New Android Trojan ‘Sturnus’ Threatens Banking Security by Stealing Credentials and Reading Encrypted Chats

24 December 2025 Technology

WASHINGTON, D.C. — A newly discovered Android banking trojan named Sturnus is emerging as one of the most dangerous mobile threats in recent memory, capable of stealing banking credentials, reading encrypted messages, and remotely controlling infected devices with alarming stealth. Cybersecurity researchers warn that while still in early development, Sturnus already operates like fully mature malware, silently compromising victims’ phones and financial data.

Sturnus targets users through deceptive overlays that mimic legitimate banking apps downloaded from the Google Play Store, tricking victims into entering their login credentials. These credentials are instantly relayed to attackers via embedded web components, allowing cybercriminals to access bank accounts within seconds. Beyond credential theft, the malware exploits Android’s Accessibility Service to implement an aggressive keylogging function, capturing every keystroke and monitoring which apps are active. This enables attackers to reconstruct user activity even when apps attempt to block screenshots or other forms of direct data capture.
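Because the keylogging described above depends on an Accessibility Service the victim was tricked into enabling, a quick triage step for defenders is to compare the device's enabled accessibility services against a known-good list. The helper below is an added example, not code from the article or from ThreatFabric; it assumes the value was captured with `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of component names, or `null`), and the allowlist and sample entries are hypothetical placeholders, not real Sturnus indicators.

```shell
#!/bin/sh
# Added triage helper: report enabled Android accessibility services that
# are not on a known-good allowlist. On a connected device the raw value is
# obtained with:
#   adb shell settings get secure enabled_accessibility_services
# which prints colon-separated component names, or "null" when none.

# Hypothetical allowlist of services your fleet is expected to have enabled.
ALLOWED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Print each enabled service that is not on the allowlist, one per line.
# $1 is the raw settings value captured from the device.
flag_unknown_services() {
    raw="$1"
    [ "$raw" = "null" ] && return 0   # no services enabled at all
    [ -z "$raw" ] && return 0
    echo "$raw" | tr ':' '\n' | while IFS= read -r svc; do
        [ -z "$svc" ] && continue
        case ":$ALLOWED:" in
            *":$svc:"*) ;;               # known-good, ignore
            *) printf '%s\n' "$svc" ;;   # unexpected service, report it
        esac
    done
}

# Constructed sample value for offline use; the second component is a
# placeholder package name, not a real indicator from the report.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.placeholder/.HelperService"

flag_unknown_services "$SAMPLE"
```

Any component the script reports should be investigated, and on a managed fleet the same check can be fed from an MDM inventory instead of adb.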

Perhaps most concerning is Sturnus’s ability to read messages from popular encrypted chat applications such as WhatsApp, Telegram, and Signal. Although these apps use end-to-end encryption to protect messages during transmission, Sturnus waits for the phone itself to decrypt messages locally and then captures the text directly from the screen. This method bypasses network encryption without breaking it, exposing private conversations to attackers.

In addition to data theft, Sturnus includes a full remote control capability, allowing attackers to stream the victim’s screen live and manipulate the device remotely. This includes precise taps, text injections, scrolling, and even granting permissions—all without alerting the user. To maintain persistence, the malware gains Device Administrator privileges, preventing users from uninstalling it. Attempts to access settings to remove the malware are thwarted as Sturnus detects and immediately redirects users away from critical system pages.

The malware’s operators also monitor device conditions such as battery state, SIM card changes, developer mode activation, and network environment to evade forensic investigations and adjust their behavior accordingly. Data collected is sent to command-and-control servers using encrypted channels, ensuring ongoing control and stealth.

Experts from cybersecurity firm ThreatFabric, who analyzed Sturnus, emphasize the importance of vigilance and recommend users only download apps from trusted sources and keep devices updated with the latest security patches. The Cybersecurity and Infrastructure Security Agency (CISA) has issued warnings about banking trojans like Sturnus and urges users to enable multi-factor authentication and monitor financial accounts for suspicious activity.

Google’s Android Security Team continues to improve detection methods against such threats, but the evolving sophistication of malware like Sturnus poses ongoing challenges. The Federal Bureau of Investigation’s Cyber Division encourages victims of banking malware to report incidents promptly to help track and disrupt criminal networks.

As mobile banking becomes increasingly ubiquitous, the emergence of trojans like Sturnus highlights the critical need for comprehensive mobile security awareness. Users should remain cautious of unsolicited app downloads and suspicious links, regularly review app permissions, and consider installing reputable mobile security software to mitigate risks.

Written By
Maya Chen reports on international politics, conflict and diplomacy. She specializes in explaining how global events shape U.S. security, trade and migration, and how decisions made abroad ripple into life at home.