Sturnus Trojan: A Dangerous New Threat Targeting WhatsApp and Banking Apps

A new Android banking trojan named Sturnus has raised serious concerns among security experts. The malware is still in development, but it is already powerful and fully functional. Sturnus Trojan can capture messages from end-to-end encrypted apps like WhatsApp, Signal, and Telegram. It can also take complete control of an infected device.
Researchers say Sturnus has been designed to target users in Europe. It uses special “region-specific overlay templates” to trick victims into giving away banking details. This means it displays fake screens that resemble real banking apps. Users enter their details, and those details go straight to the attackers.
What makes Sturnus especially dangerous is its advanced communication system. It mixes plaintext, RSA-encrypted and AES-encrypted traffic when talking to its command-and-control (C2) server, which is more complex than what most Android malware uses today.
A report from ThreatFabric explains how Sturnus works. The malware can steal messages from secure apps by reading them directly from the screen. It does not break encryption. Instead, it waits until the message is decrypted on the phone and then captures it. This allows the attacker to see private chats in real time.
Sturnus can also steal banking details using HTML overlays. It supports full remote control through a real-time VNC session. This gives the attacker the ability to operate the phone as if they were holding it in their hands.
Researchers believe the malware is disguised as apps like Google Chrome or Preemix Box. However, they still do not know how it spreads. It could be shared through fake websites, links, or third-party app stores.
Once the malware is installed, it connects to the C2 server. It creates secure communication channels. It uses HTTPS for commands and data, and AES-encrypted WebSockets for remote control functions.
Sturnus abuses Android Accessibility services. With these permissions, it can read text on the screen, capture keystrokes, detect which apps are running, and even press buttons. It can scroll, inject text, and open apps without the user knowing.
The malware also asks for Device Administrator privileges. This gives it deeper control. It can monitor password changes, lock the phone, and block attempts to remove it. According to ThreatFabric, users cannot uninstall the malware normally until they manually remove its admin rights.
When apps like WhatsApp, Signal, or Telegram are opened, Sturnus starts reading everything. It can see messages, contacts, and typed text. Because it reads the already-decrypted text through Accessibility, it sidesteps end-to-end encryption completely.
The malware also includes a hidden “black overlay” mode. Attackers can control the device while the user only sees a fake screen, such as a fake “Android System Update.” During this time, attackers can steal money, approve transactions, or install new apps without detection.
ThreatFabric says Sturnus is still being tested. However, its advanced features show that it could become a major threat very soon.
Android users are strongly advised to avoid downloading apps from outside the Play Store. Keep Google Play Protect enabled. Only grant Accessibility permissions when absolutely necessary.
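As an added defender-side example (not from the ThreatFabric report or this article), the following POSIX shell script audits which accessibility services are enabled on a connected Android device over adb and flags any that are not on an allowlist, which is the check a user or analyst would run given the Accessibility abuse described above. The allowlist entry, the adb usage and the sample values are assumptions.

```shell
#!/bin/sh
# Added example (not ThreatFabric's tooling): audit which Android accessibility
# services are enabled on a connected device and flag any not on an allowlist.
# Assumes adb is installed and a device is authorised. Android stores the enabled
# services as colon-separated component names in the secure setting
# "enabled_accessibility_services".

# Allowlist of component names the operator considers legitimate (assumption:
# TalkBack as one representative entry; adjust for the fleet being audited).
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# flag_unexpected_services VALUE [ALLOWLIST]
# Prints each enabled accessibility service component not in ALLOWLIST, one per
# line; prints nothing when every enabled service is allowed.
flag_unexpected_services() {
    value=$1
    allow=${2:-$ALLOWLIST}
    [ "$value" = "null" ] && value=""   # 'settings get' prints "null" when unset
    old_ifs=$IFS
    IFS=':'
    for svc in $value; do
        [ -z "$svc" ] && continue
        case ":$allow:" in
            *":$svc:"*) ;;               # allowlisted, nothing to report
            *) printf '%s\n' "$svc" ;;
        esac
    done
    IFS=$old_ifs
}

# audit_device reads the live setting over adb and reports unexpected services.
# Returns 1 when at least one unexpected service is enabled.
audit_device() {
    current=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    unexpected=$(flag_unexpected_services "$current")
    if [ -n "$unexpected" ]; then
        echo "Unexpected accessibility services enabled:"
        echo "$unexpected"
        return 1
    fi
    echo "Only allowlisted accessibility services are enabled."
}

# Run the live audit only when explicitly asked and adb is present.
if [ "${1:-}" = "--run" ] && command -v adb >/dev/null 2>&1; then
    audit_device
fi
```

Any component reported here that the user does not recognise deserves the same treatment the article recommends for Accessibility permissions in general: revoke it unless it is absolutely necessary.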
Sturnus proves once again that Android malware is getting more advanced—and more dangerous.