A new Android banking trojan named Sturnus poses significant threats by stealing credentials, reading encrypted messages, and controlling devices, raising alarms in the cybersecurity community.
A new Android banking trojan known as Sturnus is emerging as a formidable threat in the cybersecurity landscape. Although still in its early development stages, Sturnus exhibits capabilities that resemble those of a fully operational malware program.
Once it infects a device, Sturnus can take over the screen, steal banking credentials, and even read encrypted messages from trusted applications. What makes this malware particularly concerning is its ability to operate quietly in the background. Users may believe their messages are secure due to end-to-end encryption, but Sturnus patiently waits for the phone to decrypt these messages before capturing them. Importantly, it does not break encryption; instead, it intercepts messages after they have been decrypted on the device.
According to cybersecurity research firm ThreatFabric, Sturnus employs multiple layers of attack that provide the operator with nearly complete visibility into the infected device. It utilizes HTML overlays that mimic legitimate banking applications, tricking users into entering their credentials. Any information entered is immediately sent to the attacker through a WebView that forwards the data without delay.
In addition to overlays, Sturnus employs an aggressive keylogging system via the Android Accessibility Service. This feature allows it to capture text as users type, track which applications are open, and map every user interface element on the screen. Even if applications block screenshots, the malware continues to monitor the UI tree in real time, enabling it to reconstruct user activity.
Sturnus also monitors popular messaging applications such as WhatsApp, Telegram, and Signal. It waits for these apps to decrypt messages locally before capturing the text displayed on the screen. Consequently, while chats may remain encrypted during transmission, Sturnus gains access to the entire conversation once the message is visible on the device.
Furthermore, the malware includes a comprehensive remote control feature that allows live screen streaming and a more efficient mode that transmits only interface data. This capability enables precise taps, text injection, scrolling, and permission approvals without alerting the victim.
To protect itself, Sturnus acquires Device Administrator privileges, making it difficult for users to remove it. If a user attempts to access the settings page to disable these permissions, the malware detects the action and swiftly diverts the user away from the screen. It also monitors various factors, including battery state, SIM changes, developer mode, and network conditions, to adapt its behavior accordingly. All collected data is sent back to the command-and-control server through a combination of WebSocket and HTTP channels, secured with RSA and AES encryption.
When it comes to financial theft, Sturnus has several methods at its disposal. It can collect credentials through overlays, keylogging, UI-tree monitoring, and direct text injection. In some cases, it can even obscure the user’s screen with a full-screen overlay while the attacker executes fraudulent transactions in the background. As a result, users remain unaware of any illicit activity until it is too late.
To safeguard against threats like Sturnus, users can take several practical steps. First, avoid downloading APKs from forwarded links, dubious websites, Telegram groups, or third-party app stores. Banking malware often spreads through sideloaded installers disguised as updates, coupons, or new features. If an app is not available in the Google Play Store, verify the developer’s official website, check provided hashes, and read recent reviews to ensure the app has not been compromised.
Many dangerous malware variants rely on accessibility permissions, which grant full visibility into the user’s screen and interactions. Device administrator rights are even more powerful, as they can prevent removal. If a seemingly harmless utility app suddenly requests these permissions, users should exercise caution and refrain from granting them. Such permissions should only be granted to trusted applications, such as password managers or accessibility tools.
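The two defensive checks above (verifying a sideloaded APK's published hash, and auditing which apps hold accessibility or device-administrator power) can be scripted over ADB output. This is an added example, not code from the article or from ThreatFabric; the sample ADB output is constructed, `com.example.freecoupons` is a hypothetical sideloaded app, and the allowlist is an assumed list of vetted packages.

```python
import hashlib
import re
import subprocess

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`;
# com.example.freecoupons is a hypothetical sideloaded app, not a real package.
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.example.freecoupons/com.example.freecoupons.A11yService")

# Constructed excerpt of `adb shell dumpsys device_policy` (active admins section).
SAMPLE_DPM = """  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.freecoupons/.AdminReceiver:
      uid=10234
"""

# Assumed allowlist: packages the defender has vetted to hold these powers
# (screen readers, password managers, MDM agents).
ALLOWLIST = {"com.google.android.marvin.talkback"}


def parse_accessibility_services(raw):
    """Colon-separated component list -> sorted package names; 'null' means none enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return sorted({entry.split("/")[0] for entry in raw.split(":") if entry})


def parse_device_admins(dumpsys_text):
    """Package names of active device admins from a dumpsys device_policy excerpt."""
    return sorted(set(re.findall(r"^\s+([\w.]+)/[\w.$]+:\s*$", dumpsys_text, re.MULTILINE)))


def flag_unvetted(a11y_raw, dumpsys_text, allowlist=ALLOWLIST):
    """Packages holding accessibility or device-admin power that are not on the allowlist."""
    return {
        "accessibility": [p for p in parse_accessibility_services(a11y_raw) if p not in allowlist],
        "device_admin": [p for p in parse_device_admins(dumpsys_text) if p not in allowlist],
    }


def apk_sha256(data):
    """SHA-256 of the APK bytes, to compare against the hash the developer publishes."""
    return hashlib.sha256(data).hexdigest()


def collect_from_device():
    """Pull the two live values over adb (needs USB debugging and a connected device)."""
    run = lambda *a: subprocess.run(["adb", "shell", *a], capture_output=True, text=True).stdout
    return run("settings", "get", "secure", "enabled_accessibility_services"), run("dumpsys", "device_policy")


if __name__ == "__main__":
    print(flag_unvetted(SAMPLE_A11Y, SAMPLE_DPM))
```

Any package reported under both keys deserves immediate attention, since that is exactly the combination the article describes Sturnus acquiring.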
Installing system updates promptly is crucial, as many Android banking trojans target older devices lacking the latest security patches. Users with devices that no longer receive updates are at heightened risk, particularly when using financial applications. Additionally, users should avoid sideloading custom ROMs unless they are confident in how those ROMs handle security patches and Google Play Protect.
Android devices come equipped with Google Play Protect, which detects a significant portion of known malware families and alerts users when apps behave suspiciously. For enhanced security and control, users may consider opting for a third-party antivirus application. These tools can notify users when an app attempts to log their screen or take control of their device.
To further protect personal information, users should install robust antivirus software on all their devices. This software can alert users to phishing emails and ransomware scams, helping to safeguard personal data and digital assets.
Many malware campaigns rely on data brokers, leaked databases, and scraped profiles to compile lists of potential targets. If personal information such as phone numbers, email addresses, or social media handles is available on various broker sites, attackers can more easily reach individuals with malware links or tailored scams. Using a personal data removal service can help mitigate this risk by removing personal information from data broker listings.
While no service can guarantee complete removal of personal data from the internet, a data removal service is a prudent choice. These services actively monitor and systematically erase personal information from numerous websites, providing peace of mind and effectively reducing the risk of scammers cross-referencing data from breaches with information found on the dark web.
As Sturnus continues to develop, it stands out for the level of control it offers attackers. It sidesteps end-to-end encrypted messaging by reading messages after the device has decrypted them, steals banking credentials through multiple methods, and maintains a strong grip on infected devices via administrator privileges and constant environmental checks. Although current campaigns may be limited, the sophistication of Sturnus suggests it is being refined for broader operations. If it achieves widespread distribution, it could become one of the most damaging Android banking trojans in circulation.
For more information on cybersecurity threats and protective measures, visit Cyberguy.com.