The new Sturnus Android Trojan discreetly records encrypted conversations and takes control of devices.
Cybersecurity researchers have revealed a new Android banking trojan named Sturnus, which facilitates credential theft and complete device takeover for financial fraud. A significant feature of Sturnus is its ability to defeat the protection offered by end-to-end encrypted messaging apps without breaking the encryption itself. According to ThreatFabric, the trojan captures content directly from the device screen after the app has decrypted it, enabling it to monitor communications on platforms such as WhatsApp, Telegram, and Signal. Additionally, Sturnus can execute overlay attacks by displaying fake login screens over banking applications to harvest victims’ credentials. The malware is currently assessed to be in the evaluation stage and is specifically targeting financial institutions in Southern and Central Europe with region-specific overlays.
The name Sturnus is inspired by its mixed communication pattern, which combines plaintext, AES, and RSA encryption, akin to the vocal mimicry of the European Starling (Sturnus vulgaris). Once activated, the trojan connects to a remote server over WebSocket and HTTP channels to register the device and receive encrypted payloads. It also establishes a WebSocket channel through which threat actors interact with the compromised Android device during Virtual Network Computing (VNC) sessions. Beyond serving fake overlays, Sturnus abuses Android’s accessibility services to capture keystrokes and record user interface interactions. It can even display a full-screen overlay that mimics an Android operating system update, misleading the user while it carries out malicious actions in the background.
