Full Report
Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. "A key differentiator is its ability to bypass encrypted messaging," ThreatFabric said in a report shared with The Hacker News. "By capturing content directly from the device screen after decryption, Sturnus can monitor
Analysis Summary
# Tool/Technique: Sturnus
## Overview
Sturnus is a newly identified Android banking trojan designed for credential theft and full device takeover to facilitate financial fraud. Its key differentiator is that it defeats end-to-end encrypted messaging without attacking the cryptography: it captures message content from the device screen *after* the app has decrypted it, so conversations in WhatsApp, Telegram, and Signal can be read in the clear.
## Technical Details
- Type: Malware family (Banking Trojan)
- Platform: Android
- Capabilities: Credential harvesting via overlays, screen monitoring, remote control (VNC-like), accessibility service abuse, strong self-protection against removal.
- First Seen: Context implies recent discovery (Report by ThreatFabric shared around Nov 20, 2025).
## MITRE ATT&CK Mapping
Because Sturnus is Android malware, the documented behaviors are mapped to the MITRE ATT&CK for Mobile matrix. Techniques cluster in Credential Access and Collection, Defense Evasion, Discovery, and Command and Control. The initial access vector is not detailed in the source.
- **TA0031 - Credential Access / TA0035 - Collection**
- T1417 - Input Capture
- T1417.001 - Keylogging (accessibility service logs keystrokes and UI interactions)
- T1417.002 - GUI Input Capture (fake login overlays staged over banking apps)
- T1513 - Screen Capture (reads decrypted messenger content from the screen)
- **TA0029 - Privilege Escalation**
- T1626.001 - Abuse Elevation Control Mechanism: Device Administrator Permissions
- **TA0030 - Defense Evasion**
- T1629.001 - Impair Defenses: Prevent Application Removal (device-admin lock plus auto-navigating away from revocation screens)
- T1655 - Masquerading (distributed under the labels "Google Chrome" and "Preemix Box")
- **TA0032 - Discovery**
- T1418 - Software Discovery (installed application inventory)
- T1426 - System Information Discovery (hardware and sensor profiling)
- T1422 - System Network Configuration Discovery (network conditions)
- **TA0037 - Command and Control**
- T1437.001 - Application Layer Protocol: Web Protocols (HTTP and WebSocket)
- T1521.001 / T1521.002 - Encrypted Channel: Symmetric (AES) and Asymmetric (RSA) Cryptography
- T1663 - Remote Access Software (VNC-like remote control over the WebSocket channel)
## Functionality
### Core Capabilities
- **Encrypted Chat Monitoring:** Captures content from applications like WhatsApp, Telegram, and Signal by reading the decrypted screen buffer.
- **Overlay Attacks:** Stages fake login screens on top of legitimate banking applications to harvest user credentials.
- **Accessibility Service Abuse:** Leverages Android's accessibility services to capture keystrokes, record UI interactions, and gather contents from messaging apps.
- **Protocol Mixing:** C2 traffic blends plaintext, AES-encrypted, and RSA-encrypted messages in a single communication pattern; the name is a nod to the common starling (*Sturnus vulgaris*) and its mixed calls.
### Advanced Features
- **Remote Control/VNC Capability:** Establishes a WebSocket channel to allow remote actors to interact with the device during VNC-like sessions.
- **Active Defense Mechanism:** Uses its accessibility monitoring to detect when the user opens the Settings screens that could revoke its device administrator status, then automatically navigates away from those pages to interrupt the cleanup attempt.
- **Persistent Administrator Status:** Once granted device administrator rights, the app cannot be removed through the normal Settings uninstall flow or via ADB until those rights are manually revoked.
- **Screen Mimicry:** Can display a full-screen overlay mimicking an Android OS update screen while performing malicious actions in the background.
- **Device Profiling:** Collects extensive environmental data including sensor information, network conditions, hardware details, and installed application inventory for tactical adaptation.
- **Targeted Attacks:** Designed specifically to target financial institutions across Southern and Central Europe using region-specific overlays.
## Indicators of Compromise
- File Hashes: [Not provided in the source text]
- File Names: [Not provided in the source text]
- Registry Keys: [Not applicable/not provided for Android]
- Network Indicators:
- C2 Communication via WebSocket channels.
- C2 Communication via HTTP channels.
- Behavioral Indicators:
- Requesting and abusing Android Accessibility Services.
- Displaying custom overlays over banking applications.
- Attempting to dismiss or navigate away from permission/admin revocation screens.
## Associated Threat Actors
- Privately operated (No specific named APT group mentioned in this excerpt). Currently assessed to be in the evaluation stage.
## Detection Methods
- Signature-based detection: Known distribution artifacts (app label and package name) to match against installed-package inventories; note that the labels imitate legitimate apps while the package names do not.
- Artifact 1: Google Chrome (`com.klivkfbky.izaybebnx`)
- Artifact 2: Preemix Box (`com.uvxuthoq.noscjahae`)
- Behavioral detection: Monitor for user-installed apps that hold an enabled Accessibility Service (especially combined with device administrator rights), continuous screen reading, overlay windows drawn over banking apps, and persistent WebSocket sessions consistent with remote-control activity.
- YARA rules: [Not provided in the source text]
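As an added example (not part of the ThreatFabric report or the article), the following Python script applies the signature and behavioral indicators above to the output of three `adb shell` commands, so an analyst with a suspect handset on USB can triage it offline. The sample outputs embedded in it are constructed for illustration, the accessibility allowlist is an assumption to adjust per fleet, and because the `dumpsys device_policy` layout varies across Android versions the parser keys only on the indented `package/class:` component lines.

```python
"""Offline triage of adb output for Sturnus-style Android banking trojans.

Capture on the device, then feed the files to triage():
  adb shell settings get secure enabled_accessibility_services > a11y.txt
  adb shell dumpsys device_policy > dpm.txt
  adb shell pm list packages -f > pkgs.txt
The SAMPLE_* strings below are constructed for illustration, not captured
from an infected device.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: colon-separated ComponentNames (package/class).
SAMPLE_A11Y = (
    "com.klivkfbky.izaybebnx/com.klivkfbky.izaybebnx.AccService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Constructed sample: trimmed `dumpsys device_policy`. Only the indented
# "package/class:" lines are relied on; surrounding layout differs by version.
SAMPLE_DPM = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.klivkfbky.izaybebnx/com.klivkfbky.izaybebnx.AdminReceiver:
      uid=10231
      testOnlyAdmin=false
      policies:
        limit-password
        force-lock
"""

# Constructed sample: `pm list packages -f` (path=package).
SAMPLE_PKGS = """package:/system/app/TalkBack/TalkBack.apk=com.google.android.marvin.talkback
package:/data/app/~~Xy1/com.klivkfbky.izaybebnx-abc==/base.apk=com.klivkfbky.izaybebnx
package:/data/app/~~Qw2/com.uvxuthoq.noscjahae-def==/base.apk=com.uvxuthoq.noscjahae
package:/system/priv-app/Settings/Settings.apk=com.android.settings
"""

# Package names from the published distribution artifacts.
IOC_PACKAGES = {"com.klivkfbky.izaybebnx", "com.uvxuthoq.noscjahae"}
# Assumption: accessibility services the organisation has approved.
A11Y_ALLOWLIST = {"com.google.android.marvin.talkback"}

COMPONENT_RE = re.compile(r"^\s+([A-Za-z][\w.]*)/([\w.$]+):\s*$", re.M)
PKG_RE = re.compile(r"^package:(\S+)=([\w.]+)$", re.M)


@dataclass
class Finding:
    package: str
    severity: str
    reasons: list = field(default_factory=list)


def parse_a11y(raw: str) -> set:
    """Packages with an enabled accessibility service ('null' means none)."""
    return {c.split("/", 1)[0] for c in raw.strip().split(":") if "/" in c}


def parse_admins(raw: str) -> set:
    """Packages holding an active device-admin receiver."""
    return {m.group(1) for m in COMPONENT_RE.finditer(raw)}


def parse_packages(raw: str) -> dict:
    """Map package name -> APK path; /data/app/ means user-installed."""
    return {m.group(2): m.group(1) for m in PKG_RE.finditer(raw)}


def triage(a11y_raw: str, dpm_raw: str, pkg_raw: str) -> dict:
    """Return {package: Finding} for every package that trips an indicator."""
    a11y, admins, pkgs = parse_a11y(a11y_raw), parse_admins(dpm_raw), parse_packages(pkg_raw)
    findings = {}
    for pkg, path in pkgs.items():
        reasons = []
        if pkg in IOC_PACKAGES:
            reasons.append("package name matches published Sturnus artifact")
        if pkg in a11y and pkg not in A11Y_ALLOWLIST:
            reasons.append("non-allowlisted accessibility service enabled")
        if pkg in admins:
            reasons.append("active device administrator")
        if not reasons:
            continue
        user_installed = path.startswith("/data/app/")
        if pkg in IOC_PACKAGES:
            sev = "critical"
        elif user_installed and pkg in a11y and pkg in admins:
            sev = "high"  # the removal-blocking combination Sturnus relies on
        elif user_installed and pkg in a11y:
            sev = "medium"
        else:
            sev = "low"
        findings[pkg] = Finding(pkg, sev, reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_A11Y, SAMPLE_DPM, SAMPLE_PKGS).values():
        print(f"[{f.severity.upper()}] {f.package}: " + "; ".join(f.reasons))
```

A package that is user-installed, holds an enabled accessibility service and is a device administrator is the combination that makes Sturnus hard to remove, so it is scored high even when the package name is unknown; a match on the published package names is scored critical regardless of the other signals.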
## Mitigation Strategies
- **Prevention Measures:** Restrict application installation to Google Play (or a managed enterprise store) and keep Play Protect enabled; Sturnus is distributed as sideloaded apps posing as Google Chrome and Preemix Box, so blocking installs from unknown sources removes the observed entry point.
- **Hardening Recommendations:** Regularly review which apps hold Accessibility Service access and device administrator rights, and revoke both from anything unrecognized. Treat a screen that freezes or mimics a system update as suspicious, since it can mask fraud in progress. If an app resists uninstallation or Settings keeps navigating away from its admin page, revoke its administrator rights first (from Safe Mode if necessary), then uninstall it.
## Related Tools/Techniques
- Other Android banking trojans that utilize overlay attacks and accessibility services (e.g., Crocodilus mentioned in linked context).
- Techniques involving screen capture frameworks for real-time remote interaction.