New Android Banking Malware Reads Encrypted Chats After Message Decryption
by Justin Erickson
ThreatFabric researchers have identified a new Android banking trojan, named Sturnus, that steals credentials and gives attackers near-complete control of infected devices. It captures content from end-to-end encrypted messengers such as WhatsApp, Telegram, and Signal without breaking their encryption: it simply reads the screen after the app has decrypted a message on the device. Sturnus abuses Android Accessibility services and Device Administrator rights to monitor on-screen activity, log keystrokes, and run a live VNC-style (Virtual Network Computing) remote session. The same privileges let it display fake login pages on top of banking apps, inject text, and black out the screen while it carries out fraudulent transactions. Targeting is currently limited and focuses on financial institutions in Southern and Central Europe through “region-specific overlay templates”. Infections begin when users install malicious APKs that pose as Google Chrome or Preemix Box applications. Sturnus appears to still be in a limited testing phase, and larger-scale campaigns are likely to follow. To protect yourself, “avoid downloading APK files from outside Google Play, keep Play Protect active, and avoid granting Accessibility permissions unless truly needed.”
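The two device-side conditions the article describes, an enabled Accessibility service and an APK that did not come from Google Play, are both visible over ADB, so a quick triage is to cross-reference them. The script below is an added example written for this page, not ThreatFabric's tooling or anything from the Sturnus analysis. It parses the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/ServiceClass` components) and `adb shell pm list packages -3 -i` (third-party packages with their installer, where `installer=null` means sideloaded or installed via adb), and flags any package that has an Accessibility service switched on but was not installed by the Play Store. The sample outputs and the package name `com.chrome.update.fake` are constructed for the example; the allow-list of known accessibility apps is an assumption you would extend for your own fleet.

```python
"""Triage helper: find non-Play packages that hold an enabled Accessibility service.

Added example for this page (not ThreatFabric's code). Input formats match
the adb commands named in the comments; the sample data below is constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PLAY_STORE_INSTALLER = "com.android.vending"

# Assumption: packages that legitimately run an Accessibility service on your
# devices (screen readers etc.). Extend this baseline for your own fleet.
ACCESSIBILITY_BASELINE = {"com.google.android.marvin.talkback"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.update.fake/.ScreenReaderService"
)

# Constructed sample of: adb shell pm list packages -3 -i
# (-3 = third-party packages only; installer=null = sideloaded or adb-installed)
SAMPLE_PACKAGE_LIST = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.chrome.update.fake  installer=null
package:com.example.bank  installer=com.android.vending
"""


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> fully qualified enabled Accessibility service classes."""
    services: Dict[str, List[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":          # 'null' is what the setting returns when empty
        return services
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if cls.startswith("."):           # ".Foo" is shorthand for "<pkg>.Foo"
            cls = pkg + cls
        services.setdefault(pkg, []).append(cls)
    return services


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when installer=null."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[pkg.strip()] = None if installer in ("", "null") else installer
    return installers


@dataclass(frozen=True)
class Finding:
    package: str
    services: Tuple[str, ...]
    installer: Optional[str]
    reason: str


def triage(services_raw: str, packages_raw: str, baseline=ACCESSIBILITY_BASELINE) -> List[Finding]:
    """Flag packages with an enabled Accessibility service that did not come from Play."""
    services = parse_enabled_services(services_raw)
    installers = parse_installers(packages_raw)
    findings: List[Finding] = []
    for pkg, classes in sorted(services.items()):
        if pkg in baseline:
            continue
        if pkg not in installers:
            reason = "not in third-party package list (system app or missing data)"
            installer = None
        else:
            installer = installers[pkg]
            if installer == PLAY_STORE_INSTALLER:
                continue
            reason = "sideloaded (installer=null)" if installer is None else f"installed by {installer}"
        findings.append(Finding(pkg, tuple(classes), installer, reason))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGE_LIST):
        print(f"{f.package}: {f.reason}; services={', '.join(f.services)}")
```

A hit is not proof of infection, only a lead: the next steps are pulling the APK with `adb pull` for hashing and static analysis, checking whether the package also holds Device Administrator rights, and revoking the Accessibility grant before the device touches a banking session again.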
