Sturnus
Sturnus is an Android banking trojan identified by ThreatFabric. It is designed for credential theft and financial fraud, using convincing fake banking login overlays/HTML screens to steal credentials and enabling near-total remote control of infected Android devices. The malware abuses Android Accessibility Services to capture keystrokes, UI elements, and on-screen content, allowing operators to monitor device activity in real time, inject text, press buttons, scroll, launch apps, and reconstruct the device layout remotely. It also supports VNC-style remote control and display capture, and operators can use a black full-screen overlay or fake Android update screen to conceal malicious actions while executing transactions, approving dialogs or MFA prompts, changing settings, or installing apps.
A notable capability of Sturnus is its ability to capture content from end-to-end encrypted messaging applications such as WhatsApp, Telegram, and Signal. Rather than breaking encryption, it reads messages, contacts, and full chat threads after they are decrypted and displayed on the device, using accessibility abuse and screen/UI capture. Sturnus also gathers extensive device profiling data, including installed apps, hardware, sensor, and network information, to adapt its tactics. It can obtain Device Administrator privileges, detect attempts to disable those privileges, navigate users away from relevant settings, and block uninstallation or removal via ADB until admin rights are revoked.
Observed Sturnus artifacts include malicious APKs disguised as Google Chrome (com.klivkfbky.izaybebnx) and Preemix Box (com.uvxuthoq.noscjahae). The malware communicates with remote infrastructure over HTTP/HTTPS and WebSocket, with reporting indicating a mix of plaintext, AES, and RSA-encrypted communications; the name "Sturnus" is noted as referring to this mixed communication pattern. ThreatFabric reported that Sturnus is privately operated, currently in development, evaluation, or limited testing, but already fully functional. It has been configured with region-specific templates targeting banks and financial institutions in Southern and Central Europe, suggesting preparation for broader campaigns.
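As an added defender-side triage example (not ThreatFabric's reporting code and not part of this page), the script below checks constructed `adb` output for the two observed package names and for packages outside an allowlist that hold the accessibility-service and device-admin grants the family abuses. The allowlist, the sample output, and the `ComponentInfo{pkg/Receiver}` line shape taken from `dumpsys device_policy` are assumptions.

```python
import re

# Observed Sturnus package names from the ThreatFabric reporting above.
STURNUS_PACKAGES = {
    "com.klivkfbky.izaybebnx",  # disguised as Google Chrome
    "com.uvxuthoq.noscjahae",   # disguised as "Preemix Box"
}

# Hypothetical allowlist of packages that legitimately hold accessibility or
# device-admin rights on the fleet; a real deployment loads this from policy.
ALLOWED_PRIVILEGED = {"com.android.settings", "com.google.android.marvin.talkback"}


def parse_accessibility(enabled_value: str) -> set[str]:
    """Packages in 'settings get secure enabled_accessibility_services'
    (colon-separated 'package/ServiceClass' entries; 'null' means none)."""
    value = enabled_value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_device_admins(dumpsys_text: str) -> set[str]:
    """Packages holding device-admin receivers, assumed to appear in
    'dumpsys device_policy' as 'admin=ComponentInfo{pkg/pkg.Receiver}'."""
    return set(re.findall(r"ComponentInfo\{([\w.]+)/", dumpsys_text))


def triage(packages: list[str], accessibility: str, dumpsys: str) -> dict:
    """Return findings; 'known_ioc' is a definite hit, the rest warrant review."""
    installed = set(packages)
    acc = parse_accessibility(accessibility)
    admins = parse_device_admins(dumpsys)
    return {
        "known_ioc": sorted(installed & STURNUS_PACKAGES),
        "unlisted_accessibility": sorted(acc - ALLOWED_PRIVILEGED),
        "unlisted_device_admin": sorted(admins - ALLOWED_PRIVILEGED),
        # One unlisted package holding both grants matches the profile above.
        "both_grants": sorted((acc & admins) - ALLOWED_PRIVILEGED),
    }


# Constructed sample output (not captured from a real device).
SAMPLE_PACKAGES = ["com.android.settings", "com.android.chrome", "com.klivkfbky.izaybebnx"]
SAMPLE_ACCESSIBILITY = "com.google.android.marvin.talkback/.TalkBackService:com.klivkfbky.izaybebnx/.AccService"
SAMPLE_DUMPSYS = "Current Device Policy Manager state:\n  admin=ComponentInfo{com.klivkfbky.izaybebnx/com.klivkfbky.izaybebnx.AdminReceiver}\n"

if __name__ == "__main__":
    print(triage(SAMPLE_PACKAGES, SAMPLE_ACCESSIBILITY, SAMPLE_DUMPSYS))
```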
Techniques & procedures
4 distinct techniques documented for this family, organized by ATT&CK tactic:
- Persistence: 1 technique
- Privilege Escalation: 1 technique
- Credential Access: 2 techniques
Recent activity
11 sources tracked across advisories, community write-ups, and news. Summaries of the tracked sources:
- Android banking trojan enabling credential theft and device takeover; captures content from the screen after decryption to bypass encrypted messaging protections.
- Android malware that intercepts decrypted messages from messaging apps such as WhatsApp, Telegram, and Signal.
- An Android banking trojan with capabilities to steal banking credentials and dump chats from secure messaging apps.
- Sturnus is a mobile banking malware that bypasses encryption in messaging apps like WhatsApp, Telegram, and Signal to steal sensitive information.