Sturnus Android Banking Trojan Enables Device Takeover and Encrypted Chat Theft
A newly discovered Android banking trojan named Sturnus targets financial institutions in Europe and shows capabilities well beyond typical mobile malware. Because it abuses Android Accessibility services to read whatever is rendered on screen, it can capture messages from end-to-end encrypted apps such as Signal, WhatsApp, and Telegram after they have been decrypted on the device: the apps' encryption is not broken, but the endpoint is compromised, so the protection no longer matters. The malware also enables full device takeover, credential theft through region-specific HTML overlays, and real-time remote control over VNC sessions. Infection typically begins with a malicious APK disguised as a legitimate app such as Google Chrome or Preemix Box; once installed, the malware uses the same Accessibility privileges to monitor user activity, capture keystrokes, and manipulate the device interface.
Sturnus talks to its command-and-control infrastructure over a mix of plaintext, RSA-protected, and AES-encrypted channels, which it uses for both data exfiltration and live monitoring. On installation it registers the victim device with the server through a cryptographic exchange and then requests Device Administrator privileges, which let it observe password changes, lock the device, and maintain persistence (an active device admin cannot be uninstalled until its admin rights are revoked). The trojan is under active development and is believed to be distributed via malvertising or direct messages; researchers describe it as privately operated and still in an evaluation phase. They warn that Sturnus is a significant escalation in Android banking malware sophistication, particularly because it defeats encrypted messaging protections at the endpoint and facilitates financial fraud.
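The two privileges the summary describes, an enabled accessibility service and Device Administrator rights, are both visible from adb, so a quick triage check for a suspect handset is to enumerate them and flag any package that holds either without being on an allowlist. The script below is an added example written for this page, not ThreatFabric's code or anything from the Sturnus sample; it parses constructed copies of the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`. The package name com.example.fakechrome, the allowlist contents, and the exact dumpsys layout are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Android stores this as ':'-separated flattened ComponentName strings (pkg/class).
# com.example.fakechrome is a hypothetical sideloaded package, not a real indicator.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakechrome/com.example.fakechrome.AccService"
)

# Constructed excerpt of `adb shell dumpsys device_policy`. The layout below is what
# recent Android builds print for enabled admins, but treat it as an assumption and
# adjust the regex if your build formats the section differently.
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.android.managedprovisioning/com.android.managedprovisioning.DeviceAdminReceiver}:
      uid=10040
      testOnlyAdmin=false
    ComponentInfo{com.example.fakechrome/com.example.fakechrome.AdminReceiver}:
      uid=10223
      testOnlyAdmin=false
  Enabled Device Admins (User 10, provisioningState: 0):
"""

# Packages expected to hold these powers on this (illustrative) fleet; maintain your own.
KNOWN_GOOD = {
    "com.google.android.marvin.talkback",   # TalkBack screen reader
    "com.android.managedprovisioning",      # platform provisioning component
}

# Every ComponentInfo{pkg/class} in the dump; on a managed device this also picks up
# the device or profile owner, which is an admin too and belongs on the allowlist.
_ADMIN_RE = re.compile(r"ComponentInfo\{([^/}]+)/[^}]*\}")


def parse_accessibility(raw: str) -> List[str]:
    """Return package names with an enabled accessibility service (order preserved)."""
    raw = raw.strip()
    if not raw or raw == "null":        # `settings get` prints "null" when unset
        return []
    return [entry.split("/", 1)[0] for entry in raw.split(":") if entry]


def parse_device_admins(raw: str) -> List[str]:
    """Return package names listed as device admins in dumpsys device_policy output."""
    return _ADMIN_RE.findall(raw)


def suspicious_packages(accessibility_raw: str, device_policy_raw: str,
                        allowlist=KNOWN_GOOD) -> Dict[str, List[str]]:
    """Map each non-allowlisted package to the sensitive privileges it holds."""
    a11y = set(parse_accessibility(accessibility_raw))
    admins = set(parse_device_admins(device_policy_raw))
    findings: Dict[str, List[str]] = {}
    for pkg in sorted((a11y | admins) - set(allowlist)):
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        if pkg in admins:
            reasons.append("device administrator enabled")
        findings[pkg] = reasons
    return findings


def holds_both(findings: Dict[str, List[str]]) -> List[str]:
    """Packages with accessibility AND device-admin rights: the combination the report describes."""
    return [pkg for pkg, reasons in findings.items() if len(reasons) == 2]


if __name__ == "__main__":
    found = suspicious_packages(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY)
    for pkg, reasons in found.items():
        print(f"{pkg}: {', '.join(reasons)}")
    for pkg in holds_both(found):
        print(f"HIGH PRIORITY: {pkg} holds both privileges; pull the APK for analysis")
```

On a live device, pipe the two adb commands into the parsers instead of the constructed strings. A package that appears in both lists, as the hypothetical com.example.fakechrome does here, matches the privilege combination described above and should be pulled with `adb pull` for analysis before the device is wiped. Legitimate screen readers and enterprise MDM agents will show up in the same lists, which is why the allowlist exists; an empty finding set is not proof of a clean device, only that neither of these two privileges is held by an unexpected package.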

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Researchers warn Sturnus may be preparing for broader deployment
Analysis published with the discovery said Sturnus was being distributed in low volumes and appeared to be in an evaluation phase, but its modular design and existing bank-targeting templates suggested operators were preparing for a larger campaign. Reports also noted its use of plaintext, AES, and RSA-protected communications with command-and-control infrastructure.
Analysis links Sturnus to financial fraud targeting banks in Central and Southern Europe
Researchers reported that Sturnus includes region-specific banking overlays aimed at financial institutions in Southern and Central Europe, indicating a focus on banking credential theft and transaction fraud. The malware was said to support remote control through VNC-like capabilities and conceal attacker actions with full-screen overlays.
Researchers reveal Sturnus can capture decrypted chats from messaging apps
Public reporting disclosed that Sturnus can access message content from Signal, WhatsApp, and Telegram after decryption on the device, effectively bypassing end-to-end encryption protections at the endpoint. The malware was also described as capable of screen capture, UI monitoring, and remote interaction with the victim device.
ThreatFabric discovers the Sturnus Android banking trojan
ThreatFabric identified a new Android banking trojan dubbed Sturnus that steals banking credentials, abuses Android accessibility features, and can take near-total control of infected devices. Researchers assessed it as being in development or limited testing rather than a fully scaled campaign.
Sources
7 references tracked.
Sturnus Trojan Bypasses WhatsApp/Signal Encryption & Takes Over Android Devices
securityonline.info
Mobile Security & Malware Issue, 3rd Week of November 2025
asec.ahnlab.com
New Sturnus Android Malware Reads WhatsApp, Telegram, Signal Chats via Accessibility Abuse
hackread.com
Multi-threat Android malware Sturnus steals Signal, WhatsApp messages
bleepingcomputer.com
Sturnus: New Android banking trojan targets WhatsApp, Telegram, and Signal
securityaffairs.com
New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices
thehackernews.com
New Android malware can capture private messages, researchers warn
therecord.media