Emerging Sturnus Malware Threatens Security of Encrypted Messaging and Banking Apps


By Tina Reynolds


Cybersecurity experts are sounding the alarm about a newly discovered Android banking malware called Sturnus. Experts currently characterize the threat as being in an evaluation stage, and it is now making its way toward financial institutions across Southern and Central Europe. The name Sturnus is derived from the European starling (Sturnus vulgaris). The malware employs some sophisticated techniques, including circumventing encrypted direct messaging, putting users’ financial information and private messages at great risk.

Sturnus communicates through a series of exchanges that mix plaintext, AES symmetric-key encryption and RSA public/private-key encryption.

Play Dead

This malware stages a highly convincing scene: it displays a full-screen overlay that mimics the update screen of the Android operating system. Behind that overlay it hides all visual feedback from the user while secretly performing dangerous operations.

Targeting Financial Institutions

Sturnus is tailored specifically to financial institutions, targeting Southern and Central European users with region-specific overlays. On command, the malware can display fake overlays on top of users’ banking apps, deceiving them into entering sensitive credentials that attackers then capture.

Cybersecurity firm ThreatFabric explains the significance of the malware’s exacting focus on specific regions and high-value applications. They state, “Although the spread remains limited at this stage, the combination of targeted geography and high-value application focus implies that the attackers are refining their tooling ahead of broader or more coordinated operations.”

Evasion Techniques and Data Capture

Perhaps the most troubling aspect of Sturnus is its capacity to get around encrypted messaging services, currently including apps like WhatsApp, Telegram, and Signal. Because it captures message content on the device immediately after it has been decrypted, the encryption itself is never attacked, yet Sturnus can still surveil users’ communications without their consent or awareness.

“A key differentiator is its ability to bypass encrypted messaging,” – ThreatFabric

To harvest sensitive data, Sturnus abuses Android’s accessibility services to log user interface interactions and keystrokes. The same accessibility monitoring also protects the malware’s own device-administrator status: whenever the user opens a settings screen that could revoke it, Sturnus detects the attempt, identifies the relevant controls, and automatically navigates away from the page to interrupt the user.

“Whenever the user navigates to settings screens that could disable its administrator status, the malware detects the attempt through accessibility monitoring, identifies relevant controls, and automatically navigates away from the page to interrupt the user,” – ThreatFabric
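Because Sturnus depends on an accessibility-service grant for both its keylogging and its self-defence, a quick triage step on a suspect device is to list every enabled accessibility service and flag anything not vetted. The following is an added example (not code from the article or from ThreatFabric); it parses the value Android stores in the secure setting `enabled_accessibility_services` (on a real device: `adb shell settings get secure enabled_accessibility_services`), and the allowlist and sample input are assumptions constructed for the demonstration.

```python
"""Triage of enabled Android accessibility services (added example).

Setting format: colon-separated `package/ServiceClass` entries, where the
class may be abbreviated as `.ServiceClass` relative to the package.
"""
from __future__ import annotations

from typing import NamedTuple

# Example allowlist (assumption): packages an organisation has vetted.
# TalkBack is Google's screen reader and a legitimate accessibility user.
KNOWN_GOOD_PACKAGES = frozenset({
    "com.google.android.marvin.talkback",
})


class AccessibilityGrant(NamedTuple):
    package: str
    service: str
    suspicious: bool


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the setting into (package, fully qualified service class) pairs."""
    pairs = []
    for entry in setting_value.strip().split(":"):
        if not entry or "/" not in entry:
            continue  # empty trailing entry or malformed token
        package, service = entry.split("/", 1)
        if service.startswith("."):
            service = package + service  # expand abbreviated class name
        pairs.append((package, service))
    return pairs


def triage(setting_value: str, allowlist=KNOWN_GOOD_PACKAGES) -> list[AccessibilityGrant]:
    """Flag every enabled accessibility service whose package is not vetted."""
    return [AccessibilityGrant(pkg, svc, pkg not in allowlist)
            for pkg, svc in parse_enabled_services(setting_value)]


# Constructed sample: TalkBack plus the package name the article associates
# with a "Google Chrome" installation; the service class name is invented.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.klivkfbky.izaybebnx/.a11y.Svc"
)

if __name__ == "__main__":
    for g in triage(SAMPLE_SETTING):
        print(("SUSPICIOUS " if g.suspicious else "ok         ")
              + f"{g.package} ({g.service})")
```

A flagged entry is a lead, not a verdict: confirm it by checking the package's installer source and signing identity before removing it.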

Remote Control Capabilities

Apart from its data-stealing functions, Sturnus includes a separate remote-control mechanism that uses the system’s display-capture framework to mirror the device screen in real time, giving attackers a live view of everything the user does. Sturnus has also been observed in specific installations identified as Google Chrome (com.klivkfbky.izaybebnx) and Preemix Box (com.uvxuthoq.noscjahae); note that the first package name does not match the genuine Chrome package (com.android.chrome), a mismatch worth checking for when reviewing installed apps.

Experts urge users to be more aware of Sturnus and threats like it. The malware’s many evasion tactics make it hard for everyday users to spot on their devices. With cybercriminals constantly refining their tooling, users are advised to stay alert and proactive about good online security.