A new Android banking trojan named Sturnus can capture communication from end-to-end encrypted messaging platforms like Signal, WhatsApp, and Telegram, as well as take complete control of the device.
Although still under development, the malware is fully functional and has been configured to target accounts at multiple financial organizations in Europe by using "region-specific overlay templates."
Sturnus is a more advanced threat than current Android malware families, using a mix of plaintext, RSA, and AES-encrypted communication with the command-and-control (C2) server.
Full Android device takeover
A report from online fraud prevention and threat intelligence firm ThreatFabric explains that Sturnus can steal messages from secure messaging apps after the decryption stage by capturing the content from the device screen, rather than by breaking the apps' encryption.
The malware can also steal banking account credentials using HTML overlays and includes support for full, real-time remote control via VNC session.
ThreatFabric told BleepingComputer that the infection starts with downloading malicious Android APK files disguised as Google Chrome or Preemix Box applications.
The researchers have not discovered how the malware is distributed, but they believe that malvertising or direct messages are likely methods.
After installation, the malware connects to the C2 infrastructure to register the victim via a cryptographic exchange.
It establishes an encrypted HTTPS channel for commands and data exfiltration, and an AES-encrypted WebSocket channel for real-time VNC operations and live monitoring.