
A new, highly sophisticated Android malware named Sturnus has emerged, capable of bypassing end-to-end encryption to spy on messaging apps like Signal, WhatsApp, and Telegram, while also taking full control of infected devices. Though still in development, this trojan has already demonstrated the ability to target multiple financial institutions across Europe, using region-specific overlays to mimic legitimate banking applications. Its advanced architecture and strong encryption mechanisms make it one of the most dangerous Android threats seen in recent years.
Summary
Sturnus is designed to steal sensitive data and control devices remotely. By exploiting Android’s Accessibility services, it can read screen content, capture typed text, and observe app behavior in real time. Unlike network-based attacks, Sturnus bypasses end-to-end encryption entirely by reading messages after they are decrypted on the device. It supports real-time VNC (Virtual Network Computing) operations, allowing attackers to click, type, scroll, and navigate apps invisibly to the user. The malware is capable of overlay attacks, creating fake screens such as system updates to hide malicious activity like transferring money, approving multi-factor authentication requests, or installing additional apps.
ThreatFabric, the threat intelligence firm analyzing Sturnus, noted that the malware disguises itself as legitimate apps like Google Chrome or Preemix Box and registers victims through a cryptographic handshake with its command-and-control (C2) servers. It uses a mix of plaintext, RSA, and AES-encrypted communication channels for data exfiltration and VNC operations. Sturnus also escalates privileges by obtaining Android Device Administrator rights, making it resistant to uninstallation or standard cleanup methods.
Currently, Sturnus has been detected in limited campaigns, mostly targeting Southern and Central European users, suggesting it is still in a testing phase rather than full-scale deployment. Nevertheless, its combination of advanced spying capabilities, financial overlays, and real-time device manipulation signals malware that is ready to scale into a major threat. Android users are advised to avoid downloading APKs from unofficial sources, keep Google Play Protect active, and carefully manage Accessibility permissions to reduce risk exposure.
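An added example (not from the article or from ThreatFabric's report) of the permission audit the summary recommends: it reads the enabled Accessibility services and Device Administrator receivers, the two mechanisms Sturnus is reported to abuse, and flags anything not on an allowlist. The allowlist contents, the sample device output and the `com.fake.browser` entries are constructed assumptions; the `adb shell settings` and `dumpsys device_policy` commands are real.

```python
import re
import subprocess

# Constructed allowlists (assumption): the accessibility services and device
# admin receivers a fleet legitimately expects. TalkBack is Google's screen
# reader; the MDM entry is a hypothetical placeholder.
KNOWN_ACCESSIBILITY = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}
KNOWN_DEVICE_ADMINS = {"com.example.mdm/com.example.mdm.AdminReceiver"}
COMPONENT_RE = re.compile(r"ComponentInfo\{([\w.]+)/([\w.$]+)\}")

def parse_accessibility_services(raw: str) -> list:
    """Parse the secure setting enabled_accessibility_services: a
    colon-separated list of package/ServiceClass entries, or '' / 'null'."""
    raw = raw.strip()
    return [] if raw in ("", "null") else [s for s in raw.split(":") if s]

def parse_device_admins(dumpsys: str) -> list:
    """Pull ComponentInfo{pkg/cls} admin receivers out of `dumpsys device_policy`."""
    return [f"{pkg}/{cls}" for pkg, cls in COMPONENT_RE.findall(dumpsys)]

def audit(settings_value: str, dumpsys_text: str) -> dict:
    """Report enabled entries missing from the allowlists; malware that abuses
    Accessibility or Device Administrator rights surfaces here."""
    return {
        "unexpected_accessibility": sorted(
            set(parse_accessibility_services(settings_value)) - KNOWN_ACCESSIBILITY),
        "unexpected_device_admins": sorted(
            set(parse_device_admins(dumpsys_text)) - KNOWN_DEVICE_ADMINS),
    }

def adb_shell(*args: str) -> str:
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout

# Constructed sample output standing in for a live device.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
                  "com.fake.browser/com.fake.browser.ScreenReaderService")
SAMPLE_DUMPSYS = """Enabled Device Admins (User 0):
  ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}:
  ComponentInfo{com.fake.browser/com.fake.browser.AdminReceiver}:
"""

if __name__ == "__main__":
    try:
        report = audit(adb_shell("settings", "get", "secure", "enabled_accessibility_services"),
                       adb_shell("dumpsys", "device_policy"))
    except (FileNotFoundError, subprocess.CalledProcessError):
        report = audit(SAMPLE_SETTING, SAMPLE_DUMPSYS)  # no device attached
    print(report)
```

Anything the audit flags deserves a look at which app registered it and when, since a trojan relying on these rights cannot hide the registration itself from this settings view.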
What Undercode Says:
Sturnus represents a new level of sophistication in Android malware, combining multiple attack vectors that were previously seen individually in older malware families. Its use of Accessibility services to bypass end-to-end encryption is particularly concerning because it renders traditional network-based security measures ineffective. The malware’s ability to hijack device input and output, combined with real-time VNC control, essentially gives attackers the same capabilities as a physical device operator.
The overlay templates tailored for European banks indicate a financially motivated threat actor with deep knowledge of regional banking systems and user behaviors. Even in its early development stage, Sturnus demonstrates the scalability and modularity needed for large-scale attacks. The mixture of AES and RSA encryption for C2 communication suggests the developers are prioritizing stealth and security for their operations, making detection and mitigation difficult.
Moreover, the adoption of layered protections such as administrator rights and obfuscation of malicious actions through overlays shows a deliberate effort to evade removal. The malware’s ability to monitor message content on encrypted platforms indicates that even users who rely heavily on secure messaging apps are vulnerable if the device itself is compromised.
From a cybersecurity strategy perspective, Sturnus highlights the growing need for endpoint-level defenses that go beyond traditional antivirus software. Behavioral analysis, app permission audits, and device integrity monitoring will become essential to detect such threats before significant damage occurs. Companies and individuals must be proactive in applying security patches, avoiding third-party app stores, and limiting the use of high-risk permissions.
The low-volume, regional targeting seen in initial campaigns could suggest a testing phase, but this also implies that attackers are refining their techniques for broader deployment. If the malware is scaled up, it could affect thousands of users, leading to severe financial and privacy breaches. Organizations in Europe, in particular, should monitor traffic patterns for unusual VNC sessions and screen capture activity, and educate users about the dangers of granting Accessibility permissions indiscriminately.
Sturnus also underscores the importance of rapid intelligence sharing between cybersecurity firms and financial institutions. Early detection, combined with user education and stringent app vetting processes, could significantly reduce its impact. However, the malware’s design shows that the threat landscape is evolving toward highly adaptive, multi-faceted attacks that can bypass conventional security protocols, signaling a need for continuous innovation in mobile security solutions.
Fact Checker Results:
✅ Sturnus targets Android devices and can capture messages from encrypted messaging apps.
✅ The malware uses Accessibility services and overlays to steal credentials and perform remote actions.
❌ It is not yet widely deployed; current campaigns are low-volume and regional.
Prediction 📊
As Sturnus develops, it is likely to evolve into a larger, more sophisticated campaign targeting financial institutions across Europe. Expect new overlay templates and possibly expansion to other regions. Users and organizations that ignore mobile device hygiene and permission management will face increasing risks of financial fraud and privacy breaches. Advanced monitoring tools and endpoint security solutions will become crucial defenses against this emerging threat.
References:
Reported By: www.bleepingcomputer.com