How Sturnus Android Trojan Steals Your Encrypted Chats and Hijacks Your Device

  • Nov 20, 2025

Key Findings


  • New Android banking trojan called Sturnus enables credential theft and full device takeover for financial fraud

  • Key differentiator is its ability to bypass the encryption of messaging apps such as WhatsApp, Telegram, and Signal

  • Captures content directly from the device screen after the app has decrypted it, allowing monitoring of private communications

  • Stages overlay attacks to steal banking credentials and leverages accessibility services for extensive device control

  • Blocks uninstallation attempts and maintains persistent administrative rights on infected devices

  • Tailored for targeted attacks against financial institutions in Southern and Central Europe


Background


Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. This malware stands out for its ability to bypass encrypted messaging apps, allowing the attackers to monitor supposedly private communications.


Bypassing Encrypted Messaging


A key feature of Sturnus is its capability to bypass the encryption used by popular messaging apps like WhatsApp, Telegram, and Signal. Instead of attempting to break the network encryption, the trojan leverages the Android Accessibility Service to capture screen content after the legitimate app has decrypted it for the user. This gives the attacker a direct, real-time view into private conversations, contacts, and message content.
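Because the trojan relies on the Accessibility Service rather than breaking any encryption, the defensive check is to audit which packages hold that access on a device. The following is an added example (not from the original report or its sources): it reads the `enabled_accessibility_services` secure setting over adb and flags any component that is not on a local allowlist. It assumes adb is on PATH with one device attached; the allowlist entry and the `--run` flag are constructed for this example.

```shell
#!/bin/sh
# Audit accessibility-service grants on an Android device. Added example; the
# allowlist below is a constructed sample, not a vetted list.

# Known-good accessibility services, one ComponentName (pkg/class) per line.
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Given the raw value of the 'enabled_accessibility_services' setting
# (a colon-separated list of ComponentNames, or "null"/empty when none are
# enabled), print every component that is not on the allowlist.
flag_unknown_services() {
    raw="$1"
    case "$raw" in
        ""|null) return 0 ;;
    esac
    printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r component; do
        [ -n "$component" ] || continue
        # -x: whole-line match, -F: literal string (component names contain '.')
        if ! printf '%s\n' "$ALLOWLIST" | grep -qxF -- "$component"; then
            printf '%s\n' "$component"
        fi
    done
}

# Pull the live setting from the attached device and report findings.
# Returns 1 when at least one unexpected service is enabled.
audit_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    unknown=$(flag_unknown_services "$raw")
    if [ -n "$unknown" ]; then
        echo "Accessibility services not on the allowlist (review each package):"
        printf '  %s\n' $unknown
        return 1
    fi
    echo "No unexpected accessibility services enabled."
}

# Only talk to a device when explicitly asked, so the functions can be sourced.
if [ "${1:-}" = "--run" ]; then
    audit_device
fi
```

Run as `sh accessibility_audit.sh --run`; any package listed that the user did not knowingly grant accessibility access to deserves a closer look, since that grant is what makes the screen-scraping described above possible.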


Overlay Attacks and Device Takeover


Sturnus is also designed for comprehensive fraud. It can harvest banking credentials using convincing fake login screens, known as "overlay attacks". The malware also grants attackers extensive remote control over the infected device, allowing them to observe all user activity and even "black out the device screen while executing fraudulent transactions in the background—without the victim's knowledge".


Persistence and Evasion


The trojan ensures its persistence by abusing Android Device Administrator privileges. It actively monitors for attempts to revoke that status and automatically navigates away from the settings screen to block the removal. Additionally, its command-and-control connection uses a complex mix of protocols and strong encryption, enabling real-time control and dynamic adaptation of tactics.


Targeted Approach


Sturnus is specifically configured to target financial institutions across Southern and Central Europe. This suggests the attackers are refining their tooling ahead of a broader or more coordinated campaign in the region.


Sources


  • https://thehackernews.com/2025/11/new-sturnus-android-trojan-quietly.html

  • https://securityonline.info/sturnus-trojan-bypasses-whatsapp-signal-encryption-takes-over-android-devices/

  • https://x.com/shah_sheikh/status/1991476928251884004

  • https://radar.offseq.com/threat/new-sturnus-android-trojan-quietly-captures-encryp-4fcb76b0

  • https://www.youtube.com/watch?v=UBo1Klq-Ung

  • https://www.reddit.com/r/pwnhub/comments/1p26kin/new_sturnus_android_trojan_steals_credentials_and/

© 2025 by Explain IT Again. Powered and secured by Wix