A new Android malware has emerged, targeting mobile users in Southern and Central Europe. The malware, named "Sturnus" after the starling (Sturnus vulgaris) and its rapid, irregular chatter, uses a mix of encryption methods to hide its traffic to its command-and-control (C2) server while quietly exfiltrating sensitive information from compromised devices.
Sturnus typically infects devices when a user is tricked into sideloading a fake version of a genuine application, such as Google Chrome, from a source outside the Google Play Store. These apps look and behave like the real thing, but once installed they covertly communicate with a remote server controlled by the attackers. That connection is protected by strong encryption, making it difficult for defenders to intercept or inspect the data being sent.
What makes this malware particularly dangerous is that it defeats the protection of even the most trusted messaging apps, such as WhatsApp, Telegram, and Signal. Sturnus does not break their end-to-end encryption; instead it reads messages directly from the screen after the app has already decrypted them, so attackers can see private conversations, contact names, and message contents in real time.
So far, Sturnus has only been found in a small number of cases, mostly in Southern and Central Europe, leading security experts to believe the criminals are still testing the malware before launching larger attacks.
Why does this matter?
What sets Sturnus apart from other malware is its ability to take almost complete control of an infected device through its use of “Accessibility services” permissions; these features, intended to help people with disabilities use their phone, allow attackers to read everything on your screen, see what you type (including passwords and PINs), detect when you open banking or messaging apps, and even type on your behalf, all without the victim’s knowledge. To hide their actions, Sturnus can display a black screen or a fake “System Update” message, masking any malicious activity happening in the background.
Sturnus uses region-specific overlay templates to tailor its attacks, displaying fake login screens that closely mimic legitimate banking apps. These overlays are drawn on top of the real app and trick users into entering their banking credentials, which are then harvested by the attackers.
Once installed, Sturnus can establish encrypted channels for both data theft and real-time remote control, allowing attackers to monitor and manipulate the device as if they were holding it themselves. The malware also registers itself as a Device Administrator and actively prevents users from removing its privileges or uninstalling it, making cleanup extremely difficult; until its administrator rights are manually revoked in the device settings, both ordinary uninstallation and removal through tools like ADB (Android Debug Bridge) are blocked.
What should I do?
Given the sophistication and potential impact of Sturnus, it’s crucial to take steps to protect devices.
- Only install official apps from the Google Play Store: Avoid installing apps from links in emails, texts, or websites, as these are common ways for malware to spread; consider enforcing this restriction on managed devices via an MDM policy that blocks installation from unknown sources.
- Keep "Play Protect" turned on in your phone's settings: Google's built-in security feature scans apps before and after installation, including apps sideloaded from outside the Play Store, warns about applications that may access personal information, and can disable or remove apps it recognises as harmful.
- Regularly review your app permissions: Only grant accessibility access to apps you trust and that genuinely need it (for example, a screen reader); if an app asks for accessibility access without a clear reason, deny it and review the app's legitimacy. Do the same for Device Administrator rights, and remove any app holding excessive privileges that looks suspicious.
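The two footholds described above, an enabled accessibility service and an active Device Administrator, are both visible over ADB, so the permission review in the last step can be scripted for a fleet of devices. The script below is an added example for this article, not code from the original page or from any vendor: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` and flags every package that holds one of those rights without being on an allowlist. The package names in the allowlist, the fictional `com.update.system` package, and the sample command output are constructed for the example; the exact `dumpsys device_policy` layout varies between Android versions, so adjust the `sed` pattern to what your devices print.

```shell
#!/bin/sh
# Added example (not from the original article): triage an Android device over ADB
# for an enabled accessibility service or an active device admin that is not on
# an allowlist. Package names and sample output below are constructed/assumed.

# Packages you expect to legitimately hold accessibility or device-admin rights
# (assumed: a screen reader and a corporate MDM agent).
ALLOWED="com.android.talkback com.google.android.marvin.talkback com.example.corp.mdm"

# Return 0 if package $1 is allowlisted, 1 otherwise.
is_allowed() {
  for a in $ALLOWED; do
    [ "$a" = "$1" ] && return 0
  done
  return 1
}

# $1 = value of the `enabled_accessibility_services` secure setting, whose
# format is "pkg/ServiceClass:pkg2/ServiceClass2". Prints one non-allowlisted
# package per line (sorted, de-duplicated); prints nothing when all are allowed.
flag_accessibility() {
  echo "$1" | tr ':' '\n' | cut -d/ -f1 | sort -u | while read -r pkg; do
    [ -n "$pkg" ] || continue
    is_allowed "$pkg" || echo "$pkg"
  done
}

# $1 = output of `dumpsys device_policy`. Admin receivers appear on lines of the
# form "    com.example.app/.AdminReceiver:" (assumed layout, see lead-in).
# Prints non-allowlisted admin packages, one per line.
flag_device_admins() {
  echo "$1" | sed -n 's#^[[:space:]]*\([a-zA-Z0-9_.]*\)/[^:]*:$#\1#p' | sort -u | while read -r pkg; do
    is_allowed "$pkg" || echo "$pkg"
  done
}

# Query a connected device and print findings. Both commands are real ADB/Android
# commands; they are only run when RUN_LIVE=1 so the file is safe to source.
triage_live() {
  acc=$(adb shell settings get secure enabled_accessibility_services)
  dp=$(adb shell dumpsys device_policy)
  echo "Non-allowlisted accessibility services:"
  flag_accessibility "$acc"
  echo "Non-allowlisted device admins (must be revoked before uninstall works):"
  flag_device_admins "$dp"
}

# Constructed sample output used to demonstrate the parsers offline.
SAMPLE_ACCESSIBILITY="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.update.system/com.update.system.AccService"
SAMPLE_DEVICE_POLICY="Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.corp.mdm/.AdminReceiver:
      uid=10101
      testOnlyAdmin=false
    com.update.system/.AdminReceiver:
      uid=10234
      testOnlyAdmin=false"

if [ "${RUN_LIVE:-0}" = "1" ]; then
  triage_live
else
  echo "Sample accessibility findings:"; flag_accessibility "$SAMPLE_ACCESSIBILITY"
  echo "Sample device-admin findings:";  flag_device_admins "$SAMPLE_DEVICE_POLICY"
fi
```

Run it with `RUN_LIVE=1 sh triage.sh` against a device in developer mode; a package that shows up under both headings is exactly the combination the article describes (accessibility for screen reading and input, admin rights to resist removal). Because an active admin blocks `adb uninstall`, the admin finding is the one to resolve first, by revoking the right in the device's Device admin apps settings, before attempting removal.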