Sturnus Trojan: The new banking malware for Android that spies on WhatsApp and controls your phone

Last update: 26/11/2025

  • Sturnus is a banking trojan for Android that steals credentials and intercepts messages from encrypted apps like WhatsApp, Telegram, and Signal.
  • It abuses the Android Accessibility Service to read everything on the screen and control the device remotely using VNC-type sessions.
  • It is distributed as a malicious APK that masquerades as well-known apps (e.g., Google Chrome) and primarily targets banks in Central and Southern Europe.
  • It uses encrypted communications (HTTPS, RSA, AES, WebSocket) and requests administrator privileges to remain persistent and complicate its removal.

A new banking Trojan for Android called Sturnus has set off alarms in the European cybersecurity sector. This malware is not only designed to steal financial credentials; it is also capable of reading WhatsApp, Telegram, and Signal conversations and taking almost complete control of the infected device.

The threat, identified by researchers from ThreatFabric and analysts cited by BleepingComputer, is still in an early deployment phase but already demonstrates an unusual level of sophistication. Although the campaigns detected so far are limited, experts fear they are tests before a larger-scale offensive against mobile banking users in Central and Southern Europe.

What is Sturnus and why is it causing so much concern?


Sturnus is a banking trojan for Android which combines several dangerous capabilities into a single package: theft of financial credentials, spying on encrypted messaging apps, and remote control of the phone using advanced accessibility techniques.

According to the technical analysis published by ThreatFabric, the malware is developed and operated by a private company with a clearly professional approach. Although the code and infrastructure still appear to be evolving, the analyzed samples are fully functional, indicating that the attackers are already testing the Trojan on real victims.

The researchers indicate that, for now, the detected targets are concentrated among clients of European financial institutions, especially in the central and southern parts of the continent. This focus is evident in the fake templates and screens integrated into the malware, which are specifically designed to mimic the appearance of local banking applications.


This combination of regional focus, high technical sophistication and a testing phase makes Sturnus look like an emerging threat with growth potential, similar to previous banking trojan campaigns that started discreetly and ended up affecting thousands of devices.

How it spreads: fake apps and covert campaigns


The distribution of Sturnus relies on malicious APK files that masquerade as legitimate and popular apps. The researchers have identified packages that mimic, among others, Google Chrome (with obfuscated package names like com.klivkfbky.izaybebnx) or seemingly harmless apps like Preemix Box (com.uvxuthoq.noscjahae).

Although the exact distribution method has not yet been determined with certainty, the evidence points to phishing campaigns and malicious ads, as well as private messages sent through messaging platforms. These messages redirect to fraudulent websites where the user is invited to download supposed updates or utilities that are, in reality, the Trojan installer.

Once the victim installs the fraudulent application, Sturnus requests Accessibility permissions and, in many cases, device administrator privileges. These requests are disguised as seemingly legitimate messages claiming they are necessary to provide advanced features or improve performance. When the user grants these critical permissions, the malware gains the ability to see everything that happens on screen, interact with the interface, and block its own uninstallation through the usual channels, which is why it is crucial to know how to remove malware from Android.

Theft of banking credentials through overlay screens

Generic representation of Sturnus malware on Android

One of Sturnus' classic, yet still very effective, functions is the use of overlay attacks to steal banking data. This technique involves showing fake screens over legitimate apps, faithfully mimicking the interface of the victim's bank app.

When the user opens their banking app, the Trojan detects the event and displays a fake login or verification window requesting username, password, PIN or card details. For the affected person, the experience seems completely normal: the visual appearance replicates the logos, colors, and texts of the real bank.


As soon as the victim enters the information, Sturnus sends the credentials to the attackers' server using encrypted channels. Shortly after, it can close the fraudulent screen and return control to the real app, so the user notices at most a slight delay or some strange behavior, which often goes unnoticed. After such a theft, it is crucial to check whether your bank account has been hacked.

Additionally, the Trojan is capable of recording keystrokes and activity within other sensitive applications, which expands the type of information it can steal: from passwords for online services to verification codes sent by SMS or messages from authentication apps.

How to spy on WhatsApp, Telegram, and Signal messages without breaking encryption


The most unsettling aspect of Sturnus is its ability to read conversations in messaging apps that use end-to-end encryption, such as WhatsApp, Telegram (in its encrypted chats), or Signal. At first glance, it might seem that the malware has managed to compromise the cryptographic algorithms, but the reality is more subtle and more worrying.

Instead of attacking the transmission of messages, Sturnus leverages the Android Accessibility Service to monitor the applications displayed in the foreground. When it detects that the user has opened one of these messaging apps, the Trojan simply reads the content that appears on the screen directly.

In other words, it does not break the encryption in transit: it waits for the application itself to decrypt the messages and display them to the user. At that moment, the malware can access the text, contact names, conversation threads, incoming and outgoing messages, and even other details present in the interface.

This approach allows Sturnus to completely bypass end-to-end encryption protection without needing to break it mathematically. For the attackers, the phone acts as an open window that reveals information that, in theory, should remain private even from intermediaries and service providers.


Protection measures for Android users in Spain and Europe


Faced with threats like Sturnus, security experts recommend reinforcing several basic habits in daily mobile phone use:

  • Avoid installing APK files obtained outside the official Google store, unless they come from fully verified sources and are strictly necessary.
  • Carefully review the permissions requested by applications. Any app that requests access to the Accessibility Service without a very clear reason should raise red flags.
  • Be wary of requests for device administrator privileges, which in most cases are not necessary for the normal functioning of a standard app.
  • Keep Google Play Protect and other security solutions active, update the operating system and installed apps regularly, and periodically review the list of applications with sensitive permissions.
  • Be attentive to strange behaviors (suspicious bank screens, unexpected credential requests, sudden slowdowns) and act immediately at any warning sign.

In case of suspected infection, one possible response is to manually revoke administrator and accessibility privileges from the system settings and uninstall any unknown apps. If the device continues to show symptoms, it may be necessary to back up essential data and perform a factory reset, restoring only what is absolutely necessary.
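As an added example, not code from the article, ThreatFabric or BleepingComputer, the following POSIX shell helper supports the permission review and the remediation step above: it triages the value of the Android secure setting that lists enabled accessibility services (readable over a debug bridge with `adb shell settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` entries). Any service whose package is not on an owner-maintained allowlist is reported for manual review, and the two package names the article attributes to Sturnus samples are flagged explicitly. The allowlist and the sample setting value are constructed assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: triage enabled Android accessibility services.
# Input format (from "settings get secure enabled_accessibility_services"):
#   pkg1/ServiceClass:pkg2/ServiceClass:...

# Assumed allowlist of accessibility packages the device owner recognises
# (sample values; adjust to the device in question).
ALLOWED_PACKAGES="com.google.android.marvin.talkback com.android.talkback"

# Package names the article reports for Sturnus samples.
KNOWN_BAD_PACKAGES="com.klivkfbky.izaybebnx com.uvxuthoq.noscjahae"

# triage_accessibility VALUE
# Prints one line per entry that is not allowlisted:
#   KNOWN_BAD <package>  matches a package named in the report
#   UNKNOWN   <package>  not allowlisted; review and revoke if unexplained
# Returns 0 when nothing was flagged, 1 otherwise.
triage_accessibility() {
    value="$1"
    flagged=0
    old_ifs="$IFS"
    IFS=':'
    set -- $value          # split the colon-separated list into entries
    IFS="$old_ifs"
    for entry in "$@"; do
        [ -z "$entry" ] && continue
        pkg="${entry%%/*}"   # package name is everything before the slash
        status="UNKNOWN"
        for good in $ALLOWED_PACKAGES; do
            [ "$pkg" = "$good" ] && status="ALLOWED"
        done
        for bad in $KNOWN_BAD_PACKAGES; do
            [ "$pkg" = "$bad" ] && status="KNOWN_BAD"
        done
        if [ "$status" != "ALLOWED" ]; then
            printf '%s %s\n' "$status" "$pkg"
            flagged=1
        fi
    done
    return $flagged
}

# Constructed sample standing in for the adb output on an infected device.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.klivkfbky.izaybebnx/.AccService:org.example.unknown/.Svc'

triage_accessibility "$SAMPLE" \
    || echo "review the services above: Settings > Accessibility, then uninstall the owning app"
```

On a real device the output of the `adb shell settings get secure ...` command is passed in place of `SAMPLE`; the same allowlist approach applies to the device-administrator list, which the article also names as a persistence mechanism.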

The appearance of Sturnus confirms that the Android ecosystem remains a priority target for criminal groups with resources and financial motivation. This Trojan combines bank theft, encrypted messaging espionage, and remote control into a single package, and it leverages accessibility permissions and encrypted communication channels to operate stealthily. In a context where more and more users in Spain and Europe rely on their mobile phones to manage their money and private communications, staying vigilant and adopting good digital practices becomes crucial to avoid falling victim to similar threats.
