A new Android banking trojan named Sturnus is rendering app-level encryption protections ineffective by compromising the device itself. Discovered and analyzed by cybersecurity firm ThreatFabric, the malware is capable of recording on-screen content shared through secure apps like WhatsApp, Signal, and Telegram—giving attackers access to messages without needing to break encryption protocols.
Alongside its ability to capture communication from encrypted messaging platforms, Sturnus enables full remote control of compromised devices, allowing attackers to steal credentials, initiate fraudulent transfers, and perform unauthorized actions unnoticed by the user.
Sturnus Bypasses Encryption by Capturing the Device Screen
Although end-to-end encryption (E2EE) protects messages in transit, it cannot defend against attacks launched from within the device itself. Sturnus exploits this gap by abusing Android Accessibility APIs, which allow it to read and interact with the user interface directly. This approach turns the trojan into a potent spyware tool.
Android Accessibility Abuse Grants Full Control
Accessibility services are typically designed to assist users with disabilities, but have long been a favorite vector for malware due to their broad permissions. Sturnus takes advantage of these capabilities to:
- Intercept and automate screen navigation
- Read on-screen content, even in apps using strong encryption
- Capture credentials by overlaying phishing prompts on trusted banking interfaces
- Automate taps and swipes to hijack app sessions
Once control is established, attackers can operate as though they were the legitimate user, including reading two-factor authentication (2FA) codes, confirming transactions, and interacting with sensitive applications without the user's knowledge.
Secure Messaging Apps Are No Match for On-Screen Spying
Apps like WhatsApp, Telegram, and Signal use end-to-end encryption to keep messages private between sender and recipient. However, when malware like Sturnus lets threat actors watch those messages as they are displayed on the screen, the encryption no longer matters. Sturnus sidesteps cryptographic defenses by operating at the point where content has already been decrypted for display, rather than attacking the cryptographic channel itself.
“Instead of breaking encryption, the malware observes communication post-decryption—while the user reads it on their screen,” said researchers.
This bypass means attackers can steal chat content, intercept private photos, and track conversations discreetly, granting insight into both personal and financial interactions.
Banking Credentials and Transactions Are Targeted Through UI Manipulation
Though Sturnus monitors messaging apps, its core design remains centered on financial fraud. The malware includes features standard to modern banking trojans, especially Account Takeover (ATO) techniques.
Automatic Fraud Execution and Anti-Detection Capabilities
According to ThreatFabric, Sturnus can automate fraudulent transactions through the following:
- Manipulating user interface elements to initiate transfers
- Automatically entering stolen credentials
- Hiding signs of fraud from the user through UI overlays
These techniques allow transactions to be carried out silently in the background without alerting the victim. In addition, Sturnus uses evasion methods that help it avoid detection by traditional mobile antivirus solutions.
Among the most dangerous capabilities noted:
- Real-time screen sharing with attackers
- Keylogging via virtual keyboard overlays
- Dynamic command-and-control (C2) communication to fetch new modules or behavior patterns
Malware Distribution and Future Risk Surface Remain Unclear
ThreatFabric has not disclosed specific distribution vectors for Sturnus, but delivery methods for Android banking trojans commonly include trojanized apps, social engineering, and phishing via SMS (smishing). The malware likely masquerades as legitimate software or is side-loaded onto devices through deceptive links.
With its ability to both spy on encrypted apps and initiate financial fraud, Sturnus represents a convergence of surveillance-based and financially motivated cybercrime.
Implications for End Users and Security Professionals
Sturnus raises fundamental questions about the assumptions of privacy on mobile devices. It highlights a key limitation inherent in relying solely on app-level encryption without securing the operating system or device environment.
For cybersecurity professionals, the emergence of Sturnus demonstrates the need for:
- Improved Android permission models limiting Accessibility API abuse
- Enhanced detection capabilities around on-screen behavior and overlay attacks
- Greater user awareness of the risks posed by non-Play Store app installations
At the user level, avoiding side-loaded apps, limiting permissions to only trusted software, and regularly reviewing accessibility settings can reduce the likelihood of infection.
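As an added defensive example (not from the article or from ThreatFabric's analysis), the following POSIX shell script turns "regularly reviewing accessibility settings" into a repeatable check: it reads the accessibility services enabled on an Android device over adb, using the real Settings.Secure keys accessibility_enabled and enabled_accessibility_services, and flags any service whose package is not on an allowlist. The allowlist, the sample value and the package names in it are constructed for illustration.

```shell
#!/bin/sh
# Audit enabled Android accessibility services against an allowlist.
# Constructed example; the Settings.Secure keys used are real Android settings.

# Constructed allowlist of packages whose accessibility services we expect.
ALLOWLIST="com.google.android.marvin.talkback com.android.switchaccess"

# Parse the enabled_accessibility_services format: "package/class" ComponentName
# strings separated by ':'. Prints unexpected services; returns 0 if none, 1 otherwise.
audit_accessibility_services() {
    value="$1"
    unexpected=0
    [ -n "$value" ] || return 0          # nothing enabled, nothing to flag
    old_ifs="$IFS"
    IFS=':'
    set -f                               # no globbing while word-splitting
    set -- $value                        # split on ':' into $1 $2 ...
    set +f
    IFS="$old_ifs"
    for component in "$@"; do
        [ -n "$component" ] || continue  # skip empty fields from stray ':'
        pkg="${component%%/*}"           # keep the package part of "pkg/class"
        case " $ALLOWLIST " in
            *" $pkg "*) ;;               # expected service, nothing to report
            *) echo "UNEXPECTED accessibility service: $component"
               unexpected=$((unexpected + 1)) ;;
        esac
    done
    [ "$unexpected" -eq 0 ]
}

# Pull the live values from a connected device over adb and audit them.
# `settings get` prints "null" when a key has never been set.
audit_connected_device() {
    enabled="$(adb shell settings get secure accessibility_enabled | tr -d '\r')"
    services="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    [ "$services" = "null" ] && services=""
    echo "accessibility_enabled=$enabled"
    audit_accessibility_services "$services"
}

# Constructed sample of an infected device's setting: the legitimate screen
# reader plus a service from a side-loaded app (hypothetical package name).
SAMPLE_VALUE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/com.example.sideloaded.A11yService'

if [ "$1" = "--device" ]; then
    audit_connected_device
else
    audit_accessibility_services "$SAMPLE_VALUE" || echo "Review the services flagged above."
fi
```

Run with `--device` against a USB-debugging-enabled phone to audit it live; without arguments it runs against the constructed sample, which flags the side-loaded service.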
Device Integrity Is Now as Important as Encryption
While cryptographic protections like end-to-end encryption remain essential, malware like Sturnus shows they are not sufficient in the presence of compromised endpoints. As espionage-focused and financial malware continue to merge, defending against mobile threats will require comprehensive visibility into user interaction layers—not just communication data.
The rise of Sturnus marks a turning point in Android malware evolution—where full device control and anti-forensics capabilities meet privacy-busting surveillance. Security measures must evolve accordingly.