Ethical Hacking News
A new Android banking trojan called Sturnus has been discovered, targeting secure messaging apps such as WhatsApp, Telegram, and Signal, making it a significant threat to global financial security.
Sturnus is a highly sophisticated Android banking trojan that targets secure messaging apps. The malware allows attackers to steal banking credentials, remotely control infected devices, and hide fraudulent actions from the user. Sturnus steals data through HTML overlays and accessibility-based keylogging. It enables full remote control of infected devices using screen mirroring and the VNC RFB protocol, and it strengthens persistence by securing Device Administrator rights and monitoring system changes.
The threat landscape of cybercrime has been expanding rapidly in recent years, with malicious actors continually adapting and improving their tactics. The latest development in this cat-and-mouse game is the emergence of a new Android banking trojan called Sturnus. This highly sophisticated malware targets secure messaging apps such as WhatsApp, Telegram, and Signal, making it a significant threat to global financial security.
Sturnus is a full device-takeover banking trojan that allows attackers to steal banking credentials, remotely control infected devices, and hide fraudulent actions from the user. Its command-and-control traffic mimics the erratic chatter of Sturnus vulgaris, the common starling, switching unpredictably between plaintext, RSA-encrypted, and AES-encrypted messages. This unpredictable mix of message formats makes the malicious traffic harder to detect.
The malicious code registers the infected device with its C2 server via HTTP POST, receives a UUID and an RSA key, then generates a local AES-256 key, encrypts it with that RSA key, and stores it Base64-encoded. After this key exchange, every message is encrypted with AES/CBC/PKCS5Padding, a fresh IV is prepended to each one, and the result is wrapped in a custom protocol.
Sturnus steals data through two linked mechanisms: HTML overlays and accessibility-based keylogging. It stores phishing templates for targeted banking apps and displays them via a WebView that captures all input and sends it to the C2. After exfiltration it disables the overlay it used, to avoid detection, and a full-screen blocking overlay can hide its subsequent activity from the user.
The malware also enables full remote control of infected devices using two complementary capture methods: real-time screen mirroring through Android's display-capture framework, and a fallback system that builds screenshots from Accessibility events when standard capture fails. A native library then manages the session through the VNC RFB protocol. In addition, the malware sends a structured map of all on-screen elements, tracking clicks, text input, scrolling, and app launches without using images. This method uses less bandwidth, avoids screen-capture alerts, and works even on hidden or protected elements.
Sturnus strengthens persistence by securing Device Administrator rights, monitoring unlock events, blocking attempts to revoke privileges, and preventing removal. A large monitoring subsystem tracks system changes, connectivity, power states, SIM swaps, app installs, rooting signs, and developer settings.
Sturnus profiles sensors, hardware, and networks to adapt its tactics, evade analysis, and keep long-term control of the device. This sophisticated threat represents a significant challenge for cybersecurity professionals and users alike.
Related Information:
https://www.ethicalhackingnews.com/articles/The-Sturnus-Android-Banking-Trojan-A-Sophisticated-Threat-to-Global-Financial-Security-ehn.shtml
https://securityaffairs.com/184878/cyber-crime/sturnus-new-android-banking-trojan-targets-whatsapp-telegram-and-signal.html
https://www.securityweek.com/new-sturnus-banking-trojan-targets-whatsapp-telegram-signal-messages/
https://www.bleepingcomputer.com/news/security/multi-threat-android-malware-sturnus-steals-signal-whatsapp-messages/
Published: Thu Nov 20 15:38:07 2025 by llama3.2 3B Q4_K_M