Sturnus: The Silent Android Banking Trojan Rising Into One of the Most Dangerous Mobile Threats of 2025

Listen to this Post

Featured Image

Introduction

A new Android threat is emerging in the shadows, and security analysts are sounding the alarm. The malware, named Sturnus, is more than another banking trojan. It behaves like a fully equipped digital spy, capable of taking over a device, reading encrypted messages, and performing actions as if the attacker were holding the phone in their hands. Although still in a testing phase, Sturnus already shows the sophistication of a professional cybercrime operation. Its discovery has triggered concern across the cybersecurity community, as its architecture hints at a dangerous future for mobile financial security.

Summary of the Original Report

A New Banking Trojan With Surprising Complexity

Sturnus has been uncovered by MTI Security researchers. This Android malware is privately operated and engineered to take full control of infected phones. It steals banking credentials, manipulates apps, and even bypasses encrypted communications by capturing what is visible on screen.

Deceptive Overlays Built for Fraud

The trojan uses deceptive templates designed to look identical to real banking apps. These overlays appear only when a user opens certain financial applications. Once credentials are captured, the phishing screen shuts itself off to avoid suspicion or repeated detection.

JavaScript Bridges for Data Theft

The phishing overlays are controlled through JavaScript bridges that immediately forward stolen credentials to a command and control server. Each overlay is stored locally on the device and triggered with precise timing.

Abusing Accessibility Services for Full Surveillance

Sturnus leverages Android Accessibility Services to monitor every action on the screen. It captures keystrokes, UI interactions, and sensitive information even when screen content is protected by anti-recording settings such as FLAG_SECURE.

Remote Control With Dual Communication Channels

Researchers confirmed that Sturnus gives attackers full remote access to infected devices. It uses two communication layers. One streams the device screen using native display capture. A secondary method captures screenshots using Accessibility functions when streaming fails.

Live Interaction Through VNC Technology

These visual captures are transmitted using a VNC-based protocol, giving criminals real-time control. They can scroll, type, tap, or navigate inside apps just like a legitimate user.

Invisible Operation Through Screen Blackouts

Sturnus can darken the victim’s screen so the user cannot see what is happening behind the scenes. Fraudulent activity becomes completely invisible while the attacker works silently.

Bypassing End-to-End Encryption

Unlike typical spyware, Sturnus does not try to break encryption. Instead, it reads decrypted messages directly from the device screen. This allows it to monitor WhatsApp, Telegram, and Signal chats in real time without triggering encryption alerts.

Harvesting Chats and Contact Lists

All conversations, contact lists, message previews, and chat threads viewed on the device can be copied and exfiltrated instantly.

Persistence Through Device Administrator Abuse

Sturnus protects itself by using Android Device Administrator rights. Users trying to uninstall or disable it are redirected away from security settings, effectively blocking removal attempts.

Active System Monitoring and Evasion

The malware constantly scans for SIM changes, new apps, USB debugging, or forensic activity. It adapts behavior depending on the environment to avoid exposure.

Encrypted Communications With Hybrid Protocols

The malware uses RSA and AES encryption and dynamically switches between encrypted and unencrypted modes when communicating over WebSocket or HTTP channels. This hybrid design helps evade network detection tools.

Regional Testing Across Europe

While still considered to be in early testing, Sturnus has been observed in Southern and Central Europe. Despite this limited rollout, its architecture suggests a powerful threat capable of global expansion.

A New Top Tier of Android Threats

Security analysts consider Sturnus one of the most advanced Android banking trojans discovered recently. Its real-time control, message interception, and multilayered concealment make it a serious risk to financial institutions and users worldwide.

What Undercode Say:

Understanding Sturnus Through a Deep Technical Lens

Sturnus represents a shift in mobile malware development. It abandons older, noisy approaches that relied on injecting overlays or stealing SMS codes. Instead, it uses a hybrid surveillance model that mirrors legitimate accessibility-driven automation tools. This design allows extremely granular control over the device, which attackers can weaponize for fraud, espionage, or credential harvesting.

Why Its Overlay System is More Dangerous Than Traditional Phishing

Typical banking trojans require time to download overlays from servers. Sturnus stores them locally. This reduces network activity, lowers detection probability, and ensures instant deployment. Most importantly, the overlays disable themselves after successful theft, leaving almost no footprint.

The Real Threat of Accessibility Exploitation

Accessibility Services create an enormous attack surface. By combining full UI monitoring with keystroke reconstruction, Sturnus can capture information even security-hardened apps try to hide. FLAG_SECURE, a common protection in banking apps, becomes ineffective.

A Surveillance System Closer to Remote Desktop Tools

The dual communication channels used by Sturnus are unusual for trojans. The primary method streams real-time video of the device screen. When blocked, the fallback screenshot-based system activates. This ensures uninterrupted control. The use of VNC protocols is especially concerning because it indicates professional engineering, not amateur or mass-market malware development.

Invisible Fraud Through Screen Blackouts

The ability to dim or blacken the screen is a tactic seen in only the most advanced mobile malware families. This lets attackers initiate bank transfers, change security settings, or access messaging apps without raising suspicion. It also frustrates investigations because victims often cannot identify when the fraud occurred.

End-to-End Encryption No Longer a Barrier

Sturnus highlights a painful truth. Encryption is only effective until the data reaches the device screen. By scraping decrypted content, attackers can access sensitive conversations across messaging platforms once considered safe. This approach bypasses the very protections users rely on.

Stealth, Persistence, and Anti-Forensic Behavior

The trojan’s ability to detect SIM swaps, USB debugging, or reverse-engineering attempts shows its creators understand digital forensics. This suggests a well-funded and experienced threat group. Its manipulation of Device Administrator rights makes removal extremely difficult.

Hybrid Encryption for Network Evasion

Switching between encrypted and plaintext communication allows it to blend with normal traffic patterns. Many security products look for consistent encryption signatures or abnormal payloads. Sturnus avoids this by alternating modes, making its communication harder to track.

Why This Testing Phase Should Be a Warning to the World

If the current version is only a test, the final release could incorporate new exploits, additional communication protocols, or refined overlays targeting banks outside Europe. Threat actors often test malware in smaller regions before scaling globally.

Industry Readiness and Response Gaps

Most mobile security solutions focus on detecting overlays, SMS interception, or known malware signatures. Sturnus breaks these rules. Its architecture reduces reliance on standard malware behaviors. Without deeper behavioral analytics, most devices remain vulnerable.

🔍 Fact Checker Results

The malware uses local HTML phishing overlays. ✅ True

Sturnus breaks encryption of WhatsApp or Signal. ❌ False, it reads decrypted content from the screen.

The trojan is confirmed to be globally deployed. ❌ False, it is currently limited to Europe.

📊 Prediction

Sturnus is likely only the beginning of a new generation of mobile banking trojans. Criminal groups will adopt similar real-time screen scraping, dual remote-control channels, and hybrid encryption methods. Expect more malware families to copy this architecture, expand beyond Europe, and target financial apps across North America and Asia. Mobile security teams may need to redesign their defenses to focus on behavioral anomalies rather than static signatures. The next wave of Android threats will be quieter, smarter, and far more invasive.

🕵️‍📝✔️Let’s dive deep and fact‑check.

References:

Reported By: cyberpress.org
Extra Source Hub (Possible Sources for article):
https://www.pinterest.com
Wikipedia
OpenAi & Undercode AI

Image Source:

Unsplash
Undercode AI DI v2
Bing

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeNews & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky | 🐘Mastodon