New Sturnus Banking Trojan Targets WhatsApp, Telegram, and Signal

  • Nov 21, 2025

Key Findings


  • Sturnus is a new Android banking trojan with full device-takeover capabilities

  • It targets secure messaging apps like WhatsApp, Telegram, and Signal to bypass encryption and steal sensitive data

  • Sturnus employs sophisticated techniques like HTML overlays and accessibility-based keylogging to capture on-screen content, including messages, contacts, and credentials

  • The malware enables remote control of infected devices through screen mirroring and a structured UI mapping system

  • Sturnus strengthens persistence by securing device administrator rights and monitoring system changes to evade detection


Background


Sturnus is a new and highly capable Android banking trojan that has emerged as a significant threat, particularly for users of secure messaging applications like WhatsApp, Telegram, and Signal. Discovered by the cybersecurity firm ThreatFabric, this malware is designed to bypass the end-to-end encryption used by these communication platforms and steal sensitive user data.


Bypassing Encryption


Sturnus employs two linked mechanisms to steal data from secure messaging apps: HTML overlays and accessibility-based keylogging. The malware stores phishing templates for the banking apps it targets and displays them via a WebView, capturing all user input and sending it to the command-and-control server. After exfiltration, it disables the overlay it used to avoid detection.


Additionally, Sturnus uses its Accessibility Service to log text changes, clicks, focus shifts, and full UI-tree updates, allowing operators to reconstruct user actions even when screen capture is blocked. This lets the malware read messages, contacts, and conversation threads in real time, effectively sidestepping end-to-end encryption.


Remote Control and Persistence


Sturnus enables full remote control of infected devices through two complementary methods: real-time screen mirroring and a fallback system that builds screenshots from Accessibility events. The malware also sends a structured map of on-screen elements, tracking user interactions without using images, which reduces bandwidth usage and avoids detection.


To strengthen its persistence, Sturnus secures Device Administrator rights, monitors unlock events, blocks attempts to revoke privileges, and prevents removal. It also profiles sensors, hardware, and networks to adapt its tactics, evade analysis, and maintain long-term control of the device.
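The two Android privileges this write-up names, an enabled accessibility service and Device Administrator rights, are both visible from adb, so a triage check can list which packages hold them. The following Python is an added example (not code from the report or from ThreatFabric): it parses the output of `settings get secure enabled_accessibility_services` and `dumpsys device_policy` and flags any package outside an allowlist that holds either privilege. The sample values and package names are constructed, and the `dumpsys device_policy` layout is an assumption.

```python
import re

# Constructed sample values for this example (not taken from the Sturnus report).
# Shape of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries, or the literal string "null".
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.dropper/com.example.dropper.AccService"
)

# Excerpt in the assumed layout of `adb shell dumpsys device_policy`.
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.android.managedprovisioning/com.android.managedprovisioning.AdminReceiver:
      uid=1000
    com.example.dropper/com.example.dropper.AdminReceiver:
      uid=10217
"""

# Packages the organisation has vetted; anything else holding a privilege is flagged.
TRUSTED_PACKAGES = {"com.google.android.marvin.talkback", "com.android.managedprovisioning"}

def parse_accessibility_services(setting):
    """Return package names that have an enabled accessibility service."""
    if not setting or setting.strip() == "null":
        return []
    return [entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry]

def parse_device_admins(dump):
    """Return package names listed under 'Enabled Device Admins' in the dump."""
    admins, in_section = [], False
    for line in dump.splitlines():
        if line.strip().startswith("Enabled Device Admins"):
            in_section = True
        elif in_section:
            m = re.match(r"^\s+([\w.]+)/[\w.$]+:\s*$", line)  # "pkg/AdminReceiver:"
            if m:
                admins.append(m.group(1))
    return admins

def find_untrusted(accessibility_setting, device_policy_dump, trusted=TRUSTED_PACKAGES):
    """Map each non-allowlisted package to the privileges it holds; a package holding
    both is the combination the write-up describes and should be triaged first."""
    acc = set(parse_accessibility_services(accessibility_setting))
    adm = set(parse_device_admins(device_policy_dump))
    return {
        pkg: [name for name, held in (("accessibility", pkg in acc), ("device_admin", pkg in adm)) if held]
        for pkg in sorted((acc | adm) - set(trusted))
    }
```

For a live device, pass the raw output of the two adb commands above to `find_untrusted` in place of the constructed samples.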


Conclusion


Sturnus represents a sophisticated and comprehensive threat, implementing multiple attack vectors that provide attackers with near-complete control over infected devices. The combination of overlay-based credential theft, message monitoring, extensive keylogging, real-time screen streaming, remote control, and comprehensive environmental monitoring creates a dangerous threat to victims' financial security and privacy.


Sources


  • https://securityaffairs.com/184878/cyber-crime/sturnus-new-android-banking-trojan-targets-whatsapp-telegram-and-signal.html

  • https://hackread.com/eternidade-stealer-whatsapp-steal-banking-data/

  • https://www.securityweek.com/new-sturnus-banking-trojan-targets-whatsapp-telegram-signal-messages/

  • https://www.bleepingcomputer.com/news/security/multi-threat-android-malware-sturnus-steals-signal-whatsapp-messages/

  • https://x.com/olubunmifadiora/status/1991560867335319952

© 2025 by Explain IT Again. Powered and secured by Wix