New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices
Briefly

"Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. "A key differentiator is its ability to bypass encrypted messaging," ThreatFabric said in a report shared with The Hacker News. "By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal." Another notable feature is its ability to stage overlay attacks by serving fake login screens atop banking apps to capture victims' credentials."
"Artifacts distributing the banking malware are listed below: Google Chrome ("com.klivkfbky.izaybebnx"); Preemix Box ("com.uvxuthoq.noscjahae"). The malware has been designed to specifically single out financial institutions across Southern and Central Europe with region-specific overlays. The name Sturnus is a nod to its use of a mixed communication pattern blending plaintext, AES, and RSA, with ThreatFabric likening it to the European starling (binomial name: Sturnus vulgaris), which incorporates a variety of whistles and is known to be a vocal mimic."
Sturnus is an Android banking trojan that enables credential theft and full device takeover to conduct financial fraud. It captures decrypted messaging by scraping the device screen to monitor WhatsApp, Telegram, and Signal. The trojan stages overlay attacks that present fake login screens atop banking apps to harvest credentials; once a target's credentials are captured, it disables the overlay for that target to avoid detection. Sturnus abuses Android accessibility services to capture keystrokes and record UI interactions. The malware registers with remote servers over WebSocket and HTTP, receives encrypted payloads, and can provide a VNC-capable WebSocket channel for remote interaction. Targeting focuses on financial institutions in Southern and Central Europe.
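A defender-side triage sketch for the two traits described above, a lookalike app label and an enabled accessibility service. This is an added example, not code from ThreatFabric or The Hacker News; the inventory format, the sample entries and the `com.example.*` names are constructed, and the check assumes you can export app labels plus the device's `enabled_accessibility_services` setting (for instance from an MDM).

```python
# Added example: flag apps that combine a lookalike label with an enabled
# accessibility service. All inventory data below is constructed.

# Label -> genuine package id. com.android.chrome is Chrome's real package id.
KNOWN_APPS = {"google chrome": "com.android.chrome"}

def parse_enabled_services(value):
    """Return package names from the colon-separated 'package/service' list
    stored in the secure setting enabled_accessibility_services."""
    pkgs = set()
    for entry in (value or "").split(":"):
        entry = entry.strip()
        if entry and entry != "null":
            pkgs.add(entry.split("/", 1)[0])
    return pkgs

def triage(inventory, enabled_services_value):
    """Return {package: (severity, reasons)} for apps worth a closer look."""
    a11y = parse_enabled_services(enabled_services_value)
    findings = {}
    for app in inventory:
        reasons = []
        genuine = KNOWN_APPS.get(app["label"].strip().lower())
        if genuine and app["package"] != genuine:
            reasons.append(f"label '{app['label']}' but package is not {genuine}")
        if app["package"] in a11y and not app["system"]:
            reasons.append("user-installed app with accessibility service enabled")
        if reasons:
            severity = "high" if len(reasons) == 2 else "review"
            findings[app["package"]] = (severity, reasons)
    return findings

# Constructed inventory; the first package name is the one quoted in the article.
SAMPLE_INVENTORY = [
    {"label": "Google Chrome", "package": "com.klivkfbky.izaybebnx", "system": False},
    {"label": "Google Chrome", "package": "com.android.chrome", "system": True},
    {"label": "Example Password Manager", "package": "com.example.passmgr", "system": False},
    {"label": "Example Screen Reader", "package": "com.example.oem.reader", "system": True},
]
# Constructed setting value; service class names are placeholders.
SAMPLE_A11Y = ("com.klivkfbky.izaybebnx/.Svc:"
               "com.example.passmgr/.AutofillA11y:"
               "com.example.oem.reader/.ReaderService")

if __name__ == "__main__":
    for pkg, (sev, reasons) in triage(SAMPLE_INVENTORY, SAMPLE_A11Y).items():
        print(sev, pkg, "; ".join(reasons))
```

The check keys on the mismatch between label and package id, not on the two package names quoted in the article, so it still applies if a sample ships under a different id.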
Read at The Hacker News