Emergence of Sturnus Android Banking Malware and General Mobile Spyware Threats
A new Android banking malware named Sturnus has been identified by security researchers, exploiting Android’s accessibility features to stealthily monitor user activity, intercept chats, and recreate fake banking app interfaces to steal sensitive financial data. The malware is distributed via malicious APK files outside the Google Play Store and can prevent its own uninstallation, raising the risk for users who sideload apps. Google has stated that no apps containing Sturnus have been found on the Play Store and that Google Play Protect provides automatic protection against known variants, but users are still advised to exercise caution when installing apps from untrusted sources.
More broadly, spyware remains a significant threat to mobile device users, with various forms capable of tracking, recording, and stealing data from both iOS and Android phones. Spyware can be disguised as legitimate applications or delivered through phishing, and may include nuisanceware that focuses on ad revenue or more dangerous variants like stalkerware. Users are encouraged to watch for unusual device behavior, unknown apps, or data spikes, and to use antivirus tools, keep devices updated, and avoid untrusted app sources to mitigate these risks.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
ZDNet publishes guidance on detecting and removing phone spyware
ZDNet published an overview of smartphone spyware risks, including stalkerware and advanced surveillance tools, and outlined warning signs, mitigation steps, and the limits of factory resets against sophisticated infections. The article also noted ongoing platform efforts by Google and Apple to remove malicious apps and improve device security.
Android Authority reports on Sturnum Android banking malware
Android Authority published a report about Sturnum, describing it as new Android banking malware capable of stealthily compromising phones for banking fraud. The reference indicates the malware was active and notable enough to warrant a security warning to users.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Sturnus Android Banking Trojan Enables Device Takeover and Encrypted Chat Theft
A newly discovered Android banking trojan named **Sturnus** has emerged, targeting financial institutions in Europe and demonstrating advanced capabilities beyond typical mobile malware. Sturnus can capture messages from end-to-end encrypted messaging apps such as Signal, WhatsApp, and Telegram by accessing content after decryption directly from the device screen. The malware also enables full device takeover, credential theft through region-specific HTML overlays, and real-time remote control via VNC sessions. Infection typically begins with malicious APKs disguised as legitimate apps like Google Chrome or Preemix Box, and the malware abuses Android Accessibility services to monitor user activity, capture keystrokes, and manipulate the device interface. Sturnus communicates with its command-and-control infrastructure using a combination of plaintext, RSA, and AES-encrypted channels, establishing secure connections for both data exfiltration and live monitoring. Once installed, it registers the victim device through a cryptographic exchange and can obtain Device Administrator privileges, allowing it to track password changes, lock the device, and maintain persistence. The trojan is currently under active development and is believed to be distributed via malvertising or direct messages, with researchers noting its private operation and ongoing evaluation phase. Security experts warn that Sturnus represents a significant escalation in Android banking malware sophistication, particularly due to its ability to bypass encrypted messaging protections and facilitate financial fraud.
Mar 21, 2026
Surge in Android Malware and Pre-Installed Threats Targeting Mobile Users
Multiple security researchers have reported a significant escalation in Android-targeted threats, including the discovery of new malware families, pre-installed trojans, and spyware on both counterfeit and budget smartphones. The Triada trojan continues to be found pre-installed on counterfeit Android devices, granting attackers full device control and enabling credential theft, botnet enrollment, and unauthorized access to sensitive apps. In parallel, certain budget Samsung phones have reportedly shipped with an unremovable system app, AppCloud, described as spyware that collects sensitive user data and cannot be removed without voiding the warranty. These findings highlight the persistent risks associated with purchasing devices from untrusted sources and the growing sophistication of supply chain threats. The overall threat landscape for Android users has intensified in 2025, with a marked increase in malware, adware, and potentially unwanted program (PUP) detections. Attackers are shifting from nuisance apps to more covert tools capable of harvesting data, intercepting messages, and facilitating account takeovers. The rise in SMS-based attacks and the integration of advanced capabilities, such as one-time passcode theft, underscore the need for heightened vigilance and robust mobile security practices. Security experts emphasize the importance of verifying device integrity, using only official firmware, and implementing strict security policies to mitigate these evolving threats.
Mar 21, 2026
Emergence of Advanced Android Malware Targeting App Stores and Banking Credentials
A new wave of Android malware is leveraging sophisticated techniques to evade detection and compromise user devices. The Cellik malware-as-a-service (MaaS) platform enables cybercriminals to create trojanized versions of legitimate Google Play Store apps, embedding malicious payloads while preserving the original app's interface and functionality. This approach allows attackers to bypass security controls such as Play Protect and remain undetected for extended periods. Cellik offers features including real-time screen streaming, notification interception, filesystem browsing, data exfiltration, and a hidden browser mode for session hijacking, all managed through an encrypted command-and-control channel. In parallel, other Android malware campaigns such as NexusRoute and FvncBot are targeting users by impersonating trusted government and banking applications. NexusRoute focuses on Indian citizens by distributing fake mParivahan and e-Challan apps through phishing sites and GitHub repositories, enabling credential theft, device surveillance, and unauthorized financial transactions. FvncBot, meanwhile, disguises itself as a banking-security app and exploits accessibility and VNC features to capture keystrokes, stream screens, and inject fraudulent transactions within genuine banking apps. These developments highlight the increasing sophistication and commercial availability of Android malware, posing significant risks to mobile users and financial institutions alike.
Mar 21, 2026