation and removal through tools like ADB are blocked, giving the malware strong protection against cleanup attempts.
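The two persistence mechanisms described above (an abused Accessibility service and an active Device Administrator receiver) are both visible from `adb`, so a defender triaging a suspect device can check for them directly. The following script is an added example, not code from the article or from ThreatFabric: it parses the Secure setting `enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` names) and the `Enabled Device Admins` section of `dumpsys device_policy`, flags components whose package is not on an allowlist, and orders the cleanup the way the text describes, revoking admin rights before uninstalling. The allowlist, the package name `com.example.fakechrome`, and the sample outputs are constructed for the example, and the `dumpsys` layout it parses is an assumption that varies across Android versions.

```python
import re
from typing import Dict, List

# Constructed allowlist for the example. A real deployment derives these sets
# from the organisation's approved app inventory.
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_DEVICE_ADMINS = {"com.google.android.gms"}

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# `com.example.fakechrome` is a placeholder package name, not a real indicator.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/.UiWatcherService"
)

# Constructed sample of `adb shell dumpsys device_policy` (layout is an assumption).
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Immutable state:
    mHasFeature=true
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.gms/.auth.managed.admin.DeviceAdminReceiver:
      uid=10040
      policies:
        force-lock
    com.example.fakechrome/.AdminReceiver:
      uid=10211
      policies:
        force-lock
        wipe-data
  Active Password Quality: 0
"""


def parse_enabled_accessibility_services(value: str) -> List[str]:
    """Split the Secure setting into flattened component names.

    Android stores the setting as `pkg/Class:pkg/Class`; it reads `null` or
    empty when no accessibility service is enabled.
    """
    value = value.strip()
    if not value or value == "null":
        return []
    return [c for c in value.split(":") if c]


def parse_active_admins(dumpsys_text: str) -> List[str]:
    """Extract active device-admin components from `dumpsys device_policy`.

    Assumed layout: entries sit under an 'Enabled Device Admins' heading, one
    `pkg/Class:` line each, indented deeper than the heading; the section ends
    at the first non-empty line indented no deeper than the heading.
    """
    admins: List[str] = []
    heading_indent = None
    entry = re.compile(r"^(\s*)([\w.]+/[\w.$]+):\s*$")
    for line in dumpsys_text.splitlines():
        if heading_indent is None:
            if "Enabled Device Admins" in line:
                heading_indent = len(line) - len(line.lstrip())
            continue
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent <= heading_indent:
            break  # left the section
        m = entry.match(line)
        if m:
            admins.append(m.group(2))
    return admins


def triage(accessibility_setting: str, dumpsys_text: str) -> Dict[str, List[str]]:
    """Return components not on the allowlists, keyed by the capability they hold."""
    acc = [c for c in parse_enabled_accessibility_services(accessibility_setting)
           if c.split("/")[0] not in ALLOWED_ACCESSIBILITY]
    adm = [c for c in parse_active_admins(dumpsys_text)
           if c.split("/")[0] not in ALLOWED_DEVICE_ADMINS]
    return {"accessibility": acc, "device_admin": adm}


def remediation_plan(findings: Dict[str, List[str]]) -> List[str]:
    """Order cleanup as the write-up requires: revoke admin rights first,
    because uninstall (including via adb) is refused while the receiver is active."""
    steps = [f"adb shell dpm remove-active-admin {c}" for c in findings["device_admin"]]
    packages = {c.split("/")[0] for c in findings["device_admin"] + findings["accessibility"]}
    steps.extend(f"adb uninstall {pkg}" for pkg in sorted(packages))
    return steps


if __name__ == "__main__":
    found = triage(SAMPLE_ACCESSIBILITY, SAMPLE_DUMPSYS)
    for capability, comps in found.items():
        for comp in comps:
            print(f"[!] unexpected {capability}: {comp}")
    for step in remediation_plan(found):
        print(step)
```

On a live device the two inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`; the allowlist approach matters more than the parsing, since a trojan that names its service after a browser is only distinguishable by its package not being one the organisation approved.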
ThreatFabric has observed Sturnus attacks in low volume, mostly targeting users in Southern and Central Europe; this could indicate that the threat actor is running tests ahead of larger campaigns.
The combination of advanced features commonly found in top-tier Android malware and its "ready to scale" architecture makes Sturnus a dangerous threat to look out for. It is essential for security teams and researchers to stay vigilant and develop new strategies to detect and mitigate such threats before they become widespread.
In conclusion, the discovery of Sturnus highlights the importance of staying updated with the latest security measures and being aware of emerging threats. By understanding how malware like Sturnus operates, we can better protect ourselves against future attacks and ensure our online privacy remains secure.
Related Information:
https://www.ethicalhackingnews.com/articles/Android-Banking-Trojan-Sturnus-Steals-Signal-WhatsApp-Messages-A-Growing-Threat-to-User-Privacy-ehn.shtml
https://www.bleepingcomputer.com/news/security/multi-threat-android-malware-sturnus-steals-signal-whatsapp-messages/
Published: Thu Nov 20 04:06:25 2025 by llama3.2 3B Q4_K_M