A new banking malware called Sturnus has emerged as a significant threat to mobile users across Europe.
Security researchers have discovered that this sophisticated Android trojan can capture encrypted messages from popular messaging apps like WhatsApp, Telegram, and Signal by accessing content directly from the device screen after decryption.
The malware’s ability to monitor these communications marks a serious advancement in mobile banking threats, combining credential theft with extensive remote access capabilities.
The malware operates by harvesting banking credentials through convincing fake login screens that perfectly replicate legitimate banking applications.
What makes Sturnus particularly dangerous is its capacity to provide attackers with full device takeover, allowing them to observe all user activity without physical interaction.
Attackers can inject text messages, intercept communications, and even black out the device screen while conducting fraudulent transactions in the background, leaving victims completely unaware of the theft occurring on their compromised devices.
ThreatFabric security analysts identified Sturnus as a privately operated trojan currently in its early testing phase, with targeted campaigns already configured against financial institutions across Southern and Central Europe.
Although the malware remains in limited deployment, researchers emphasize that Sturnus is fully functional and more advanced than several established malware families in certain aspects, particularly regarding its communication protocol and device support capabilities.
This combination of sophisticated features and targeted geographic focus suggests attackers are refining their tools before launching broader operations.
The current threat landscape indicates that Sturnus.A operates with region-specific targeting, using tailored overlay templates designed for Southern and Central European victims.
The malware’s operators demonstrate clear focus on compromising secure messaging platforms, testing the trojan’s ability to capture sensitive communications across different environments.
The relatively few samples detected so far, combined with short intermittent campaigns rather than sustained large-scale activity, indicate the operation remains in evaluation and tuning phases.
Understanding the Communication Protocol
The malware’s complex communication structure inspired its name, drawing parallels to the Sturnus vulgaris bird, whose rapid and irregular chatter jumps between whistles, clicks, and imitations.
Sturnus mirrors this chaotic pattern through its layered mix of plaintext, RSA, and AES communications that switch unpredictably between simple and complex messages.
The malware establishes a connection with its command-and-control server using both WebSocket (WSS) and HTTP channels, transmitting a combination of encrypted and plaintext data primarily over WebSocket connections.
The technical handshake begins with an HTTP POST request where the malware registers the device using a placeholder payload. The server responds with a UUID client identifier and an RSA public key.
The malware then generates a 256-bit AES key locally, encrypts it using RSA/ECB/OAEPWithSHA-1AndMGF1Padding, and transmits the encrypted key back while storing the plaintext AES key on the device in Base64 format.
Once the key exchange completes, all subsequent communication is protected with AES/CBC/PKCS5Padding under the 256-bit key.
The trojan generates a fresh 16-byte initialization vector for each message, prepends it to the encrypted payload, and wraps the result in a custom binary framing that carries a message type header, the message length, and the client UUID.
This sophisticated encryption scheme demonstrates the developers’ expertise in secure communications while maintaining malicious functionality.
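To make the described exchange concrete, the following Go program models it end to end: the RSA-OAEP (SHA-1/MGF1) wrapping of a client-generated 256-bit AES key, per-message AES-256-CBC encryption with a fresh prepended IV and PKCS#5 padding, and the framing of the result, then the analyst's path of decoding a captured frame with the AES key recovered from the device (which the article notes is stored there in plaintext Base64). This is an added illustration written for this page, not code from ThreatFabric or from the malware. The exact byte layout of the framing (a 1-byte type, a 4-byte big-endian length, a 16-byte UUID, in that order) is an assumption; the article only names the fields. The sample key, UUID and message are constructed values, not real traffic.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
)

// ASSUMED frame layout; the article names the fields but not their order or widths:
// [1 byte type][4 byte big-endian body length][16 byte client UUID][body = IV || AES-CBC ciphertext]
const uuidLen, ivLen, hdrLen = 16, 16, 1 + 4 + 16

// Client side of the key exchange: the locally generated 256-bit AES key is encrypted to the
// server's RSA public key with OAEP/SHA-1/MGF1 (Java's "RSA/ECB/OAEPWithSHA-1AndMGF1Padding").
func wrapSessionKey(serverPub *rsa.PublicKey, aesKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha1.New(), rand.Reader, serverPub, aesKey, nil)
}

// Server side, or an analyst who holds the server's private key.
func unwrapSessionKey(serverPriv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha1.New(), nil, serverPriv, wrapped, nil)
}

// newServerKey stands in for the C2 server's keypair in this constructed example.
func newServerKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// encryptBody: fresh random 16-byte IV per message, AES-256-CBC with PKCS#5/#7 padding,
// IV prepended to the ciphertext.
func encryptBody(aesKey, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, ivLen+len(padded))
	if _, err := rand.Read(out[:ivLen]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, out[:ivLen]).CryptBlocks(out[ivLen:], padded)
	return out, nil
}

// decryptBody reverses encryptBody; it rejects short, misaligned or badly padded bodies.
func decryptBody(aesKey, body []byte) ([]byte, error) {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return nil, err
	}
	if len(body) < ivLen+aes.BlockSize || (len(body)-ivLen)%aes.BlockSize != 0 {
		return nil, errors.New("body too short or not block aligned")
	}
	pt := make([]byte, len(body)-ivLen)
	cipher.NewCBCDecrypter(block, body[:ivLen]).CryptBlocks(pt, body[ivLen:])
	pad := int(pt[len(pt)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(pt[len(pt)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("invalid PKCS#5 padding")
	}
	return pt[:len(pt)-pad], nil
}

// frame wraps an encrypted body in the assumed [type][length][UUID] header.
func frame(msgType byte, uuid, body []byte) []byte {
	f := make([]byte, hdrLen, hdrLen+len(body))
	f[0] = msgType
	binary.BigEndian.PutUint32(f[1:5], uint32(len(body)))
	copy(f[5:], uuid)
	return append(f, body...)
}

// DecodeCapturedFrame is the analyst path: the AES key recovered from the device (stored
// there Base64-encoded, per the article) plus one captured frame give type, UUID and plaintext.
func DecodeCapturedFrame(keyB64 string, f []byte) (msgType byte, uuid, plaintext []byte, err error) {
	key, err := base64.StdEncoding.DecodeString(keyB64)
	if err != nil || len(key) != 32 {
		return 0, nil, nil, errors.New("recovered key is not a Base64 256-bit AES key")
	}
	if len(f) < hdrLen || binary.BigEndian.Uint32(f[1:5]) != uint32(len(f)-hdrLen) {
		return 0, nil, nil, errors.New("frame header missing or length field mismatch")
	}
	plaintext, err = decryptBody(key, f[hdrLen:])
	return f[0], f[5:hdrLen], plaintext, err
}

func main() {
	// Constructed sample, not real Sturnus traffic: fixed AES key and UUID for readability.
	aesKey, uuid := bytes.Repeat([]byte{0x42}, 32), bytes.Repeat([]byte{0xAB}, uuidLen)
	body, _ := encryptBody(aesKey, []byte(`{"cmd":"example"}`))
	_, _, pt, err := DecodeCapturedFrame(base64.StdEncoding.EncodeToString(aesKey), frame(1, uuid, body))
	fmt.Printf("plaintext %q err %v\n", pt, err)
}
```

The point for a responder is the last function: because the session key sits on the device in plaintext Base64 rather than in hardware-backed storage, a captured WebSocket stream from a compromised handset can be decoded offline once the key is pulled from the app's local data, and the length and padding checks are what keep a truncated or mismatched capture from being mistaken for a valid message.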