A new Android banking trojan called Sturnus has surfaced, and it is capable of capturing messages from end-to-end encrypted apps like WhatsApp, Signal, and Telegram.

It can also take full control of an infected device. Even though the malware is still being developed, it already works well and has been set up to target banking accounts in several European countries using region-specific fake login screens.

Sturnus is more advanced than most Android malware seen today. It communicates with its command-and-control server using a mix of plaintext, RSA, and AES encryption. According to a report from ThreatFabric, the malware can read secure messages by grabbing their content directly from the device screen after the apps have already decrypted them.

The trojan can also steal banking usernames and passwords using fake overlays designed to look like real banking pages. On top of that, it supports full remote control through a VNC session, allowing attackers to operate the phone in real time.

ThreatFabric told BleepingComputer that infections start when victims download fake Android apps disguised as Google Chrome or Preemix Box. It is not yet clear how the malware is being spread, but researchers believe malicious ads or direct messages may be involved.

Once installed, the malware connects to its server and registers the device through a cryptographic exchange. It then sets up an encrypted HTTPS channel for commands and data theft, along with an AES-encrypted WebSocket connection for real-time remote control and live monitoring.


By abusing Android’s Accessibility services, Sturnus can read text on the screen, record user inputs, watch for app launches, navigate the phone, and even type or press buttons. To strengthen its grip on the device, it also requests Device Administrator privileges, giving it the ability to monitor password changes, control the lock screen, and prevent the user from removing the malware. Until these admin rights are manually removed, the malware cannot be uninstalled, even through ADB.
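The two footholds described above, an enabled Accessibility service and an active Device Administrator, are both visible from a USB-attached device. The following Python script is an added defender-side triage example, not code from ThreatFabric's report or from the article: it parses the output of the real commands `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` and flags any component that is not on an allow-list. The allow-lists, the `com.example.*` package names and the sample command output are constructed for illustration, and the line layout assumed for the `dumpsys device_policy` section varies between Android versions, so the regular expression is an assumption to check against the device at hand.

```python
"""Flag accessibility services and device admins that are not on an allow-list.

Added example (not from ThreatFabric or BleepingComputer). Input is the text
produced by two adb commands:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys device_policy
All sample output and com.example.* package names below are constructed.
"""
from __future__ import annotations

import re

# Hypothetical allow-list: accessibility services an organisation expects to see.
KNOWN_ACCESSIBILITY = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
}
# Hypothetical allow-list: device-admin receivers, e.g. a managed MDM agent.
KNOWN_ADMINS = {
    "com.example.mdm/com.example.mdm.AdminReceiver",
}

# Assumed line shape for an admin entry inside the "Enabled Device Admins"
# section of `dumpsys device_policy`: an indented "package/receiver:" line.
_ADMIN_LINE = re.compile(r"^\s+([\w.]+/[\w.$]+):\s*$", re.MULTILINE)


def parse_accessibility_services(settings_value: str) -> list[str]:
    """Split the colon-separated enabled_accessibility_services value.

    `settings get` prints the literal string "null" when nothing is enabled.
    """
    value = settings_value.strip()
    if not value or value == "null":
        return []
    return [svc for svc in value.split(":") if svc]


def parse_device_admins(dumpsys_text: str) -> list[str]:
    """Return the admin receiver components listed after 'Enabled Device Admins'."""
    start = dumpsys_text.find("Enabled Device Admins")
    if start < 0:
        return []
    return _ADMIN_LINE.findall(dumpsys_text[start:])


def triage(settings_value: str, dumpsys_text: str) -> list[tuple[str, str]]:
    """Return (kind, component) pairs for anything outside the allow-lists."""
    findings: list[tuple[str, str]] = []
    for svc in parse_accessibility_services(settings_value):
        if svc not in KNOWN_ACCESSIBILITY:
            findings.append(("accessibility", svc))
    for admin in parse_device_admins(dumpsys_text):
        if admin not in KNOWN_ADMINS:
            findings.append(("device_admin", admin))
    return findings


# Constructed sample output: a legitimate screen reader plus a Chrome-branded
# package that has taken both an accessibility service and a device-admin slot.
SAMPLE_SETTINGS = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/com.example.fakechrome.AccService"
)
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/com.example.mdm.AdminReceiver:
      uid=10101
    com.example.fakechrome/com.example.fakechrome.AdminReceiver:
      uid=10233
"""

if __name__ == "__main__":
    for kind, component in triage(SAMPLE_SETTINGS, SAMPLE_DUMPSYS):
        print(f"[{kind}] not on allow-list: {component}")
```

Anything the script reports deserves a look at the package's installer source and signing certificate: a package branded as a mainstream browser has no reason to hold an accessibility service, let alone device-admin rights, and an admin entry explains why a plain uninstall fails until that admin is deactivated in the device settings.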

When messaging apps like WhatsApp, Signal, or Telegram are opened, Sturnus uses its Accessibility permissions to capture messages, typed text, contact names, and entire chat threads. Because it reads what appears on the screen instead of intercepting the network traffic, it completely bypasses end-to-end encryption. The attackers can see every message exactly as it appears to the user.

The malware’s VNC mode allows attackers to operate the phone remotely. They can click, scroll, enter text, approve dialogs, move money, or change settings. To hide their actions, they often activate a black screen overlay so the victim cannot see what is happening. ThreatFabric shared an example of a fake Android system update screen that hides malicious activity running underneath it.

Researchers believe Sturnus is still being tested, as the number of attacks is low and mainly focused on users in Southern and Central Europe. However, its powerful features and scalable design suggest that it could soon be used in larger campaigns.


Android users are advised to avoid downloading APK files from outside the Google Play Store, keep Google Play Protect enabled, and be cautious about granting Accessibility permissions unless absolutely necessary.