WhatsApp and Telegram are two of the most widely used instant messaging platforms globally, relied on by billions for secure communication. However, a new Android banking trojan called Sturnus has raised significant alarm by showing that this protection can be sidestepped on the device itself. According to ThreatFabric, as reported by The Hacker News, Sturnus does not break the encryption; it captures screen content after the app has already decrypted it. This allows it to monitor chats on WhatsApp, Telegram, and Signal. The malware is even more dangerous because it can perform overlay attacks, displaying fake login screens over legitimate banking apps to steal user credentials. Currently, Sturnus is in its evaluation phase and has been spread through malicious apps disguised as Google Chrome and Preemix Box.

Sturnus Trojan: Advanced Overlays, Device Control, and Stealth Attacks
Sturnus is engineered to target financial institutions across Southern and Central Europe using region-specific overlays tailored to each bank. The malware's communication methods, a mix of plaintext, RSA, and AES encryption, mirror the vocal mimicry of the European Starling (Sturnus vulgaris), from which its name is derived. Once installed, the trojan communicates with remote servers over HTTP and WebSocket channels, registering the infected device and receiving encrypted commands. It also opens a WebSocket channel for live control of the compromised phone through Virtual Network Computing (VNC), enabling attackers to interact with the device in real time.
Beyond credential theft, Sturnus abuses Android's accessibility services to record UI interactions, capture keystrokes, and steal chat content whenever messaging apps are opened. It can also display a deceptive full-screen overlay mimicking a system update screen to hide its background activity. The malware is very difficult to remove: until its device administrator rights are manually revoked, it cannot be uninstalled, even with ADB tools. This gives attackers prolonged, undetected access to the victim's device, enabling large-scale financial fraud.
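Because the two persistence and spying mechanisms described above (an enabled accessibility service and device administrator rights) are both visible through ADB, a defender can triage a suspect phone by listing them and flagging any package that is not expected. The following script is an added example, not code from the article or from ThreatFabric; it assumes adb is in PATH, USB debugging is enabled, the allowlist packages are illustrative, and the `ComponentInfo{package/receiver}` lines in `dumpsys device_policy` output follow the AOSP format.

```shell
#!/bin/sh
# Triage helper: report accessibility services and device admins that are not
# on an allowlist of packages expected to hold those privileges.

# Illustrative allowlist (assumed); adjust to the packages your fleet expects.
ALLOWLIST="com.google.android.marvin.talkback com.android.settings"

# Print package $1 unless it is on the allowlist.
flag_if_unexpected() {
    case " $ALLOWLIST " in
        *" $1 "*) ;;          # expected holder of the privilege
        *) echo "$1" ;;       # unexpected: investigate this package
    esac
}

# Input: raw value of the secure setting enabled_accessibility_services,
# a colon-separated list of "package/serviceclass" entries.
flag_a11y_services() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r entry; do
        [ -n "$entry" ] || continue
        flag_if_unexpected "${entry%%/*}"
    done
}

# Input: text of `dumpsys device_policy`; enabled admins are listed as
# ComponentInfo{package/receiver} lines (format assumed from AOSP output).
flag_device_admins() {
    printf '%s\n' "$1" | grep -o 'ComponentInfo{[^}]*}' \
        | sed 's|ComponentInfo{\([^/]*\)/.*}|\1|' | sort -u \
        | while IFS= read -r pkg; do flag_if_unexpected "$pkg"; done
}

# Pull both settings from a connected device and run the checks.
triage_device() {
    a11y="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    if [ "$a11y" = "null" ]; then a11y=""; fi   # setting unset on a clean device
    echo "== unexpected accessibility services =="
    flag_a11y_services "$a11y"
    echo "== unexpected device admins =="
    flag_device_admins "$(adb shell dumpsys device_policy | tr -d '\r')"
}
```

Any package reported under both headings deserves a close look, since that combination is exactly what lets a trojan like Sturnus read screen content and resist uninstallation.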
Sturnus: A Dangerous Fraud Engine with Growing Reach
The potential damage caused by Sturnus is extremely high, as it is not just a surveillance tool but a complete fraud engine capable of draining bank accounts. While its spread currently appears limited, experts warn that it could rapidly expand. Users can protect themselves by never installing apps from unverified or unknown sources, being cautious of excessive permission requests, and enabling banking alerts to detect suspicious activity immediately.
Summary:
Sturnus is a powerful Android banking trojan that bypasses encrypted messaging, steals credentials through screen capture and fake overlays, and gives attackers full device control. It targets European banks, abuses accessibility services, and is difficult to remove. Though its spread is limited, experts warn of rapid expansion, urging strict app-installation caution.
