In 2025, the rise of secure messaging applications such as WhatsApp, Signal, and Telegram has significantly strengthened the confidentiality of digital exchanges. However, a major new threat now undermines this progress: the Android Trojan named Sturnus. This sophisticated malware infiltrates smartphones with alarming discretion, exploiting vulnerabilities in Android systems to intercept encrypted messages in real time and steal banking credentials. Initially discovered in Southern and Central Europe, Sturnus represents a formidable escalation in digital espionage and hacking, eroding users’ trust in their secure communication tools.
Sturnus’s modus operandi is striking in its engineering: it does not try to break the encryption itself but inserts itself directly into the decrypted flow at the screen level. In this way it steals not only conversations but also sensitive authentication data, giving attackers full control over the infected device. Discreet and nearly invisible, this banking Trojan extends its reach into the financial sphere, demonstrating the crucial importance of reinforced cybersecurity to protect personal data, even on platforms considered unbreakable.
- 1 Sturnus: an Android banking Trojan targeting popular secure messaging apps
- 2 Sophisticated methods to bypass encryption: how Sturnus undermines app security
- 3 Full control and persistence on the infected device: the dangers of extended takeover
- 4 The cybersecurity challenges posed by Sturnus: discreetly protecting Android users
Sturnus: an Android banking Trojan targeting popular secure messaging apps
Sturnus deploys a sophisticated strategy, leveraging mechanisms specific to the Android system to infiltrate encrypted messaging applications such as WhatsApp, Signal, and Telegram. This malware family is distinguished by its ability to capture decrypted exchanges in real time from the screen, thus avoiding any direct confrontation with end-to-end encryption. This approach allows Sturnus to collect conversations that are supposed to be secure, dangerously undermining users’ expectation of confidentiality.
Specifically, Sturnus abuses the Android accessibility service, a framework originally intended to assist users with disabilities, to observe and interpret every interaction with the user interface. By hijacking this functionality, the malware is able to monitor the targeted applications’ activity, record keystrokes and, above all, read what is displayed on the screen. This ability to manipulate the interface, both to spy and to interfere, grants Sturnus a reach that goes far beyond simple message interception.
The Trojan’s effectiveness also rests on its camouflage. Sturnus hides its traces, notably by automatically removing its HTML overlays once data collection is complete, which reduces the risk of detection by the user and by security tools. Added to this is a worrying capability: the malware can obscure the screen while it executes fraudulent transactions, entirely without the victim’s knowledge. In this way the intruder maintains extreme stealth during its illegal operations.
Sturnus’s activity is currently concentrated in Southern and Central Europe, where it notably targets financial institutions and their clients. Although the Trojan still appears to be in a testing or advanced-development phase, it is already fully functional and ready for larger-scale deployment, which represents an imminent risk to the digital security of Android users in these regions and beyond.

Sophisticated methods to bypass encryption: how Sturnus undermines app security
The core of the Sturnus threat lies in its ability to circumvent cryptographic protections without attempting to break them. Rather than attacking the encryption, the Trojan captures data at the precise moment they are decrypted and displayed to the user. To achieve this, Sturnus employs two tightly coupled mechanisms: phishing HTML overlays and a keystroke logger built on the Android accessibility service.
The first mechanism relies on a collection of HTML templates stored persistently in the malicious application’s directory, each corresponding to a targeted banking application. When the malware detects that a particular app has been opened, it launches the matching overlay, displaying a fake login screen designed to mimic the legitimate bank’s as closely as possible. As soon as the victim enters their credentials, this confidential information is instantly sent to the attacker’s remote control server.
Simultaneously, Sturnus exploits the Android accessibility service to capture not only keystrokes but also every change and interaction on the screen. This service is normally used to ease access and navigation for users with disabilities, but once hijacked it gives the Trojan privileged access to everything displayed and entered. Through this method, Sturnus collects a continuous stream of structured data, effectively providing live monitoring of the device and its activity.
Even the best secure messaging applications cannot defend against this type of intrusion, because they control neither what is displayed system-wide nor what is typed on the keyboard. By operating at this level, Sturnus achieves a technological tour de force, combining discreet espionage with social engineering to compromise both personal and financial user data.
Full control and persistence on the infected device: the dangers of extended takeover
The threat posed by Sturnus is not limited to data exfiltration. Once installed, this banking Trojan grants itself near-absolute power over the smartphone. It establishes full remote control, allowing malicious operators to monitor all device activity and interact with it as if they were physically present.
This control relies on two screen-capture methods: a standard screenshot and, as a fallback, capture through the accessibility service. The visual data are then compressed, encoded, and continuously transmitted to the attackers’ server using the VNC Remote Framebuffer (RFB) protocol, which ensures smooth handling of remote interactions.
Monitoring is not limited to raw images, however. An additional layer transmits a detailed, structured textual description of interface elements, enabling attackers to precisely identify buttons, text fields, and other controls to manipulate automatically. This screen-mapping capability is a major innovation that greatly expands what attackers can automate, leaving the device completely exposed.
To maintain its presence on the system, Sturnus actively requests and protects its Android administrator privileges. These rights allow it to:
- Monitor password changes and remotely lock the device screen,
- Prevent malware removal by intercepting attempts to access sensitive settings,
- Detect any system modification or app installation, immediately sending an alert,
- Continuously collect information about sensors, network connectivity, and active SIM cards to adapt its behavior and remain stealthy, even in analysis environments.
Thanks to these features, the Trojan becomes extremely resilient and difficult for an average user to eradicate, highlighting the danger posed by a Sturnus infection. It thereby establishes permanent, and sometimes undetectable, surveillance of the victim’s private and professional activities.

The cybersecurity challenges posed by Sturnus: discreetly protecting Android users
Faced with the growing threat posed by Sturnus, cybersecurity professionals warn of the need to adopt strengthened and adapted measures. The Trojan’s stealthy nature forces a rethinking of current protection mechanisms, both at the user level and among app developers and smartphone manufacturers.
Among essential preventive measures are:
- Increased vigilance when downloading apps, notably by avoiding unofficial third-party sources that are often infection vectors.
- Temporary disabling of the accessibility service on Android when it isn’t necessary, to prevent abusive exploitation by malware.
- Regular updates of the operating system and apps to benefit from the latest security patches that reduce exploitable vulnerabilities.
- Use of reputable antivirus and antimalware solutions that can detect and block certain Trojan components, even though complete detection remains difficult.
- User awareness of phishing attempts, particularly regarding fake banking login pages used by Sturnus for data theft.
| Preventive Measures | Description | Advantages |
|---|---|---|
| Install only from Play Store | Limit downloads to official Android app sources. | Reduces the risk of infection by unknown malware. |
| Disable accessibility service | Prevents malware from exploiting accessibility privileges. | Blocks a main spying and keystroke logging pathway. |
| Regular updates | Apply patches to close system vulnerabilities. | Limits exposure to attacks. |
| Antivirus software | Use security solutions dedicated to mobile devices. | Detects some malware and reduces infection impact. |
| Phishing risk awareness | Inform users about dangers related to phishing and fake banking pages. | Reduces the risk of data theft through social engineering. |
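As an added example (not from the article or from any Sturnus analysis), the following Python triage script implements the checks behind the "disable accessibility service" measure and the device-admin persistence described above: it parses the output of two standard adb commands and flags packages outside an allowlist that hold accessibility or device-admin rights. The adb commands are real; the sample outputs, the com.example.flashlight package and the allowlist are constructed, and the dumpsys layout varies across Android versions.

```python
"""Triage helper (added example, not from the article): flag apps holding the
Android accessibility or device-admin rights that Sturnus abuses. Input is the
output of `adb shell settings get secure enabled_accessibility_services` and
`adb shell dumpsys device_policy`; samples below are constructed and the
dumpsys layout varies across Android versions."""
import re

# Constructed value of the secure setting: "package/class" entries joined by ':'.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.flashlight/.svc.OverlayWatcher"
)
# Constructed excerpt of `dumpsys device_policy` listing active admins.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:
      uid=10123
    com.example.flashlight/.admin.LockReceiver:
      uid=10245
      policies:
        force-lock
"""
# Packages expected to hold these rights (constructed allowlist; tune per fleet).
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.google.android.apps.work.clouddpc",
}

def parse_accessibility_services(setting_value):
    """Package names from the setting value; adb prints 'null' when unset."""
    if not setting_value or setting_value.strip() == "null":
        return []
    return [c.split("/")[0] for c in setting_value.strip().split(":") if c]

def parse_device_admins(dumpsys_text):
    """Package names of active admins: 4-space-indented 'pkg/Receiver:' lines."""
    return re.findall(r"^ {4}([\w.]+)/[\w.$]+:\s*$", dumpsys_text, re.MULTILINE)

def suspicious_packages(a11y_value, dumpsys_text, trusted=TRUSTED_PACKAGES):
    """Map each non-allowlisted package to the sensitive rights it holds.
    One unknown app holding both is the combination the article describes."""
    findings = {}
    for pkg in parse_accessibility_services(a11y_value):
        if pkg not in trusted:
            findings.setdefault(pkg, set()).add("accessibility")
    for pkg in parse_device_admins(dumpsys_text):
        if pkg not in trusted:
            findings.setdefault(pkg, set()).add("device-admin")
    return findings
```

On a live device, feed the script the real output of the two adb commands; an unknown package that shows up with both rights is the pattern to investigate first.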
Moreover, financial sector actors and developers of secure messaging platforms must collaborate to strengthen security layers and develop ways to detect and prevent attacks that rely on system-level mechanisms like those used by Sturnus. By combining innovation and vigilance, it becomes possible to limit the impact of this type of spyware, which threatens the confidentiality and integrity of private communications in the digital age.
