Researchers from ThreatFabric have discovered a new Android banking Trojan called Sturnus. Although it is still under development, it is already usable in practice and poses a serious threat.

Sturnus can read messages from Signal, WhatsApp* and Telegram after the apps have already decrypted them, using the system's accessibility (screen-reading) capabilities, which lets it bypass end-to-end encryption.
The Trojan uses HTML overlays to steal banking credentials and supports remote control via VNC. The malware disguises itself as Google Chrome or Preemix Box; its distribution method is still unknown. Once installed, Sturnus registers with the command-and-control server and establishes AES-encrypted HTTPS and WebSocket channels for commands, data transfer and VNC access. Once granted device-administrator rights, it can monitor password changes, lock the device and block uninstallation, making removal difficult without manually revoking those rights.
Whenever the user opens WhatsApp, Telegram or Signal, Sturnus reads the messages, typed text, contact names and chats in real time, so even end-to-end encrypted conversations are exposed.
ThreatFabric also showed that Sturnus displays a fake “Android System Update” window to hide its activity. Although the malware has seen limited use so far, its architecture and feature set match those of advanced Android banking Trojans, suggesting it could be adopted more widely.
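The combination described above, an enabled accessibility service plus device-administrator rights in the same package, is something a defender can look for directly. The following triage helper is an added example, not code from ThreatFabric or the report; the package names, the input samples and the allowlist are constructed, and on a real device the inputs would come from `adb shell settings get secure enabled_accessibility_services` and the device-admin components listed by `adb shell dumpsys device_policy`.

```shell
#!/bin/sh
# Defensive triage helper (added example, not from ThreatFabric's report).
# Inputs are normally pulled from a device over adb; here they are constructed samples:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy      (device-admin components)

# Constructed sample: two enabled accessibility services, one legitimate (TalkBack)
# and one belonging to a hypothetical package posing as a browser.
SAMPLE_A11Y='com.google.android.marvin.talkback/.TalkBackService:com.example.fakechrome/.A11yService'
# Constructed sample: package names that currently hold device-administrator rights.
SAMPLE_ADMINS='com.example.fakechrome
com.android.managedprovisioning'
# Packages the organisation knowingly allows to run an accessibility service.
ALLOWLIST='com.google.android.marvin.talkback'

# a11y_packages LIST: turn the colon-separated component list into one package per line.
a11y_packages() {
  printf '%s' "$1" | tr ':' '\n' | cut -d/ -f1 | grep . | sort -u
}

# flag_suspicious A11Y_LIST ADMIN_PKGS ALLOWLIST:
# print packages that (a) run an accessibility service and (b) hold device-admin
# rights, minus the allowlist. Holding both is the combination Sturnus relies on.
flag_suspicious() {
  a11y_packages "$1" | while IFS= read -r pkg; do
    printf '%s\n' "$2" | grep -qx "$pkg" || continue   # must also be a device admin
    printf '%s\n' "$3" | grep -qx "$pkg" && continue   # skip allowlisted packages
    printf '%s\n' "$pkg"
  done
}

# Stand-alone run: report on the constructed samples.
flag_suspicious "$SAMPLE_A11Y" "$SAMPLE_ADMINS" "$ALLOWLIST"
```

A hit is a starting point for manual review, not proof of infection; legitimate MDM agents and assistive tools can hold both roles, which is what the allowlist is for.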
* Belongs to the company Meta, considered extremist, its activities are banned in Russia.