
A new Android banking trojan has surfaced that can read conversations in encrypted messaging applications such as WhatsApp, Telegram, and Signal and steal users' banking credentials. Security researchers from ThreatFabric identified the malware, named Sturnus, which exhibits alarming capabilities despite still being in its testing phase. The researchers note that Sturnus is already configured to target financial institutions throughout Southern and Central Europe, indicating preparations for a potentially widespread campaign. The malware is reportedly more sophisticated than existing malware families, particularly in its communication protocols and device compatibility.

The name 'Sturnus' comes from Sturnus vulgaris, commonly known as the European Starling, a bird recognized for its erratic vocalizations. The analogy reflects the malware's unpredictable communication methods, which alternate between simple and complex messages.

Sturnus bypasses the end-to-end encryption of messaging services not by breaking the encryption itself, but by abusing Android's Accessibility Services. By reading messages displayed on the user’s screen after decryption, it can monitor both incoming and outgoing communications in real time and access contact lists and full conversation threads. According to the researchers, Sturnus activates its collection mechanisms whenever a user opens an encrypted messaging app, effectively eavesdropping on their communications.

The malware masquerades as legitimate applications, such as 'Google Chrome' or 'Preemix Box,' tricking users into downloading it. Aimed at financial fraud, Sturnus employs two primary tactics: it overlays a fake banking interface on top of legitimate apps to capture login credentials, and it triggers a 'Black Screen' overlay during transactions, deceiving users into thinking their device is inactive while it siphons off funds in the background.

Additionally, Sturnus is designed to persist on the infected device, using Administrator privileges to obstruct attempts at uninstallation. It continuously monitors battery levels, sensors, and network status to evade detection by security analysts. If it suspects scrutiny, it may conceal its activities. Users attempting to uninstall the app or adjust its permissions may find that the malware automatically intervenes, clicking 'back' or closing the settings window. Researchers have cautioned that Sturnus possesses extensive situational awareness, supported by a comprehensive monitoring framework meant to ensure its long-term presence on compromised devices.
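
For defenders, the permission combination described above (an Accessibility Service plus Administrator privileges on an app that did not come from the store) can be triaged from device inventory. The following is an added example, not code from ThreatFabric or the article; it assumes the accessibility value comes from `settings get secure enabled_accessibility_services`, the installer list from `pm list packages -i`, and that active device-admin components are supplied one per line. All package names and sample data are constructed.

```python
# Added example: flag packages combining the signals the article describes.
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

def packages_from_components(value, sep=":"):
    """Return package names from 'package/service' component strings."""
    pkgs = set()
    for comp in value.strip().split(sep):
        comp = comp.strip()
        if comp and comp != "null":          # 'null' means the setting is unset
            pkgs.add(comp.split("/", 1)[0])
    return pkgs

def parse_installers(pm_output):
    """Parse 'package:<name>  installer=<name>' lines into {package: installer}."""
    installers = {}
    for line in pm_output.splitlines():
        fields = line.strip().removeprefix("package:").split()
        if not line.strip().startswith("package:") or not fields:
            continue
        installers[fields[0]] = next(
            (f.split("=", 1)[1] for f in fields[1:] if f.startswith("installer=")), "null")
    return installers

def triage(accessibility_value, admin_components, pm_output, allowlist=frozenset()):
    """Return (package, severity, signals) for every non-allowlisted package."""
    a11y = packages_from_components(accessibility_value)
    admins = packages_from_components(admin_components, sep="\n")
    installers = parse_installers(pm_output)
    findings = []
    for pkg in sorted(a11y | admins):
        if pkg in allowlist:
            continue
        signals = [name for name, hit in (
            ("accessibility-service", pkg in a11y),
            ("device-admin", pkg in admins),
            ("sideloaded", installers.get(pkg, "null") not in TRUSTED_INSTALLERS)) if hit]
        severity = {3: "high", 2: "review"}.get(len(signals), "info")
        findings.append((pkg, severity, signals))
    return findings

# Constructed sample inventory (hypothetical package names).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.fakebrowser/.HelperService")
SAMPLE_ADMINS = "com.example.fakebrowser/.AdminReceiver\ncom.example.mdm/.Receiver"
SAMPLE_PM = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
             "package:com.example.fakebrowser  installer=null\n"
             "package:com.example.mdm  installer=com.android.vending")

if __name__ == "__main__":
    for finding in triage(SAMPLE_A11Y, SAMPLE_ADMINS, SAMPLE_PM):
        print(finding)
```

A "high" result is a prompt for manual review of the app, not proof of infection; legitimate accessibility tools and MDM agents belong in the allowlist.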