ThreatFabric researchers have reported the emergence of a new Android banking Trojan called Sturnus. Although the malware is still in development, it is already fully functional and significantly exceeds most modern Android Trojans in its capabilities.
Sturnus’s main feature is its ability to intercept messages from Signal, WhatsApp (owned by Meta, a company recognized as extremist and banned in Russia), and Telegram after they have been decrypted. The Trojan reads all content displayed on the screen through the Android Accessibility service, so it never has to break the encryption itself: it effectively bypasses end-to-end encryption by reading the messages as the user sees them.
In addition to spying on instant messaging apps, Sturnus uses HTML overlays (fake windows) to steal banking data and supports full remote access to the device via a VNC session. According to ThreatFabric, the Trojan disguises itself as Google Chrome or Preemix Box. How it spreads is still unknown.
After installation, the malware connects to the command server, undergoes cryptographic registration and creates two secure communication channels:
- HTTPS – for sending commands and stolen data,
- AES-protected WebSocket – for VNC, real-time surveillance and smartphone control.
Once granted Device Administrator rights, Sturnus can track password changes, lock the screen and prevent its own removal. Unless these privileges are revoked manually, it is virtually impossible to remove the Trojan, even via ADB.
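The Accessibility-plus-Device-Administrator combination described above is something an analyst can check for during device triage. The following helper is an added example, not code from ThreatFabric or from the Trojan: it parses the raw value of the Android secure setting enabled_accessibility_services (as printed by `adb shell settings get secure enabled_accessibility_services`) together with a list of active device-admin components the analyst has gathered separately, and flags every non-allowlisted package holding either privilege, singling out those holding both. All package names in the sample are constructed, not real indicators.

```python
# Added triage helper (not ThreatFabric's or Sturnus's code). Inputs:
# the raw "enabled_accessibility_services" secure setting and a list of
# active device-admin ComponentName strings. Package names below are
# constructed for illustration only.
from typing import Dict, List


def parse_component(component: str) -> str:
    """Return the package part of an Android ComponentName string.

    Android allows the shorthand "com.pkg/.Service" (class in the same
    package), so the package is always the text before the first "/".
    """
    pkg, _, _cls = component.strip().partition("/")
    return pkg


def parse_accessibility_setting(raw: str) -> List[str]:
    """Split the colon-separated setting value into package names.

    `settings get` prints the literal string "null" when nothing is set.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [parse_component(c) for c in raw.split(":") if c]


def triage_privileged_packages(accessibility_raw: str,
                               device_admins: List[str],
                               allowlist: List[str]) -> Dict[str, str]:
    """Map each non-allowlisted privileged package to the privilege(s) it holds.

    Allowlisted packages (a real screen reader, a corporate MDM agent) are
    skipped. A package holding both privileges matches the pattern this
    report attributes to Sturnus and should be examined first.
    """
    a11y = set(parse_accessibility_setting(accessibility_raw))
    admins = {parse_component(c) for c in device_admins}
    findings: Dict[str, str] = {}
    for pkg in sorted((a11y | admins) - set(allowlist)):
        if pkg in a11y and pkg in admins:
            findings[pkg] = "accessibility+device-admin"
        elif pkg in a11y:
            findings[pkg] = "accessibility"
        else:
            findings[pkg] = "device-admin"
    return findings


# Constructed sample input (not captured from a real device).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.chrome.update.fake/.OverlayService")
SAMPLE_ADMINS = ["com.chrome.update.fake/.AdminReceiver",
                 "com.example.mdm/.receivers.MdmAdminReceiver"]
ALLOWLIST = ["com.google.android.marvin.talkback", "com.example.mdm"]

if __name__ == "__main__":
    for pkg, privs in triage_privileged_packages(SAMPLE_A11Y, SAMPLE_ADMINS, ALLOWLIST).items():
        print(f"{pkg}: {privs}")
```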
When the user launches WhatsApp, Telegram, or Signal, Sturnus gains access to:
- message text,
- entered data,
- contact names,
- all real-time correspondence.
Essentially, this gives attackers the ability to read confidential chats, despite end-to-end encryption protection. VNC mode allows the remote operator to press buttons, enter text, scroll the screen, and navigate the phone’s interface. If necessary, it turns on a black “mask” to hide what is happening from the user. At this point, the following can be performed:
- operations in banking applications,
- MFA confirmation,
- changing system settings,
- installation of additional software,
- any other actions on behalf of the device owner.
Researchers also demonstrated a fake “Android update” window that Sturnus displays to hide its activity.
According to ThreatFabric, the distribution of the Trojan is currently limited, and is likely used in test campaigns. However, Sturnus is designed to scale, and its feature set is comparable to the most advanced Android threats.