Concise Cyber

Sturnus: New Android Banking Trojan Targets WhatsApp, Telegram, and Signal Users

Cybersecurity researchers at Group-IB have identified a new Android banking trojan named “Sturnus.” This malware is designed to perform on-device fraud (ODF) by stealing credentials and financial information directly from infected smartphones.

Sturnus Trojan Capabilities and Attack Method

Sturnus is distributed through phishing websites that impersonate legitimate Android applications. Once installed, the trojan requests access to the device’s Accessibility Services, a powerful Android feature it abuses to carry out its malicious functions. By leveraging these permissions, Sturnus can capture keystrokes, intercept SMS messages containing two-factor authentication (2FA) codes, and exfiltrate the user’s contact list.

The malware’s capabilities also include taking screenshots of sensitive applications and stealing messages from secure communication apps like WhatsApp, Telegram, and Signal. For its command-and-control (C2) operations, Sturnus communicates with its operators using the Telegram service.

Targeting and Distribution

The primary targets of the Sturnus campaign are Android users located in Spain. The trojan contains a list of 170 specific applications that it targets for data theft. This list includes a wide range of services, such as banking applications, cryptocurrency wallets, social media platforms, and online shopping apps.

Group-IB’s analysis links the Sturnus trojan to a threat actor who has been active since at least 2018. This same actor, known by the Telegram alias “golis,” has previously been associated with the distribution of other Android banking trojans, including Alien, Vultur, and Brokewell.

Source: https://securityaffairs.com/184878/cyber-crime/sturnus-new-android-banking-trojan-targets-whatsapp-telegram-and-signal.html