Multi-threat Android Malware Sturnus Steals Signal, WhatsApp Messages
A new Android banking trojan named Sturnus can capture communication from end-to-end encrypted messaging platforms like Signal, WhatsApp, and Telegram, as well as take complete control of the device.
Although still under development, the malware is fully functional and has been configured to target accounts at multiple financial organizations in Europe by using "region-specific overlay templates."
Sturnus is a more advanced threat than current Android malware families, using a mix of plaintext, RSA, and AES-encrypted communication with the command-and-control (C2) server.
A report from online fraud prevention and threat intelligence firm ThreatFabric explains that Sturnus can steal messages from secure messaging apps after the decryption stage by capturing the content from the device screen.
The malware can also steal banking account credentials using HTML overlays and includes support for full, real-time remote control via VNC session.
Based on the indicators of compromise in ThreatFabric's report, the malware is likely disguised as Google Chrome or Preemix Box applications. However, the researchers have not discovered how the malware is distributed.
After installation, the malware connects to the C2 infrastructure to register the victim via a cryptographic exchange.
It establishes an encrypted HTTPS channel for commands and data exfiltration, and an AES-encrypted WebSocket channel for real-time VNC operations and live monitoring.
By abusing the Accessibility services on the device, Sturnus can start reading on-screen text, capture the victim's inputs, observe the UI structure, detect app launches, press buttons, scroll, inject text, and navigate the phone.
To gain full control of the device, Sturnus obtains Android Device Administrator privileges, which let it keep track of password changes and unlock attempts, and lock the device remotely.
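The two privileges described above, Accessibility access and Device Administrator rights, are both visible from a USB-debugging session, so a quick triage is to list who holds them and flag anything not expected. The shell functions below are an added example, not code from the ThreatFabric report or BleepingComputer; the allowlist, the sample outputs and the `ComponentInfo{pkg/cls}` line format in `dumpsys device_policy` are assumptions, and the lookalike package name is a constructed placeholder.

```shell
#!/bin/sh
# Triage helper: flag apps holding the privileges Sturnus abuses.
# Feed it the raw output of
#   adb shell settings get secure enabled_accessibility_services   (colon-separated pkg/cls)
#   adb shell dumpsys device_policy                                (assumed "ComponentInfo{pkg/cls}" lines)

# Packages expected to hold these rights on your fleet (assumption: adjust per environment)
ALLOWLIST="com.google.android.marvin.talkback com.example.mdm"

is_allowed() {
    for a in $ALLOWLIST; do
        [ "$a" = "$1" ] && return 0
    done
    return 1
}

# flag_accessibility "<settings value>": print each enabled service whose package is not allowlisted
flag_accessibility() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r comp; do
        [ -z "$comp" ] && continue
        is_allowed "${comp%%/*}" || echo "accessibility: $comp"
    done
}

# flag_device_admins "<dumpsys device_policy output>": print admin receivers not allowlisted
flag_device_admins() {
    printf '%s\n' "$1" | sed -n 's/.*ComponentInfo{\([^}]*\)}.*/\1/p' | while read -r comp; do
        is_allowed "${comp%%/*}" || echo "device-admin: $comp"
    done
}

# Constructed sample values, shaped like the real commands' output
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.lookalike/.AccessSvc'
SAMPLE_DPM='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}:
      uid=10042
    ComponentInfo{com.example.lookalike/.AdminReceiver}:
      uid=10123'

flag_accessibility "$SAMPLE_A11Y"
flag_device_admins "$SAMPLE_DPM"
```

An app that appears in both lists and was not installed by your MDM is the combination to escalate first.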
Source: BleepingComputer