A new and sophisticated banking malware named Sturnus is posing a significant threat to mobile users, particularly across Europe. Discovered by security researchers, this Android trojan exhibits an alarming ability to intercept communications from end-to-end encrypted messaging applications like Signal and WhatsApp. It does not break the encryption itself; instead it captures message content directly from the device screen after the app has decrypted it, sidestepping the protection the encryption provides. This marks a serious advancement in mobile banking threats, as Sturnus combines credential theft with extensive remote access capabilities, allowing attackers to gain full control of a victim’s device.
The Sturnus malware operates by deploying convincing fake login screens that precisely mimic legitimate banking applications, designed to trick users into divulging their sensitive banking credentials. What elevates Sturnus beyond many other mobile malware threats is its capacity for full device takeover. Attackers can remotely monitor all user activity without needing physical interaction. This includes the ability to inject text messages, intercept communications, and even black out the device screen while fraudulent transactions occur in the background, leaving victims unaware of the compromise.
Sturnus Malware: A Deep Dive into Advanced Mobile Banking Threats
ThreatFabric, a cybersecurity analysis firm, identified Sturnus as a privately operated trojan currently in an early testing phase. Attack configurations are already in place, and a limited number of campaigns have been launched targeting financial institutions across Southern and Central Europe. Despite its limited deployment, researchers emphasize that Sturnus is fully functional and, in certain aspects, demonstrates capabilities that surpass many established malware families, particularly concerning its communication protocol and device support.
The modular nature and targeted geographic focus of Sturnus suggest that its operators are refining their tools and strategies before potentially launching broader, more widespread operations. The current threat landscape indicates a deliberate regional targeting approach, with Sturnus.A utilizing tailored overlay templates specifically designed for victims in Southern and Central European countries. The operators are clearly intent on compromising secure messaging platforms, actively testing the trojan’s efficacy in capturing sensitive communications across a variety of environments.
The relatively low number of detected samples and the intermittent nature of the campaigns, rather than sustained large-scale activity, point to the operation still being in evaluation and tuning stages. This phase allows for adjustments to be made before a more comprehensive rollout, making it crucial for users to remain vigilant.
Understanding the Sturnus Communication Protocol
The complexity and dynamic nature of the malware’s communication structure are reflected in its name, Sturnus, which is inspired by the chaotic and varied vocalizations of the common starling (Sturnus vulgaris). Sturnus exhibits a similar complexity through its layered communication, employing a mix of plaintext, RSA, and AES encryption that shifts unpredictably between simple and intricate message exchanges.
The malware establishes a connection with its command-and-control (C2) server utilizing both WebSocket (WSS) and HTTP channels. It transmits a combination of encrypted and plaintext data, with a primary reliance on WebSocket connections for these communications. The initial technical handshake begins with an HTTP POST request where the malware registers the compromised device, often using a placeholder payload.
Following this registration, the C2 server responds with a unique UUID client identifier and an RSA public key. The malware then generates a 256-bit AES key locally and encrypts it with that public key using RSA/ECB/OAEPWithSHA-1AndMGF1Padding (the Java Cipher transformation string) before transmitting it back to the server. The plaintext AES key is also stored locally on the device, Base64-encoded, for subsequent use.
Once this key exchange is complete, all subsequent communication between the malware and the C2 server is protected with AES/CBC/PKCS5Padding under the previously established 256-bit key. The trojan generates a fresh 16-byte initialization vector for each individual message and prepends it to the encrypted payload. The resulting ciphertext is then wrapped in a custom binary protocol that carries a message type header, a length field, and the client UUID.
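For an analyst who has recovered the locally stored Base64 AES key from a compromised device, the per-message layer described above (fresh 16-byte IV prepended to AES-256-CBC/PKCS5 ciphertext) is enough to decrypt captured WebSocket traffic for investigation. The following Go program is an added example written for this article, not code from the malware or from ThreatFabric; it assumes the outer binary framing (type, length, UUID) has already been stripped, uses a constructed key in place of a real recovered one, and includes an encryptor only to build a sample payload.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// EncryptMessage mirrors the scheme above (PKCS5 pad, AES-256-CBC, fresh 16-byte IV prepended); sample builder only.
func EncryptMessage(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	rand.Read(iv) // crypto/rand.Read never returns an error on current Go
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(padded, padded) // encrypt in place
	return append(iv, padded...), nil
}

// DecryptMessage is the analyst-side routine: the Base64 key recovered from the
// device plus one captured payload (IV || ciphertext) in, plaintext out.
func DecryptMessage(keyB64 string, payload []byte) ([]byte, error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil || len(key) != 32 {
		return nil, fmt.Errorf("key is not a Base64-encoded 256-bit AES key")
	}
	if len(payload) < 2*aes.BlockSize || len(payload)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("payload must be a 16-byte IV plus whole ciphertext blocks")
	}
	block, _ := aes.NewCipher(key) // key length validated above
	pt := make([]byte, len(payload)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, payload[:aes.BlockSize]).CryptBlocks(pt, payload[aes.BlockSize:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, fmt.Errorf("bad PKCS5 padding: wrong key or corrupted capture")
	}
	return pt[:len(pt)-pad], nil
}

func main() { // constructed key stands in for the one recovered from the device
	key := bytes.Repeat([]byte{0x42}, 32)
	payload, _ := EncryptMessage(key, []byte(`{"type":"ping"}`))
	fmt.Println(DecryptMessage(base64.StdEncoding.EncodeToString(key), payload))
}
```

Because the IV is random per message, identical plaintexts produce different ciphertexts, so traffic correlation has to rely on the length field and message type in the outer framing rather than on ciphertext matching.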
This sophisticated encryption scheme underscores the expertise of the Sturnus developers in implementing secure communication practices while simultaneously facilitating malicious functionality. The continuous development and adaptation of such malware highlight the ongoing cat-and-mouse game between cybercriminals and security researchers.
Given the advanced capabilities of Sturnus, including its ability to steal credentials and gain full device control, users are advised to maintain updated security software on their Android devices and to exercise extreme caution when installing new applications or clicking on suspicious links. The focus on Southern and Central Europe suggests a targeted but evolving threat, and users in these regions should be particularly vigilant. Continued monitoring by security firms will be crucial to track the malware’s development and any expansion of its campaign scope.