Updated November 25 with a new warning from America’s Cyber Defense Agency, CISA, regarding how spyware is targeting users of instant messaging applications, as well as further comments from malware experts regarding the threat that the Sturnus trojan poses to all secure messenger users.
Nobody wants their secrets to leak, whether that is the Department of War, FTSE 100 companies, or your average consumer VPN user. One place where many secrets exist is within the encrypted instant messages we send via apps such as Signal, Telegram and WhatsApp. So, what if I were to tell you that a new threat has been identified, targeting Android smartphone users, that effectively bypasses the secure encryption that protects the privacy of your messages, and captures them for cybercriminal hackers to read? Welcome to the distinctly dangerous world of the Sturnus trojan.
These Hackers Can Read Your ‘Private’ Instant Messages
Security researchers at threat intelligence outfit ThreatFabric have confirmed that they have observed a new and dangerous piece of Android malware, a banking trojan that goes beyond the normal boundaries of such malicious software. Not only can Sturnus, which the ThreatFabric analysis said is “currently in a development or limited testing phase,” provide hackers with the ability to gain full device control and harvest banking credentials, but also, and here’s the killer blow, it can “bypass encrypted messaging” according to the in-depth technical report.
I’m a user of all three of these instant messaging apps, for different use-cases, and rely upon Signal and WhatsApp encryption for some of them. The good news is that the encryption itself has not been broken; the attackers have not found a way to decrypt your messages. What they have done, however, is put together a complex technical process that, ultimately, does something very simple indeed: it reads your messages after you’ve decrypted them and they are displayed on the smartphone screen. This harks back to a warning that I used to give people all the time when secure messengers made a big play on the fact that screenshots could be disabled on time-limited, one-hit and done, messages, so the recipient couldn’t take a copy and share it around. They could if they took a photo of the screen with another device.
It’s also a good time to remind people not to download apps from untrusted sources, even if they appear to be a legitimate Google Chrome update, which seems to be one of the distribution methods for the Sturnus malware.
Security Expert Reveals Threat From Hackers Posed To All Organizations By The Sturnus Trojan
“Sturnus poses a different kind of threat compared to other Android malware due to its ability to use a mix of plaintext, RSA, and AES-encrypted communication with the C2 server it responds to,” is the warning that Aditya Sood, vice president of security engineering and AI strategy at Aryaka, conveyed to me in an email concerning the dangers facing all organizations, rather than just consumers, by this latest trojan malware development.
There’s a lot of technology jargon to unravel there, so let me get that out of the way before going any further. RSA refers to the Rivest, Shamir, and Adleman family of public-key cryptosystems that is still used for secure data transmission, despite being one of the oldest. AES, meanwhile, is the Advanced Encryption Standard, another encryption specification, this time established by the National Institute of Standards and Technology in 2001. The simplest of the three to explain is the C2 server reference, which is the command and control (two C’s, get it?) server involved, in this case Matrix Push C2.
“The combination of these three,” Sood continued, “allows Sturnus to blend more easily into normal network patterns, while also hiding commands and stolen data from defense systems.” And it is this particularly advanced kind of evasion, and resilience, that enables the malware to disrupt signature-based detection and impede reverse-engineering efforts. This, Sood warned, makes it much “harder to inspect Sturnus’ network traffic or recover the contents that it steals.”
Which brings us to the ‘all organizations’ warning: “The ability to steal messages from end-to-end encrypted platforms like Signal could spell serious problems for organizations,” Sood concluded, “as those applications are used across several industries to secure sensitive or confidential information.”
Hackers Can Read Everything That Appears On Your Smartphone Screen
“Because it relies on Accessibility Service logging rather than network interception,” the report said, “the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time.” It is this capability that makes Sturnus particularly dangerous, in the view of the researchers and me, as it side-steps the protection that end-to-end encryption provides. As I’ve often stated, a compromised device is not secure, and nor is anything on it. “The user sees a secure interface, but from the moment the device is compromised,” the researchers confirmed, “every sensitive exchange becomes visible to the operator, with no cryptographic protection left to rely on.”
So, if you don’t want hackers reading your private stuff, ensure it stays that way by keeping Google’s Play Protect activated, avoiding unauthorized app stores and not granting an app accessibility permissions unless there’s a very good reason and you are 101% sure it is safe to do so.
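Since the report says the malware depends on an enabled Accessibility Service rather than on breaking encryption, one practical check is to audit which accessibility services are actually enabled on a handset. The following script is an added example, not code from the article or from ThreatFabric; it assumes adb is installed for the live check, and the allowlist and the sample service names are constructed placeholders.

```shell
#!/bin/sh
# Added example: list enabled Android accessibility services that are not on
# an allowlist. Sturnus-style malware needs this permission to read what is
# on screen, so an unexpected entry here deserves a closer look.

# Allowlist of services you expect to be enabled (constructed placeholder;
# replace with the component names you have actually approved).
ALLOWED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_unexpected_services "<settings value>" "<allowlist>"
# The settings value is the colon-separated list that Android returns from:
#   adb shell settings get secure enabled_accessibility_services
# Prints one line per enabled service that is not in the allowlist.
flag_unexpected_services() {
    value="$1"
    allow="$2"
    # "null" or an empty string means no accessibility service is enabled.
    if [ -z "$value" ] || [ "$value" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$value" | tr ':' '\n' | while IFS= read -r svc; do
        if [ -z "$svc" ]; then
            continue
        fi
        found=0
        for a in $allow; do
            if [ "$svc" = "$a" ]; then
                found=1
            fi
        done
        if [ "$found" -eq 0 ]; then
            printf '%s\n' "$svc"
        fi
    done
}

# Live check against a connected device; skipped when adb is not available.
audit_device() {
    if ! command -v adb >/dev/null 2>&1; then
        echo "adb not found; skipping live check" >&2
        return 0
    fi
    enabled=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    flag_unexpected_services "$enabled" "$ALLOWED"
}

# Run the live audit only when invoked as: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_device
fi
```

Any service the script prints should be traced back to the app that registered it; if you cannot name a good reason for that app to read your screen, revoke the permission in Settings and remove the app.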
Cybersecurity And Infrastructure Security Agency Publishes New Warning As Hackers Target Messenger Apps With Spyware
An alert published by the Cybersecurity And Infrastructure Security Agency, known as CISA or as it styles itself “America’s Cyber Defense Agency,” has confirmed the risk faced by users of messaging applications from cyber threat actors employing commercial spyware applications. “These cyber actors use sophisticated targeting and social engineering techniques to deliver spyware and gain unauthorized access to a victim’s messaging app,” the CISA cybersecurity advisory stated, “facilitating the deployment of additional malicious payloads that can further compromise the victim’s mobile device.”
The tactics employed by even the most advanced hackers looking to target potential victims with the most sophisticated spyware malware are, it has to be said, remarkably familiar to anyone who has read any news report about phishing and spyware attacks over the years. CISA highlighted the following, for example:
- Phishing and malicious device-linking QR codes to compromise victim accounts and link them to actor-controlled devices.
- Zero-click exploits, which require no direct action from the device user.
- Impersonation of messaging app platforms, such as Signal and WhatsApp.
Although the vast majority of ordinary users will not be targeted by espionage attackers, nation-state hackers and the like, who tend to focus their valuable time, and valuable spyware assets, on high-profile victims such as politicians, journalists, activists, and the military, the mitigation advice is worth reading because it applies to everyone.
That advice includes remaining vigilant against hackers using social engineering methods, such as claiming an account has been compromised and that the recipient must log in to confirm their identity and regain control over it. It also includes avoiding scanning any group-invitation links or QR codes that come from unverified sources. Talking of which, CISA recommends verifying “the authenticity of group invitations by contacting the group creator or administrator through separate communication channels.”
Then there’s the fine advice to be highly suspicious of all and any unexpected security alert messages, even when they appear to be generated by the application itself, and “especially if the message requests authentication” by way of PIN code or one-time authentication code. Finally, I’d recommend following the CISA know-how when it says that you should limit linking of devices to only those that are absolutely necessary, which should go without saying, but hey.
