Date: 2025-11-22
Classification: TLP:CLEAR
Executive Summary
Sturnus is a newly reported Android banking trojan (first public vendor write-up: 20 Nov 2025) that combines overlay-based credential theft, Accessibility-service–based UI/keylogging, and full remote-control (VNC-like) functionality to enable real-time fraud and covert data collection.
ThreatFabric is the primary technical source, with public reporting (BleepingComputer, The Hacker News, Security Affairs, The Record, SC Media) corroborating the core capabilities.
VirusTotal confirms at least one malicious APK sample (SHA-256: 0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d) tied to this operation. Passive infrastructure discovery (Shodan) links reported C2 domains to Russian-hosted IPs in ASN AS48282 (Hosting technology LTD).
Risk level for affected users (mobile banking customers) is HIGH. Sturnus can:
- Bypass end-to-end encryption on messaging apps by reading decrypted content on-device via Accessibility.
- Perform covert transactions through overlays while blacking out or hiding the real screen.
- Resist removal via Device Administrator protections and anti-uninstall behavior.
Primary recommendations:
- Block known C2 domains/IPs.
- Hunt for identified package names and confirmed hash in mobile telemetry/EDR/MDM.
- Restrict sideloading and Accessibility/Device Admin permissions via MDM.
- Obtain samples and perform dynamic analysis to validate protocol and persistence details.
Investigation Scope
- Objective: Determine Sturnus capabilities, distribution, TTPs, IOCs, infrastructure, geographic targeting, and provide detection & mitigation guidance.
- Timeframe: Public reporting between 2025-11-20 and 2025-11-22 (analysis performed 2025-11-22).
- Sources:
- ThreatFabric technical write-up (primary).
- News coverage (BleepingComputer, The Hacker News, Security Affairs, The Record, SC Media).
- VirusTotal enrichment.
- Shodan host discovery; Whois/DNS lookups.
- Protos Threat Feed (no additional pivots found).
Key Findings
High Confidence
- Core capabilities
Sturnus supports overlay phishing (WebView-based HTML templates), Accessibility-based UI-tree collection and keylogging, Device Administrator persistence, VNC-like remote control (pixel streaming + UI-tree actions), and environment monitoring for sandbox/emulator evasion. These behaviors are consistently described by ThreatFabric and multiple media outlets.
- Confirmed malicious sample
- SHA-256: 0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d
- Present on VirusTotal with ~24 engines flagging it as malicious; TrendMicro labels it TrojanSpy.AndroidOS.STURNUS.A.
- Tags indicate an APK with embedded ELF components, telephony modules, reflection, and obfuscation.
- Reported infrastructure
- C2 candidate domains (ThreatFabric):
- amoled.multicoloredhdrsupport[.]xyz
- walnut.almondcollections[.]com
- Shodan mappings:
- 89.110.95.112 → multicoloredhdrsupport[.]xyz (AS48282, Hosting technology LTD, Moscow RU).
- 62.113.117.31 → almondcollections[.]com (AS48282, Hosting technology LTD, Moscow RU).
Medium Confidence
- Communication architecture
ThreatFabric describes:
- HTTP(S) registration.
- RSA-based key exchange.
- AES/CBC-encrypted messaging over HTTPS and WebSocket (WSS).
- Custom binary header and per-message IV.
These details are widely repeated in secondary reporting, but raw vendor text and APKs were not retained in the immediate evidence bundle, so byte-level specifics remain unverified.
- Targeting & scale
Activity is currently low-volume and focused on Southern and Central Europe, using region-specific overlays for local financial institutions. This likely represents early testing/tuning prior to wider deployment.
Low / Unverified
- Low-level implementation details
Some reported internal filenames, full command/packet header schemes, and certain crypto padding strings appear in ThreatFabric’s analysis but were not directly validated against raw APKs or preserved vendor text in this review. These remain unverified until sample-based analysis is completed.
TTPs – MITRE ATT&CK Mapping
Detection Opportunities & Heuristics
Mobile EDR / MDM Telemetry
- New APK installs from sources other than Google Play, especially those:
- Requesting AccessibilityService and/or Device Administrator privileges.
- Hiding their launcher icon shortly after installation.
- Behavioral signals:
- Apps generating unusually high volumes of TYPE_VIEW_TEXT_CHANGED and TYPE_WINDOW_CONTENT_CHANGED Accessibility events.
- Apps that re-appear or restart after forced stop or attempted removal.
Overlay & WebView Indicators
- Creation or modification of HTML files under paths such as:
/data/user/0/<package_name>/files/overlays/*.html
- Apps that programmatically:
- Create WebView instances with JavaScript interfaces (addJavascriptInterface).
- Load remote HTML overlay templates for known banking / messaging brands.
Network Indicators
- Long-lived HTTPS/WSS connections from Android devices to:
- *.multicoloredhdrsupport.xyz
- *.almondcollections.com
- IPs 89.110.95.112 and 62.113.117.31 (AS48282, Hosting technology LTD).
- TLS certificate subjects or SANs referencing these domains.
Device Admin Monitoring
- Non-corporate apps requesting Device Administrator rights shortly after installation.
- Apps interfering with user actions to revoke Device Admin (auto-closing or rerouting settings screens).
Example Detection Logic (Conceptual)
MDM / SIEM Rule – Suspicious Sideload + Sensitive Permissions
IF app_install.source != "PlayStore"
AND (app.requested_permissions contains AccessibilityService
     OR app.requested_permissions contains DeviceAdmin)
THEN Alert (High)
EDR Rule – Suspicious Overlays / WebView Usage
IF app writes .html files under /data/user/0/*/files/overlays/
OR registers WebView with addJavascriptInterface targeting login/payment flows
THEN Alert (Medium)
Network IDS – C2 Domains / IPs
IF outbound connection to *.multicoloredhdrsupport.xyz OR *.almondcollections.com
OR IP in {89.110.95.112, 62.113.117.31}
THEN Alert (Medium) (until further enrichment)
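The three conceptual rules above, written out as a small Python evaluator and run over a handful of constructed telemetry events (an added example, not part of the original report). The event schema and field names are assumptions; the domains, IPs and package names are the indicators the report lists.

```python
from ipaddress import ip_address

# Indicators are the ones listed in the report; everything else here is constructed.
C2_DOMAINS = ("multicoloredhdrsupport.xyz", "almondcollections.com")
C2_IPS = {"89.110.95.112", "62.113.117.31"}
SENSITIVE_PERMS = {"AccessibilityService", "DeviceAdmin"}

def rule_sideload(ev):
    # MDM/SIEM rule: non-Play install that requests Accessibility or Device Admin -> High
    if (ev["type"] == "app_install" and ev["source"] != "PlayStore"
            and SENSITIVE_PERMS & set(ev.get("permissions", []))):
        return ("High", "sideload_sensitive_perms", ev["package"])
    return None

def rule_overlay(ev):
    # EDR rule: overlay HTML under files/overlays/, or a JS-bridge WebView on a login/payment flow -> Medium
    if ev["type"] == "file_write":
        p = ev["path"]
        if p.startswith("/data/user/0/") and "/files/overlays/" in p and p.endswith(".html"):
            return ("Medium", "overlay_html_write", ev["package"])
    elif ev["type"] == "webview" and ev.get("js_interface") and ev.get("flow") in ("login", "payment"):
        return ("Medium", "webview_js_bridge", ev["package"])
    return None

def rule_network(ev):
    # IDS rule: outbound connection to a reported C2 domain (or any subdomain) or IP -> Medium
    if ev["type"] != "net_conn":
        return None
    dst = ev["dst"].lower().rstrip(".")
    try:
        hit = str(ip_address(dst)) in C2_IPS
    except ValueError:  # not an IP literal, so treat it as a hostname
        hit = any(dst == d or dst.endswith("." + d) for d in C2_DOMAINS)
    return ("Medium", "c2_contact", dst) if hit else None

def evaluate(events):
    """Apply every rule to every event and return the alerts raised, in event order."""
    rules = (rule_sideload, rule_overlay, rule_network)
    return [a for ev in events for a in (r(ev) for r in rules) if a]

SAMPLE_EVENTS = [  # constructed, not real device telemetry
    {"type": "app_install", "package": "com.klivkfbky.izaybebnx", "source": "Sideload", "permissions": ["AccessibilityService", "DeviceAdmin"]},
    {"type": "app_install", "package": "com.example.bank", "source": "PlayStore", "permissions": ["AccessibilityService"]},
    {"type": "file_write", "package": "com.klivkfbky.izaybebnx", "path": "/data/user/0/com.klivkfbky.izaybebnx/files/overlays/bank.html"},
    {"type": "webview", "package": "com.uvxuthoq.noscjahae", "js_interface": True, "flow": "login"},
    {"type": "net_conn", "package": "com.klivkfbky.izaybebnx", "dst": "amoled.multicoloredhdrsupport.xyz"},
    {"type": "net_conn", "package": "com.klivkfbky.izaybebnx", "dst": "62.113.117.31"},
    {"type": "net_conn", "package": "com.example.bank", "dst": "api.example-bank.com"},
]
```

Running `evaluate(SAMPLE_EVENTS)` raises five alerts: the Play Store install with Accessibility and the bank's own API traffic are deliberately left unflagged, which is the tuning point for these rules.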
Mitigation & Recommendations
Immediate – Detect & Contain
- Hunt & block indicators
- Add the confirmed hash and reported package names to blocklists and detection logic:
- Hash: 0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d
- Packages (ThreatFabric):
- com.klivkfbky.izaybebnx (spoofed "Google Chrome")
- com.uvxuthoq.noscjahae (label "Preemix Box")
- Hunt across mobile EDR/MDM telemetry for these indicators and suspicious sideload events.
Priority / Confidence: High
- Network blocking
- Temporarily block or closely monitor connections to:
- amoled.multicoloredhdrsupport[.]xyz → 89.110.95.112
- walnut.almondcollections[.]com / almondcollections[.]com → 62.113.117.31
- Where feasible, restrict or closely monitor traffic from mobile endpoints to AS48282.
Priority: Medium | Confidence: Medium
- Remediation on suspected devices
- Revoke Device Administrator privileges for the malicious app.
- Uninstall the app; if persistence or anomalous behavior remains, perform full factory reset or OS reflash.
Priority: High | Confidence: High
Short-Term – Hardening & Hunts
- Policy controls
- Block or tightly control APK sideloading via MDM.
- Implement allow-lists for apps permitted to use Accessibility and Device Admin.
Priority: High
- Telemetry-driven hunts
- Search logs for:
- Non-PlayStore installations prior to requesting Accessibility/Device Admin.
- Overlay HTML creation in suspicious app paths.
- Long-lived WSS connections from mobile endpoints to unknown domains.
Priority: High
Medium-Term – Analysis & Rule Deployment
- Sample acquisition and analysis
- Retrieve APKs for:
- Confirmed hash 0cf970d2... and other ThreatFabric-reported hashes (e.g., 045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5, VT-404 at query time).
- Conduct static and dynamic analysis in a mobile sandbox to confirm:
- Protocol details (headers, crypto, endpoints).
- Persistence and anti-removal logic.
- Overlay templates and JS bridge identifiers.
Priority: Medium | Confidence if performed: High
- Detection engineering
- Implement SIEM/IDS rules for:
- Suspicious Accessibility and Device Admin usage patterns.
- WebView/JS-bridge activity related to login/payment flows.
- Long-lived WSS sessions to unfamiliar infrastructure.
Priority: Medium
Strategic – Policy & User Awareness
- User training
- Educate users on:
- Dangers of sideloading apps and malvertising.
- Risks of granting Accessibility or Device Admin privileges to untrusted apps.
Priority: Medium
- Mobile threat defense
- Evaluate or expand deployment of mobile threat defense solutions capable of detecting:
- Overlay-based attacks.
- Suspicious WebView/JS-bridge use.
- Hidden remote-control / VNC-like activity.
Priority: High
Risk Assessment
- Overall Risk: High
- Rationale:
- Credential theft via overlays and Accessibility.
- On-device access to decrypted content in secure messaging and banking apps.
- Real-time remote control to execute fraudulent transactions while obscuring activity from the user.
- Resistance to removal via Device Admin and anti-uninstall techniques.
This combination creates significant financial and privacy risk for targeted users and institutions, especially in regions already observed (Southern and Central Europe).
Indicators of Compromise (IOCs)
File Hashes
- High / Confirmed
- 0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d
- VirusTotal: multiple detections; TrendMicro label includes STURNUS.A.
- Medium / Vendor-Reported
- 045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5
- Reported by ThreatFabric; returned 404 on VirusTotal at query time.
Package Names / App Labels (Medium)
- com.klivkfbky.izaybebnx — App label reportedly "Google Chrome" (spoofed browser).
- com.uvxuthoq.noscjahae — App label reportedly "Preemix Box".
Domains / Infrastructure (Medium)
- amoled.multicoloredhdrsupport[.]xyz
- Mapped by Shodan to 89.110.95.112 (AS48282, Hosting technology LTD, Moscow RU).
- walnut.almondcollections[.]com / almondcollections[.]com
- Mapped by Shodan to 62.113.117.31 (AS48282, Hosting technology LTD, Moscow RU).
Note: Whois/DNS lookups at the time of analysis returned no active DNS records for these domains, suggesting short-lived infrastructure or post-exposure takedown.
IP Addresses (Medium)
- 89.110.95.112 — Associated with multicoloredhdrsupport[.]xyz.
- 62.113.117.31 — Associated with almondcollections[.]com.
Limitations & Validation Notes
- ThreatFabric is the primary technical source for Sturnus; most behavioral claims are cross-checked by multiple media outlets.
- Raw vendor blog HTML/text and APK samples were not preserved in the immediate evidence bundle used for this review. As a result:
- Detailed protocol elements (exact header bytes, RSA padding schemes, string constants) remain medium confidence until sample analysis is performed.
- One vendor-reported hash (045a15df...) was not obtainable from VirusTotal at query time.
Protos Threat Feed returned no additional pivots for the provided indicators.
Recommended Next Steps by Function
- Threat Intelligence
- Retrieve and archive the full ThreatFabric technical blog and associated documentation for long-term reference and byte-level verification.
- Track new public reporting or vendor updates for additional hashes, domains, or TTP refinements.
- Malware Analysis
- Obtain APK samples tied to the confirmed and vendor-reported hashes from reliable repositories.
- Perform static (code/strings/certs) and dynamic (sandbox) analysis focusing on:
- Accessibility and overlay implementation.
- C2 protocol (headers, crypto, endpoints).
- Persistence & anti-removal behavior.
- SOC / Detection Engineering
- Implement and tune detection logic described above (sideload + sensitive permissions, overlay paths, WSS patterns, Device Admin anomalies).
- Run focused hunts for sideloaded apps requesting Accessibility/Device Admin and for listed IOCs.
- Incident Response
- For confirmed infections:
- Isolate affected devices from sensitive networks.
- Revoke Device Admin, remove the malicious app, and perform factory reset/OS reflash if required.
- Capture forensic images where feasible for post-incident analysis.
- TI / Network Teams
- Feed any newly discovered IOCs (hashes, domains, IPs) back into internal TI platforms and blocklists.
- Periodically re-check the status of identified infrastructure (domains/IPs) for potential reuse or related clusters.
Prepared by: Threat Intelligence Analyst Agent (Protos AI V2)