Security researchers have uncovered a dangerous new Android banking trojan that can bypass the end-to-end encryption of popular messaging applications including WhatsApp, Signal, and Telegram. The malware, named Sturnus, represents a significant threat to mobile banking security across Europe and potentially globally.
What is Sturnus Malware?
According to cybersecurity firm ThreatFabric, Sturnus possesses sophisticated capabilities despite still being in its testing phase. The malware has already been configured to target financial institutions throughout Southern and Central Europe, indicating preparations for a widespread attack campaign.
Researchers note that Sturnus appears more advanced than established malware families in critical areas such as communication protocols and device support. The name Sturnus derives from Sturnus vulgaris, the European starling, a bird known for its rapid and irregular vocal patterns. The name reflects the malware's unpredictable communication style, which switches between simple and complex messages.
How Sturnus Bypasses Encryption
Sturnus employs a clever approach to circumvent the strong encryption protecting messaging platforms. Rather than attempting to break the encryption protocols directly, the malware abuses Android's Accessibility Services to read messages directly from the user's screen after the device has decrypted them.
The trojan monitors which application is currently active on the device and automatically begins collecting interface data when victims open encrypted messaging services. This allows attackers to view incoming and outgoing messages in real-time, along with contact lists and complete conversation histories.
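Because the malware needs an enabled Accessibility Service to read decrypted screen content, one practical triage step is to compare the services enabled on a device against an allowlist. The script below is an added example written for this article, not code from ThreatFabric or the report; the allowlisted package names and the sample setting value are assumptions constructed for illustration.

```shell
#!/bin/sh
# Flag enabled Android accessibility services that are not on an allowlist.
# Input is the raw value of the secure setting "enabled_accessibility_services",
# a colon-separated list of "package/ServiceClass" entries, as printed by:
#   adb shell settings get secure enabled_accessibility_services
# The setting reads "null" when no service has ever been enabled.

# Packages expected to hold accessibility access (assumed; adjust per fleet).
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.talkback"

# Print every entry whose package is not allowlisted, one per line.
flag_unexpected_a11y() {
    raw="$1"
    if [ "$raw" = "null" ]; then
        raw=""
    fi
    # Trailing newline so the last entry is read even without a terminator.
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r entry; do
        if [ -z "$entry" ]; then
            continue
        fi
        pkg="${entry%%/*}"      # package name precedes the first "/"
        allowed=0
        for a in $ALLOWED_PACKAGES; do
            if [ "$pkg" = "$a" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done
}

# Query a connected device (requires adb); prints nothing when clean.
check_device() {
    flag_unexpected_a11y "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
}

# Constructed sample value (not captured from a real device): TalkBack plus an
# unknown service of the kind an accessibility-abusing trojan would register.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.unknownapp/.svc.Reader"

flag_unexpected_a11y "$SAMPLE"
```

Run `check_device` against a device connected over adb; any line it prints is a service that should be explained or revoked.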
Financial Fraud Techniques and Self-Protection
Sturnus utilizes two primary methods to commit financial fraud. First, it displays fake banking login screens superimposed over legitimate banking applications. When users enter their credentials, they unknowingly provide them directly to attackers rather than their financial institution.
The second technique, known as the Black Screen Attack, involves hackers triggering a dark overlay on the victim's device screen while remotely conducting transactions in the background. Users mistakenly believe their phone has turned off or entered sleep mode while criminals systematically drain their accounts.
Perhaps most concerning are Sturnus's aggressive self-preservation capabilities. The malware uses Device Administrator privileges to prevent removal and constantly monitors battery levels, sensors, and network status to detect security analysis attempts. If it suspects monitoring, the malware can hide its behavior. It even automatically presses back or closes windows when users attempt to uninstall it or revoke its permissions.
Security experts warn that Sturnus maintains extensive environmental awareness through a sophisticated monitoring subsystem designed to ensure long-term persistence on infected devices. This represents a significant escalation in mobile malware sophistication that demands increased user vigilance.