

Ethical Hacking News

New Android Banking Trojan Sturnus Captures Encrypted Chats and Hijacks Devices with Stealthy Overlays and Remote Control Mechanisms

  • Sturnus is a new Android banking trojan whose stealth features let it read encrypted messaging apps, hijack devices, and carry out financial fraud.
  • The malware targets financial institutions across Southern and Central Europe with region-specific overlays.
  • Sturnus uses a mixed communication pattern that combines plaintext traffic with AES- and RSA-encrypted messages.
  • The malware serves fake overlays for banking apps to capture victims' credentials and abuses accessibility services to collect chat contents from popular messaging services.
  • Sturnus also has an alternate remote control mechanism that mirrors the device screen in real time.
  • Its extensive environment monitoring lets threat actors collect sensor information, network conditions, hardware data, and an inventory of installed apps.



The mobile security landscape has recently witnessed the emergence of a new Android banking trojan dubbed Sturnus, which combines a set of stealth features that let it read encrypted messaging apps, hijack devices, and carry out financial fraud. According to cybersecurity researchers at ThreatFabric, the malware specifically targets financial institutions across Southern and Central Europe with region-specific overlays, making it a significant threat to regional financial security.

In terms of its operational mechanism, Sturnus uses a mixed communication pattern that blends plaintext traffic with AES- and RSA-encrypted messages. This mimicry is the source of its name: the European starling (binomial name: Sturnus vulgaris) is known for imitating a variety of whistles. The malware initiates contact with a remote server over WebSocket and HTTP channels to register the device and receive encrypted payloads in return. It also establishes a WebSocket channel that lets threat actors interact with the compromised Android device during Virtual Network Computing (VNC) sessions.

Furthermore, Sturnus serves fake overlays for banking apps to capture victims' credentials and abuses Android's accessibility services to gather chat contents from Signal, Telegram, and WhatsApp, as well as to send details about every visible interface element on the screen. These features allow attackers to reconstruct the screen layout on their end and remotely issue actions such as clicks, text input, scrolling, app launches, and permission confirmations, and even to enable a black screen overlay that hides their activity from the victim.

Another notable feature of Sturnus is an alternate remote control mechanism that uses the system's display-capture framework to mirror the device screen in real time. The malware also monitors device activity through the accessibility service: when it detects a user attempting to revoke its device-administrator status, it automatically navigates away from the relevant settings screens, interrupting the user before the change can be made.

The extensive environment monitoring capabilities of Sturnus make it possible to collect sensor information, network conditions, hardware data, and an inventory of installed apps. This device profile serves as a continuous feedback loop, enabling attackers to adapt their tactics to sidestep detection. ThreatFabric notes that the malware's current operation is limited in scale, but believes the attackers are refining their tooling ahead of broader or more coordinated operations.

The distribution artifacts seen so far are samples posing as Google Chrome (package name "com.klivkfbky.izaybebnx") and Preemix Box (package name "com.uvxuthoq.noscjahae").
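The following is an added example, not code from the article or from ThreatFabric, showing how a defender might triage an installed-app inventory for the indicators the article describes: the two package names quoted above, plus the combination of overlay, accessibility-service and device-admin capabilities that the trojan relies on. The permission identifiers are standard Android ones; the inventory records, the `com.example.*` packages, the scoring weights and the threshold are constructed assumptions for illustration.

```python
"""Triage a constructed installed-app inventory for Sturnus-style indicators.

Added example; not part of the original article or ThreatFabric's report.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Distribution artifacts quoted in the article (package name -> app it poses as).
STURNUS_PACKAGES = {
    "com.klivkfbky.izaybebnx": "Google Chrome",
    "com.uvxuthoq.noscjahae": "Preemix Box",
}

# Standard Android identifiers for the three capabilities the article describes:
# screen overlays, accessibility-service abuse, and device-administrator status.
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"

# Heuristic weights: assumed values, not taken from the report.
WEIGHTS = {OVERLAY: 1, ACCESSIBILITY: 2, DEVICE_ADMIN: 2}
REAL_CHROME_PACKAGE = "com.android.chrome"


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]            # installer package; None means sideloaded
    permissions: Set[str] = field(default_factory=set)


@dataclass
class Finding:
    package: str
    score: int
    reasons: List[str]


def triage(app: InstalledApp, threshold: int = 4) -> Optional[Finding]:
    """Score one app; return a Finding when the score reaches the threshold."""
    score, reasons = 0, []
    if app.package in STURNUS_PACKAGES:
        score += 10
        reasons.append(f"known Sturnus package posing as {STURNUS_PACKAGES[app.package]}")
    # Each abused capability adds weight; the full triad is what enables the
    # overlay + chat capture + admin-protection behaviour described above.
    for perm, weight in WEIGHTS.items():
        if perm in app.permissions:
            score += weight
            reasons.append("requests " + perm.rsplit(".", 1)[-1])
    if app.installer is None:
        score += 1
        reasons.append("sideloaded (no installer package)")
    # A "Google Chrome" label on a package that is not Chrome is impersonation.
    if app.label.strip().lower() == "google chrome" and app.package != REAL_CHROME_PACKAGE:
        score += 3
        reasons.append("label impersonates Google Chrome")
    if score < threshold:
        return None
    return Finding(app.package, score, reasons)


def scan(inventory: List[InstalledApp], threshold: int = 4) -> List[Finding]:
    """Triage every app and return findings, highest score first."""
    findings = [f for f in (triage(a, threshold) for a in inventory) if f is not None]
    return sorted(findings, key=lambda f: f.score, reverse=True)


# Constructed inventory: one legitimate Chrome, one Sturnus sample, one benign
# accessibility app from the store, and one sideloaded overlay+accessibility app.
SAMPLE_INVENTORY = [
    InstalledApp(REAL_CHROME_PACKAGE, "Google Chrome", "com.android.vending",
                 {"android.permission.INTERNET"}),
    InstalledApp("com.klivkfbky.izaybebnx", "Google Chrome", None,
                 {OVERLAY, ACCESSIBILITY, DEVICE_ADMIN, "android.permission.INTERNET"}),
    InstalledApp("com.example.screenreader", "Screen Reader", "com.android.vending",
                 {ACCESSIBILITY}),
    InstalledApp("com.example.sideloaded.tool", "Tool", None,
                 {OVERLAY, ACCESSIBILITY}),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_INVENTORY):
        print(f"{finding.package}: score {finding.score}")
        for reason in finding.reasons:
            print("  -", reason)
```

The known-package match alone is enough to flag the sample, but the weighted capability check is what matters operationally: package names change between campaigns, while a sideloaded app that holds overlay, accessibility and device-admin rights at once is rare among legitimate software and is exactly the profile the article describes.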

The emergence of Sturnus highlights the evolving threat landscape in mobile security and underscores the importance of vigilance against sophisticated banking trojans that employ stealthy features such as overlay attacks and remote control mechanisms. As cybersecurity researchers continue to track and analyze this malware, it is clear that user awareness and robust security measures will be essential in mitigating the impact of such threats.



Related Information:
  • https://www.ethicalhackingnews.com/articles/New-Android-Banking-Trojan-Sturnus-Captures-Encrypted-Chats-and-Hijacks-Devices-with-Stealthy-Overlays-and-Remote-Control-Mechanisms-ehn.shtml
  • https://thehackernews.com/2025/11/new-sturnus-android-trojan-quietly.html

Published: Thu Nov 20 06:06:09 2025 by llama3.2 3B Q4_K_M
