Hadlee Simons / Android Authority
TL;DR
- A malware, called “Sturus,” has emerged, and it exploits Android’s accessibility features to spread on your phone even without you noticing.
- It gains access to your Android after being installed via an APK file, and then monitors your phone’s interface, chats, and even button presses.
- It then recreates fake banking app UIs to steal your banking data, and places restrictions that prevent it from being uninstalled.
If you think it’s admissible to download APKs from seemingly harmless nooks on the internet, there’s a new pressing reason for you to reconsider that thought. That’s because a new breed of malware has emerged that can snoop on your protected chats and target any banking services you use on your Android devices — and it originates from malicious APKs.
Researchers at MTI Security have identified a new Android trojanware called Sturnus that can bypass security measures, such as chat encryption, and surveil messages from popular messaging apps, including WhatsApp, Telegram, and Signal. It doesn’t do so by breaking into the chat encryption, but rather by seizing high-level access to the contents of the screen, thereby gaining visibility of your chats.
It can also recreate banking screens, using HTML overlays, with high accuracy to phish your login credentials and launch device-level attacks, allowing cybercriminals to take control of your device remotely. It can also create fake Android update overlays to hide malicious activity.
Don’t want to miss the best from Android Authority?
According to an analysis by the online fraud prevention agency ThreatFabric, Sturnus has already been deployed in multiple locations across South and Central Europe, despite not being fully developed. ThreatFabric notes,
While we emphasize that the malware is likely in its pre-deployment state, it is also currently fully functional, and in aspects such as its communication protocol and device support, it is more advanced than current and more established malware families.
Sturnus, as per the report, uses a “chaotic mix” of plaintext, RSA, and AES (encrypted) communications, and switches haphazardly between different forms. This behavior is similar to that of Sturnus vulgaris, a species of starling whose mating call is laced with haphazard, chaotic notes identical to the malware’s footprint.
While the researchers have yet to identify how the malware is transmitted, they suspect it is through rogue attachments sent over messaging apps. It further propagates on Android devices by disguising itself as (fake) versions of Google Chrome or other preinstalled apps. It then abuses Accessibility settings, such as “Display over other apps,” to view on-screen text, capture screen recordings, detect and recreate UIs from banking apps, and log screen taps and button presses. It can eventually inject text and navigate the phone’s interface.
It further gains Admin rights on the phone, allowing it to track unlock attempts and view passwords. It can also abuse these privileges to lock the device and prevent itself from being uninstalled, even using ADB.
Interestingly, while it is designed to infiltrate encrypted conversations, Sturnus transmits data stolen from users’ devices by generating a 256-bit AES key on the device and sending it to the hackers’ servers. All subsequent communications and data transfer back to base are encrypted.
Despite being in its “pre-development” stages, Sturnus is comprehensive and far-reaching enough to be used as an advanced form of attack. Unfortunately, given the nature of the attack, there is no way to prevent it other than for users to be conscious about downloading APK files from sources other than the Google Play Store. Since that isn’t guaranteed, I, for once, feel that Google might be right in trying to limit sideloading on Android.
Thank you for being part of our community. Read our Comment Policy before posting.
