Cybersecurity researchers at Cleafy have identified a new Android banking trojan named Sturnus. This malware is actively targeting users in Mexico, aiming to steal banking credentials and exfiltrate data from popular encrypted messaging applications.
The Sturnus trojan is distributed through phishing websites designed to look like the official download pages of the applications it impersonates. Upon installation, the malware prompts the user to grant it extensive permissions by enabling Android’s accessibility services.
Sturnus Trojan’s Operational Methods
Once accessibility services are enabled, Sturnus gains the ability to perform a wide range of malicious actions. It uses keylogging to record everything the user types on the device. The trojan also deploys overlay attacks, placing fake login screens on top of legitimate banking applications to capture user credentials. The specific financial targets include BBVA Mexico, Scotiabank Mexico, and Santander Mexico.
By abusing the accessibility services, the malware can also read notifications from messaging apps, allowing it to steal the content of incoming messages. It also harvests the device’s contact list and intercepts SMS messages, a technique used to access two-factor authentication codes.
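As an added defender-side illustration (not code from Cleafy's report or the article), the following triage helper parses the output of `adb shell settings get secure enabled_accessibility_services` and `enabled_notification_listeners` and flags any package holding those grants that is not on an allowlist; the allowlist packages and the sample device output are constructed for the example.

```python
"""Triage helper: flag unexpected accessibility-service and notification-listener
grants on an Android device, the capabilities Sturnus abuses for keylogging,
overlays and message theft.

Input is the raw text returned by:
  adb shell settings get secure enabled_accessibility_services
  adb shell settings get secure enabled_notification_listeners
Both values are colon-separated lists of "package/ServiceClass" entries
(or the literal "null" when nothing is enabled).
"""
from typing import Dict, List, Set

# Assumed allowlist (example only): packages that legitimately need each grant.
ACCESSIBILITY_ALLOWLIST: Set[str] = {"com.google.android.marvin.talkback"}  # TalkBack
NOTIFICATION_ALLOWLIST: Set[str] = {"com.example.smartwatch.companion"}     # placeholder


def parse_service_list(raw: str) -> List[str]:
    """Return the package names from a colon-separated 'pkg/Class' setting value."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if entry:
            packages.append(entry.split("/", 1)[0])  # keep only the package part
    return packages


def flag_unexpected(raw: str, allowlist: Set[str]) -> List[str]:
    """Packages holding the grant that are not on the allowlist, sorted."""
    return sorted({pkg for pkg in parse_service_list(raw) if pkg not in allowlist})


def triage(accessibility_raw: str, listeners_raw: str) -> Dict[str, List[str]]:
    """Summarise unexpected grants; a package holding both is the strongest signal."""
    acc = flag_unexpected(accessibility_raw, ACCESSIBILITY_ALLOWLIST)
    nl = flag_unexpected(listeners_raw, NOTIFICATION_ALLOWLIST)
    return {"accessibility": acc, "notification_listener": nl,
            "both": sorted(set(acc) & set(nl))}


# Constructed sample output from a hypothetical infected device.
SAMPLE_ACCESSIBILITY = ("com.google.android.marvin.talkback/"
                        "com.google.android.marvin.talkback.TalkBackService:"
                        "com.example.fakeapp/com.example.fakeapp.AccService")
SAMPLE_LISTENERS = "com.example.fakeapp/com.example.fakeapp.NlService"

if __name__ == "__main__":
    for grant, pkgs in triage(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS).items():
        print(f"{grant}: {', '.join(pkgs) or 'none'}")
```

Any package flagged under "accessibility" that is not a known assistive tool deserves a manual look at its install source, since the trojan arrives via phishing pages rather than an app store.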
Data Exfiltration Beyond Banking Apps
The capabilities of Sturnus extend beyond financial applications. The malware is designed to exfiltrate data from the messaging apps WhatsApp, Telegram, and Signal. It also targets email clients, specifically stealing information from Gmail and Outlook applications installed on the infected device.
Analysis of the trojan’s command-and-control (C&C) infrastructure revealed similarities to the Tinba banking trojan family, indicating a connection between the operators or developers of the two malware strains.
Source: https://www.securityweek.com/new-sturnus-banking-trojan-targets-whatsapp-telegram-signal-messages/