Researchers disclose Sturnus Android banking trojan that can capture messages and take over devices

Cybersecurity researchers have described a new Android banking trojan called Sturnus that can harvest credentials and enable full device takeover to support financial fraud. Dutch mobile security firm ThreatFabric said in a report that the malware combines multiple communication methods and remote-control features aimed at financial targets.

Sturnus is reported to read message content from apps such as WhatsApp, Telegram and Signal by taking screen captures after the app has decrypted the messages, and to present fake login screens over banking apps to harvest credentials. The firm also identified application package names used to distribute the malware, including variants posing as Google Chrome (“com.klivkfbky.izaybebnx”) and Preemix Box (“com.uvxuthoq.noscjahae”).

The name Sturnus is a reference to the European starling, the researchers wrote, noting the malware’s mixed use of plaintext, AES and RSA communications and likening that pattern to how the species incorporates a variety of sounds.

Technically, Sturnus registers infected devices with a command server over WebSocket and HTTP channels and receives encrypted payloads. It establishes a WebSocket channel to permit operators to interact with compromised devices during Virtual Network Computing (VNC) sessions, and it can abuse Android accessibility services to capture keystrokes and user interface interactions. The malware disables overlays for a target after harvesting credentials to reduce the likelihood of user suspicion.

Other described capabilities include full-screen overlays that mimic system update screens, monitoring of device sensors and network conditions, reconstruction of visible interface elements to enable remote actions such as clicks, text input and permission confirmations, and an alternate remote-control method using the system display-capture framework. The researchers said the malware prevents ordinary uninstallation and blocks removal via ADB until its administrator rights are revoked manually.
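As an added, defender-side illustration (this script is not from the ThreatFabric report and is not part of the malware analysis), the following POSIX shell helpers check data pulled from a device with the standard Android `adb` tool for the two package names quoted above and for enabled accessibility services, which the report says Sturnus abuses. The function names and the sample inputs are constructed for this example; the `adb shell` commands in the usage comments are ordinary Android tooling, and nothing here is executed against a device.

```shell
#!/bin/sh
# Added triage helper (not from the ThreatFabric report): inspects data gathered
# over adb for the Sturnus package names quoted in the article and for enabled
# accessibility services, which the report says the malware abuses.
# Function names are this example's own.

# Package names quoted in the report.
STURNUS_PACKAGES="com.klivkfbky.izaybebnx com.uvxuthoq.noscjahae"

# Returns 0 if $1 is one of the indicator package names, 1 otherwise.
# A case pattern is used so the check works regardless of the caller's IFS.
is_sturnus_package() {
    case " $STURNUS_PACKAGES " in
        *" $1 "*) return 0 ;;
    esac
    return 1
}

# Reads `pm list packages` output ("package:<name>" per line) on stdin.
# Prints each indicator package found; returns 1 if any was found, else 0.
sturnus_package_check() {
    found=0
    while IFS= read -r line; do
        pkg=${line#package:}
        if is_sturnus_package "$pkg"; then
            printf 'INDICATOR: %s\n' "$pkg"
            found=1
        fi
    done
    return $found
}

# Reads the value of Settings.Secure enabled_accessibility_services on stdin
# (colon-separated "package/service" entries; "null" when nothing is enabled).
# Prints one entry per line, prefixed INDICATOR: when its package matches the
# list above and other: when it does not. Returns 1 if any INDICATOR was printed,
# so a reviewer can still eyeball the "other:" entries for unknown services.
accessibility_service_check() {
    IFS= read -r value
    [ "$value" = "null" ] && value=
    found=0
    old_ifs=$IFS
    IFS=':'
    for entry in $value; do
        pkg=${entry%%/*}
        if is_sturnus_package "$pkg"; then
            printf 'INDICATOR: %s\n' "$entry"
            found=1
        else
            printf 'other: %s\n' "$entry"
        fi
    done
    IFS=$old_ifs
    return $found
}

# Usage against a connected device (requires adb; not executed in this file):
#   adb shell pm list packages | sturnus_package_check
#   adb shell settings get secure enabled_accessibility_services | accessibility_service_check
#   adb shell dumpsys device_policy
# The last command lists active device admins. Per the report, the malware
# blocks removal over ADB until its administrator rights are revoked by hand in
# the device's settings; only then is `adb shell pm uninstall <pkg>` expected to work.
```

The accessibility check deliberately prints non-matching entries as well: a banking-trojan campaign can rotate package names, so an analyst should review every enabled service, not only the two identifiers published so far.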

ThreatFabric characterised the campaign as currently limited and focused on financial institutions in Southern and Central Europe, saying the activity appears to be in an evaluation stage as the operators refine tooling ahead of broader operations.