
Sturnus malware is capable of reading encrypted messages in Whatsapp, Signal and Telegram. Photo: CyberInsider.
According to a report from ThreatFabric, Sturnus has been observed in targeted attacks, primarily targeting users in Southern and Central Europe. Researchers believe the malware is still in its early stages of development, likely deployed sporadically for testing rather than in large-scale campaigns. However, its “scalable” architecture makes it a dangerous threat to watch out for.
Mode of infection
The infection process starts when users download malicious Android APK files (applications obtained from unofficial websites, outside the Google Play store). These APK files are often disguised as legitimate applications, such as Google Chrome or Preemix Box, and users unwittingly install the third-party application that carries Sturnus.
Once installed, Sturnus establishes an encrypted HTTPS channel to transmit commands and leak data.
When a user opens a secure messaging app, the malware detects the app and triggers its UI-tree pipeline. This lets Sturnus read everything displayed on the screen in real time, including the sender name, message content, and timestamp. Because the capture happens locally, after the app has already decrypted the message, it bypasses the end-to-end protection provided by protocols like the Signal Protocol. This happens without any obvious warning to the user, and the app interface appears normal. This is also the most alarming feature.
Additionally, Sturnus obtains device administrator privileges on Android, allowing it to monitor password changes and unlock attempts, as well as remotely lock the device. The malware is also designed to prevent users from revoking its privileges or uninstalling it from the device.
Sophisticated theft of banking information
Sturnus can steal banking credentials through fake login screens, using HTML overlays that mimic legitimate banking applications. These overlays are stored locally and are tailored to specific financial institutions.
The malware also gives attackers complete, real-time remote control of the device. This lets them monitor all user activity, inject text without touching the device, and perform fraudulent actions: transferring money from a banking app, confirming dialog boxes, approving multi-factor authentication prompts, changing settings, or installing new apps.
While performing these malicious actions, Sturnus operates with a high degree of stealth. It can black out the device screen (activating a black overlay) to hide its ongoing activity from the victim.
Protection recommendations
To protect against Sturnus, Android users should take the following precautions:
Avoid downloading APK files from outside Google Play or from unknown app developers.
Always turn on Play Protect to scan and remove threats.
Avoid granting Accessibility permissions unless absolutely necessary and check installed apps for Accessibility Service permissions.
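One way to carry out the last check on a device you administer, as an added shell example that is not part of the article or ThreatFabric's report: it reads Android's enabled_accessibility_services secure setting over adb (or a constructed sample value when no device is attached) and flags every package that is not on an allowlist. The allowlist contents and the com.example.sideloaded package are assumptions.

```shell
#!/bin/sh
# Flag Accessibility Services enabled for packages outside an allowlist.
# Input format follows Android's `enabled_accessibility_services` secure
# setting: colon-separated "package/ServiceClass" entries.
# Usage: flag_accessibility_services "<setting value>" "<space-separated allowed packages>"
# Prints one non-allowlisted package per line; returns 1 if any were found.
flag_accessibility_services() {
    setting=$1
    allowlist=$2
    found=0
    # Turn ':' into newlines so each enabled service component lands on its own line.
    for entry in $(printf '%s\n' "$setting" | tr ':' '\n'); do
        pkg=${entry%%/*}          # package name is everything before the '/'
        [ -n "$pkg" ] || continue
        allowed=0
        for ok in $allowlist; do
            [ "$pkg" = "$ok" ] && allowed=1
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$pkg"
            found=1
        fi
    done
    return $found
}

# Packages whose accessibility services are expected on this device (assumed
# allowlist). TalkBack is Google's screen reader; extend for your approved apps.
ALLOWED_PACKAGES="com.google.android.marvin.talkback"

# Constructed sample value (not from the report): TalkBack plus a hypothetical
# sideloaded app that has been granted an Accessibility Service.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/com.example.sideloaded.AccService"

# Live audit of a USB-connected device, run only when adb is installed.
audit_device() {
    command -v adb >/dev/null 2>&1 || { echo "adb not found; skipping live audit" >&2; return 0; }
    live=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    [ "$live" = "null" ] && live=""    # Android prints "null" when nothing is enabled
    flag_accessibility_services "$live" "$ALLOWED_PACKAGES"
}

if [ "${1:-}" = "--live" ]; then
    audit_device
elif flag_accessibility_services "$SAMPLE_SETTING" "$ALLOWED_PACKAGES"; then
    echo "No unexpected accessibility services"
else
    echo "Review the packages listed above; revoke Accessibility for any you did not grant deliberately" >&2
fi
```

Run with `--live` against a connected device; without it, the script demonstrates the check on the constructed sample and flags com.example.sideloaded.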
Source: https://doanhnghiepvn.vn/cong-nghe/canh-bao-ma-doc-sturnus-doc-trom-tin-nhan-va-lay-du-lieu-ngan-hang-tren-android/20251128095956316