
Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption

Severity: Medium
Published: Thu Nov 20 2025 (11/20/2025, 19:42:43 UTC)
Source: AlienVault OTX General

Description

Sturnus is a newly identified Android banking trojan targeting customers of financial institutions in Southern and Central Europe. It combines full device takeover, banking credential harvesting, keylogging, and remote control via VNC. Notably, it can read conversations in WhatsApp, Telegram, and Signal. This does not break the apps' end-to-end encryption: the trojan captures message content on the infected device after the app has decrypted it, using the same on-device access (typically abuse of Android Accessibility Services) that underpins its keylogging. The malware talks to its command-and-control servers over both WebSocket and HTTP. It draws HTML overlays on top of legitimate banking apps to phish credentials and monitors its environment extensively to evade analysis and detection. The source reports no known exploitation in the wild yet and describes the malware as still in development, but its capability set makes it a serious concern for European banks and their customers. Defenders should prioritize detection and containment measures now, while the indicators below are current.

AI-Powered Analysis

AI analysis last updated: 11/20/2025, 22:13:47 UTC

Technical Analysis

Sturnus is an Android banking trojan, currently in development, identified by ThreatFabric and shared via AlienVault OTX, targeting customers of financial institutions primarily in Southern and Central Europe. It offers full device takeover, credential harvesting, keylogging, and remote control via Virtual Network Computing (VNC). Its most discussed feature is the ability to monitor conversations in WhatsApp, Telegram, and Signal. This is not a cryptographic bypass: the apps' end-to-end encryption is intact, but once the device is compromised the trojan reads the decrypted message content on screen, the same on-device access it uses for keylogging and overlay attacks on Android. The practical consequence is that any secret shown on or typed into the phone, including one-time codes and transaction confirmations, must be treated as exposed. The malware communicates with its command-and-control (C2) infrastructure over both WebSocket and HTTP channels; using two channels gives it resilience if one is blocked and complicates detection based on a single protocol, although the C2 domains listed below remain usable for DNS and proxy monitoring. Sturnus uses HTML overlays drawn over legitimate banking apps to trick users into entering credentials and card data, and logs keystrokes to capture other input. Its environment monitoring lets it detect emulators, analysis tooling, and sandboxes, improving its chances of evading automated analysis. The published indicators consist of four file hashes and two C2 domains. No exploitation in the wild has been reported yet, but the sophistication and targeting suggest a developing threat with significant impact once fully operational.

Potential Impact

For European organizations, especially financial institutions in Southern and Central Europe and their customers, Sturnus represents a high-risk threat to both financial integrity and privacy. Full compromise of an Android device exposes banking credentials and allows fraudulent transactions, and because the attacker also controls the device, any second factor delivered to or approved on that phone (SMS codes, authenticator apps, push approvals) can be captured or approved by the attacker. Reading messages from WhatsApp, Telegram, and Signal on the compromised device undermines the confidentiality those apps are trusted to provide, potentially exposing sensitive business discussions and personal data. Remote control via VNC lets attackers operate the device directly, increasing the risk of data theft, espionage, and account takeover. The dual WebSocket and HTTP C2 channels and the environment checks complicate detection and can allow prolonged undetected presence on victim devices. Given the prevalence of Android devices among employees and customers, the population of potentially affected systems is large. A successful campaign could erode trust in digital banking services and impose significant financial and reputational damage on affected institutions.

Mitigation Recommendations

European financial institutions and organizations should implement targeted mitigations beyond generic advice:
1) Deploy mobile threat defense (MTD) on managed Android devices, tuned to detect banking-trojan behaviour: overlay windows drawn over banking apps, newly granted Accessibility or device-admin permissions, and unexpected screen capture or remote-control activity.
2) Restrict sideloading: allow installation only from managed or vetted sources and block unknown-source APKs by policy.
3) Monitor DNS, proxy and egress logs for HTTP requests and WebSocket upgrades to the listed C2 domains almondcollections.com and amoled.multicoloredhdrsupport.xyz, including their subdomains.
4) Do not rely on a second factor that is delivered to or approved on the same phone: on a device under full takeover, SMS codes, authenticator-app codes and push approvals can all be captured or approved by the attacker. Prefer hardware security keys or confirmation on a separate device, and add server-side risk scoring for transactions.
5) Run security awareness training focused on the phishing and social-engineering lures used to deliver such malware.
6) Where endpoint detection and response (EDR) covers mobile fleets, enable behavioural detections for keylogging and remote-control activity rather than relying on file signatures alone.
7) Harden banking apps with runtime integrity and anti-tampering checks, including detection of active overlays and of Accessibility Services interacting with the app, backed by platform attestation such as Google's Play Integrity API.
8) Maintain incident response playbooks for mobile compromise that assume messages in end-to-end encrypted apps on the device have been read and that credentials entered on the device are exposed.
9) Ingest the Sturnus hashes and domains listed below into threat intelligence feeds and keep them updated.
10) Encourage customers to report suspicious banking activity promptly to enable rapid containment.


Technical Details

Author: AlienVault
TLP: WHITE
References: https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal
Adversary: none listed
Pulse ID: 691f6f33a8a195ad7e1ee091
Threat score: none

Indicators of Compromise

Hash

Type	Value	Description
hash	0e73498f73c059a94e465ca5a4ebdf05	32 hex characters (MD5-length digest); no description given
hash	6c9382d4c715ca9915105b5183d5fb7019af0015	40 hex characters (SHA-1-length digest); no description given
hash	045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5	64 hex characters (SHA-256-length digest); no description given
hash	0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d	64 hex characters (SHA-256-length digest); no description given

Domain

Type	Value	Description
domain	almondcollections.com	C2 domain; no further description given
domain	amoled.multicoloredhdrsupport.xyz	C2 domain; no further description given

Threat ID: 691f8f1ab342c1dca41c339a

Added to database: 11/20/2025, 9:58:50 PM

Last enriched: 11/20/2025, 10:13:47 PM

Last updated: 11/21/2025, 7:46:44 PM

