[Image: a finger hovers above the Telegram, Signal and WhatsApp smartphone app icons. Photothek via Getty Images]

Beware the Sturnus malware attacks that bypass instant messenger encryption to read your texts.

Updated November 24 with further comments from malware experts regarding the Sturnus threat from hackers impacting all secure messenger users.

Nobody wants their secrets to leak, whether that is the Department of War, FTSE 100 companies, or your average consumer VPN user. One place where many secrets exist is within the encrypted instant messages we send via apps such as Signal, Telegram and WhatsApp. So, what if I were to tell you that a new threat has been identified, targeting Android smartphone users, that effectively bypasses the secure encryption that protects the privacy of your messages, and captures them for cybercriminal hackers to read? Welcome to the distinctly dangerous world of the Sturnus trojan.

These Hackers Can Read Your ‘Private’ Instant Messages

Security researchers at threat intelligence outfit ThreatFabric have confirmed that they have observed a new and dangerous piece of Android malware, a banking trojan that goes beyond the normal boundaries of such malicious software. Not only can Sturnus, which the ThreatFabric analysis said is “currently in a development or limited testing phase,” provide hackers with the ability to gain full device control and harvest banking credentials, but also, and here’s the killer blow, it can “bypass encrypted messaging” according to the in-depth technical report.

I’m a user of all three of these instant messaging apps, for different use-cases, and rely upon Signal and WhatsApp encryption for some of them. The good news is that the encryption itself has not been broken; the attackers have not found a way to read your encrypted messages. What they have done, however, is put together a complex technical process that, ultimately, does something very simple indeed: it reads your messages after you’ve decrypted them and they are displayed on the smartphone screen. This harks back to a warning I used to give people all the time when secure messengers made a big play of the fact that screenshots could be disabled on time-limited, one-hit-and-done messages so the recipient couldn’t take a copy and share it around: they could, if they took a photo of the screen with another device.

It’s also a good time to remind people not to download apps from untrusted sources, even if they appear to be a legitimate Google Chrome update, which seems to be one of the distribution methods for the Sturnus malware.

Security Expert Reveals Threat From Hackers Posed To All Organizations By The Sturnus Trojan

“Sturnus poses a different kind of threat compared to other Android malware due to its ability to use a mix of plaintext, RSA, and AES-encrypted communication with the C2 server it responds to,” is the warning that Aditya Sood, vice president of security engineering and AI strategy at Aryaka, conveyed to me in an email concerning the dangers facing all organizations, rather than just consumers, by this latest trojan malware development.

There’s a lot of technology jargon to unravel there, so let me get that out of the way before going any further. RSA refers to the Rivest, Shamir, and Adleman family of public-key cryptosystems that is still used for secure data transmission, despite being one of the oldest. AES, meanwhile, is the Advanced Encryption Standard, another encryption specification, this time established by the National Institute of Standards and Technology in 2001. The simplest of the three to explain is the C2 server reference, which is the command and control (two C’s, get it?) server involved, in this case Matrix Push C2.

“The combination of these three,” Sood continued, “allows Sturnus to blend more easily into normal network patterns, while also hiding commands and stolen data from defense systems.” And it is this particularly advanced kind of evasion, and resilience, that enables the malware to disrupt signature-based detection and impede reverse-engineering efforts. This, Sood warned, makes it much “harder to inspect Sturnus’ network traffic or recover the contents that it steals.”

Which brings us to the ‘all organizations’ warning: “The ability to steal messages from end-to-end encrypted platforms like Signal could spell serious problems for organizations,” Sood concluded, “as those applications are used across several industries to secure sensitive or confidential information.”

Hackers Can Read Everything That Appears On Your Smartphone Screen

“Because it relies on Accessibility Service logging rather than network interception,” the report said, “the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time.” It is this capability that makes Sturnus particularly dangerous, in the view of the researchers and me, as it side-steps the protection that end-to-end encryption provides. As I’ve often stated, a compromised device is not secure, and nor is anything on it. “The user sees a secure interface, but from the moment the device is compromised,” the researchers confirmed, “every sensitive exchange becomes visible to the operator, with no cryptographic protection left to rely on.”

You can read more about instant messenger security here: Signal, Telegram and WhatsApp.

So, if you don’t want hackers reading your private stuff, ensure it stays that way by keeping Google’s Play Protect activated, avoiding unauthorized app stores and not granting accessibility permissions to an app unless there’s a very good reason and you are 101% sure it is safe to do so.
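As an added example (not code from the article, from ThreatFabric’s report or from any of the experts quoted), the POSIX shell script below shows the two checks a defender or help-desk engineer can run over `adb shell` output to act on the advice above: list every enabled accessibility service that is not on an allowlist, and list third-party apps that did not arrive through the Play Store. The allowlist, the package names and the sample adb output are all constructed placeholders, so the script runs offline; on a real handset you would feed it the live output of the two adb commands named in the comments.

```shell
#!/bin/sh
# Added example, not the article's or ThreatFabric's code. Two triage checks
# for the Sturnus-style risks described above: an unexpected accessibility
# service (screen-reading), and sideloaded APKs (fake "Chrome update").

# Assumption: the only accessibility service this fleet is expected to run
# is TalkBack. Extend with a colon-separated list for your own environment.
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of:  adb shell settings get secure enabled_accessibility_services
# (colon-separated package/ServiceClass entries; package names are placeholders)
SAMPLE_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakechrome/.AccessService"

# Constructed sample of:  adb shell pm list packages -3 -i
# (third-party packages with the installing package; placeholders again)
SAMPLE_PACKAGES="package:com.example.bank  installer=com.google.android.packageinstaller
package:com.example.fakechrome  installer=null
package:com.example.notes  installer=com.android.vending"

# Print each enabled accessibility service that is not on the allowlist.
# Argument 1: the raw enabled_accessibility_services setting value.
unexpected_services() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
        [ -n "$svc" ] || continue
        case ":$ALLOWED_SERVICES:" in
            *":$svc:"*) ;;              # expected service, nothing to report
            *) printf '%s\n' "$svc" ;;  # anything else deserves a close look
        esac
    done
}

# Print third-party packages whose installer is not the Play Store
# (com.android.vending). "null" or the manual package installer means the
# APK was sideloaded, which is exactly how a fake browser update arrives.
# Argument 1: the raw "pm list packages -3 -i" output.
sideloaded_packages() {
    printf '%s\n' "$1" | while IFS= read -r line; do
        pkg=${line#package:}          # strip the "package:" prefix
        pkg=${pkg%% *}                # keep only the package name
        inst=${line##*installer=}     # keep only the installer value
        [ "$inst" = "com.android.vending" ] || printf '%s (installer=%s)\n' "$pkg" "$inst"
    done
}

# Stand-alone run over the constructed samples.
echo "== enabled accessibility services not on the allowlist =="
unexpected_services "$SAMPLE_SERVICES"
echo "== third-party packages not installed from the Play Store =="
sideloaded_packages "$SAMPLE_PACKAGES"
```

On a managed device the two sample strings are replaced with the live values, for example `unexpected_services "$(adb shell settings get secure enabled_accessibility_services)"`; any service the script prints is a candidate for the same “do you really need this?” question the article asks, and any sideloaded package with a browser-like name is worth pulling for analysis before it is trusted.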
