
Sturnus: New Threat to WhatsApp, Telegram, and Signal Users

Written by Adrian León | Nov 24, 2025 7:19:28 PM

A new Android trojan is raising alarms in mobile security. Meet Sturnus, a piece of malware built to steal credentials, take control of devices and stay hidden from most detection tools.

What is most concerning is its ability to spy on messaging apps considered secure, such as WhatsApp, Telegram and Signal, by capturing what those apps draw on screen after they have already decrypted the message. The encryption itself is never broken; the device it runs on is.

At TecnetOne, we closely monitor these types of threats because they pose an increasing risk to both individuals and companies that rely on mobile devices daily. That is why, in this article, we explain what Sturnus is, how it works, why it is so dangerous and how you can protect yourself.

What is Sturnus?

Sturnus is an Android banking trojan designed to steal financial credentials, take control of the device and spy on private communications. It is a modern piece of malware that combines advanced techniques such as:

  1. Fake overlays to steal banking passwords.

  2. Reading on-screen content, even in encrypted apps.

  3. Real-time or reconstructed screenshots via accessibility events.

  4. Continuous monitoring of the system and user apps.

  5. Encrypted communication with its command-and-control (C2) servers to hinder detection and analysis.

 

What makes it especially dangerous is that it reaches information protected by end-to-end encryption without touching the encryption at all: it exploits the weakest link of any secure app, the device the app runs on, where a message is necessarily in the clear once it is displayed.

Recent analyses suggest that Sturnus is still under development or in a limited testing phase. Still, the trojan has already begun targeting financial institutions in Southern and Central Europe — a sign that its operators are preparing for a broader campaign.

What’s alarming is that even in this “early” state, the malware is fully functional and already outperforms many established trojan families, particularly in terms of communication protocols, evasion techniques, and compatibility with various device models.

Activity observed so far shows short, sporadic campaigns focused primarily on secure messaging apps like WhatsApp, Telegram, and Signal, using attack templates tailored to each region.

Everything indicates that the operators are fine-tuning their tools to capture conversations and sensitive data, setting the stage for more organized, large-scale operations.

One striking detail is that Sturnus does not stop at banking apps: it continuously monitors which app is in the foreground and, when it detects WhatsApp, Signal or Telegram, starts collecting the interface tree (the hierarchy of views and text nodes that Android's accessibility API exposes).

That gives it the content displayed on screen, and with it the private information, without needing to break any encryption.

 

How Sturnus Works: Advanced Techniques to Steal Data and Control Devices

Sturnus is designed to behave as unpredictably as the starling it is named after. It mixes three kinds of traffic (plaintext, RSA and AES) to hinder analysis and remain hidden.

On infection, the malware registers with its command server through a plaintext HTTP request and receives a unique identifier and an RSA public key. It then generates its own AES-256 key and encrypts it with that RSA key, which is what lets the server, the only holder of the matching private key, recover it. From that point on, all traffic is AES-encrypted and encapsulated to prevent tracking, so the registration request is the one exchange a defender can read on the wire.
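The key exchange described above, modelled as an added example that is not Sturnus's own code and not part of the original article. It assumes standard primitives (RSA-OAEP to wrap the key, AES-256-GCM for the beacons, a nonce prepended to each blob); the real implant's wire format, identifier scheme and cipher modes are not documented here, so the function names, the `dev-0001` identifier and the JSON payload are illustrative. What it shows is why only the registration request is useful to a network sensor: everything after stage 1 is an opaque blob, and a blob modified in transit is rejected rather than decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Server models the operator side: the RSA private key plus one AES-256 key per device.
type Server struct {
	priv *rsa.PrivateKey
	keys map[string][]byte // device ID -> session key
}

// AcceptKey unwraps the device's AES key (RSA-OAEP, device ID as the label)
// and stores it; from here on the server can read that device's beacons.
func (s *Server) AcceptKey(id string, wrapped []byte) error {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, []byte(id))
	if err != nil {
		return err
	}
	s.keys[id] = key
	return nil
}

// deviceKey draws the implant's random AES-256 key and wraps it for the server;
// the wrapped key is the body of the implant's second request.
func deviceKey(id string, pub *rsa.PublicKey) (key, wrapped []byte, err error) {
	key = make([]byte, 32)
	if _, err = io.ReadFull(rand.Reader, key); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, []byte(id))
	return key, wrapped, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealBeacon prepends a fresh nonce so each blob is self-contained on the wire.
func SealBeacon(key, pt []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, nil), nil
}

// OpenBeacon fails on anything tampered with or encrypted under another key.
func OpenBeacon(key, blob []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("blob too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// RunExchange walks the whole sequence once and returns what the server recovers.
func RunExchange(payload string) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return "", err
	}
	srv := &Server{priv: priv, keys: map[string][]byte{}}
	// Stage 1, plaintext HTTP: the server hands out an ID and its RSA public key.
	id, pub := "dev-0001", &priv.PublicKey
	// Stage 2: the implant generates AES-256 and sends it wrapped under RSA.
	key, wrapped, err := deviceKey(id, pub)
	if err != nil {
		return "", err
	}
	if err := srv.AcceptKey(id, wrapped); err != nil {
		return "", err
	}
	// Stage 3: every beacon is an opaque AES-GCM blob, here a UI-tree upload.
	blob, err := SealBeacon(key, []byte(payload))
	if err != nil {
		return "", err
	}
	pt, err := OpenBeacon(srv.keys[id], blob)
	return string(pt), err
}

func main() {
	fmt.Println(RunExchange(`{"type":"ui_tree","app":"org.thoughtcrime.securesms"}`))
}
```

The detection takeaway is in stage 1: the plaintext registration is the only place to write a network signature, because every later request carries a random nonce and an authenticated ciphertext that reveals nothing but its length.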

As for data theft, Sturnus combines two highly effective methods: overlay screens and an accessibility-based keylogger. The malware includes phishing templates tailored for specific banking apps and displays them as if they were legitimate screens.

The user enters their credentials without suspecting that everything is being sent to the attacker’s server. Once the credentials are captured, the overlay disappears to avoid detection and can even display a full lock screen to hide its activity.

 

One of the trojan's strongest features is its use of Android's Accessibility Service. Sturnus logs text, clicks, scrolling and complete interface changes, allowing it to reconstruct every user action, even on screens that block screenshots (FLAG_SECURE stops screen capture, not accessibility-tree reads). Thanks to this, it can obtain PINs, passwords and any data entered on the device.

And here is the most critical part: because it does not intercept network traffic but captures what is displayed on screen, Sturnus can read full conversations in real time, including contacts, incoming and outgoing messages and private content. End-to-end encryption is bypassed entirely rather than broken: the messages are read after the app itself has decrypted them.

Beyond data theft, the Trojan offers attackers near-total remote control over the device. It can mirror the screen in real time or, if that fails, generate screen captures based on accessibility events.

It also uses a VNC-like protocol to manage the session, allowing operators to interact with the phone remotely. It even sends a structured map of all screen elements, which reduces data usage and avoids alerts typically triggered by screenshots.

To remain active, Sturnus guards its device admin privileges and blocks attempts to revoke them, and it watches everything happening on the system: SIM card changes, battery status, newly installed apps, rooting attempts, developer settings and more. It also checks sensors, hardware and network conditions to adapt its behaviour, evade detection and keep long-term control.

In short, Sturnus is not just another Trojan—it's a sophisticated, all-in-one threat designed to steal credentials, spy on messages, capture keystrokes, mirror the screen, enable remote control, and monitor every corner of the device. The combination of all these techniques makes it a serious risk to any infected user’s privacy and financial security.

 

Read more: Maverick: The WhatsApp Banking Trojan Linked to Coyote Malware

 

How to Protect Yourself from the Sturnus Trojan

The best defense against Sturnus is a combination of safe habits and protective measures, both personal and enterprise-level. Individually, install apps only from official stores, keep Android and your apps up to date, and refuse unnecessary permissions. Three deserve special attention because they are exactly what Sturnus depends on: accessibility, device admin and drawing over other apps (screen overlay). No banking, messaging or utility app needs accessibility access unless it is an assistive tool, and an app that asks for it and then resists being switched off is a red flag.
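A practitioner's check for the permission triad above, added here as an example (not TecnetOne's tooling and not part of the original article). It parses constructed excerpts shaped like the output of `adb shell settings get secure enabled_accessibility_services`, `adb shell dumpsys device_policy` and `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`; the package name `com.updater.sys`, the allowlist and the exact dump layout are assumptions to adjust for your own devices and Android version. It flags any package running an accessibility service that is not on the allowlist and records whether the same package also holds device admin and overlay rights.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// AllowedAccessibility lists services that legitimately need the accessibility
// API on this fleet (assumption: TalkBack only; extend it for your own tooling).
var AllowedAccessibility = map[string]bool{
	"com.google.android.marvin.talkback": true,
}

// Constructed samples shaped like the output of three adb commands. The package
// com.updater.sys is hypothetical; the layout varies by Android version.
const (
	// adb shell settings get secure enabled_accessibility_services
	SampleAccessibility = "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.updater.sys/com.updater.sys.CoreService"
	// adb shell dumpsys device_policy (excerpt)
	SamplePolicy = `Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.updater.sys/com.updater.sys.AdminReceiver:
      uid=10187
      policies:
        force-lock
        wipe-data
`
)

// adb shell appops get <pkg> SYSTEM_ALERT_WINDOW, one entry per package.
var SampleAppOps = map[string]string{
	"com.google.android.marvin.talkback": "No operations.",
	"com.updater.sys":                    "SYSTEM_ALERT_WINDOW: allow; time=+2d3h12m ago",
}

// accessibilityPackages splits the colon-separated component list into package names.
func accessibilityPackages(setting string) []string {
	var pkgs []string
	for _, comp := range strings.Split(strings.TrimSpace(setting), ":") {
		if comp == "" || comp == "null" { // "null" is what an unset setting prints
			continue
		}
		pkgs = append(pkgs, strings.SplitN(comp, "/", 2)[0])
	}
	return pkgs
}

// adminLine matches an indented "package/Receiver:" line in the policy dump.
var adminLine = regexp.MustCompile(`(?m)^[ \t]+([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+:[ \t]*$`)

func deviceAdminPackages(dump string) map[string]bool {
	admins := map[string]bool{}
	for _, m := range adminLine.FindAllStringSubmatch(dump, -1) {
		admins[m[1]] = true
	}
	return admins
}

func overlayAllowed(appops string) bool {
	return strings.Contains(appops, "SYSTEM_ALERT_WINDOW: allow")
}

type Finding struct {
	Package string
	Reasons []string
}

// Triage flags every package running an accessibility service outside the
// allowlist and records whether it also holds device admin and overlay rights,
// the three-permission combination Sturnus depends on.
func Triage(accSetting, policyDump string, appops map[string]string) []Finding {
	admins := deviceAdminPackages(policyDump)
	var out []Finding
	for _, pkg := range accessibilityPackages(accSetting) {
		if AllowedAccessibility[pkg] {
			continue
		}
		f := Finding{Package: pkg, Reasons: []string{"accessibility service enabled, not on allowlist"}}
		if admins[pkg] {
			f.Reasons = append(f.Reasons, "device admin active")
		}
		if overlayAllowed(appops[pkg]) {
			f.Reasons = append(f.Reasons, "SYSTEM_ALERT_WINDOW (overlay) allowed")
		}
		out = append(out, f)
	}
	// Worst first: a package holding all three is the Sturnus pattern.
	sort.Slice(out, func(i, j int) bool { return len(out[i].Reasons) > len(out[j].Reasons) })
	return out
}

func main() {
	for _, f := range Triage(SampleAccessibility, SamplePolicy, SampleAppOps) {
		fmt.Printf("%s: %s\n", f.Package, strings.Join(f.Reasons, "; "))
	}
}
```

Feed it real output by replacing the three sample values, or loop it over the devices listed by `adb devices`. A finding with all three reasons deserves immediate isolation; a lone accessibility entry for an unknown package still warrants a look, since the other two rights can be requested later.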

Enabling Google Play Protect or using a reliable antivirus also helps, as does being cautious of suspicious SMS messages. Two-factor authentication reduces the risk if a password is stolen, with one caveat: since Sturnus reads whatever is on screen, an SMS or authenticator code shown on the infected phone can be captured too, so a hardware security key or a code delivered to a second device offers stronger protection. Changes in your phone's behaviour (battery drain, unusual data usage or unfamiliar apps) can also signal a possible infection.

At the enterprise level, having clear mobile security policies is essential, especially in BYOD environments. MDM or MAM solutions can help control permissions, restrict installations, and detect abnormal behavior. Adopting a Zero Trust approach and training staff can prevent simple attacks (like a fake app or phishing SMS) from compromising critical data.

In addition, relying on XDR or EDR technologies is key: platforms like TecnetOne’s managed XDR solutions allow real-time detection and response to suspicious activity on endpoints and mobile devices, including advanced threats like Sturnus. Finally, having a mobile incident response plan ensures that, in case of a breach, the device can be isolated, analyzed, and safely cleaned.

If you want to strengthen your company’s mobile security or need an assessment, contact us—we’ll be happy to help.