Sturnus, a newly identified Android banking trojan, can bypass protections of encrypted messaging apps by capturing decrypted messages. This impacts apps such as Signal, Telegram, and WhatsApp.
Malware Techniques and Risks
According to ThreatFabric, Sturnus targets the Android Accessibility Service to capture on-screen data, effectively sidestepping end-to-end encryption. Instead of network interception, Sturnus logs device activity, allowing full control over the device, harvesting banking details, and capturing real-time message data.
- Sturnus uses a mix of plaintext, RSA, and AES encryption.
- Communications are sent to a Matrix Push server.
- Traditional detections are evaded by blending with normal network traffic.
Preventative Measures
The Cybersecurity and Infrastructure Security Agency (CISA) warns of spyware threats against encrypted messaging apps. Common delivery methods include phishing and zero-click exploits. CISA advises users to enable Google Play Protect, avoid unofficial app stores, and restrict Accessibility permissions.
- Verify group invitations through separate channels.
- Be cautious of unexpected authentication prompts.
- Limit the number of linked devices.
