🔴 HIGH | intel

Sturnus Android Malware Steals Banking Data and Encrypted Chats

The newly discovered Sturnus Android banking malware is a privately operated threat that combines classic overlay fraud with advanced accessibility abuse to capture banking credentials and read encrypted messaging app content. Identified by ThreatFabric, Sturnus abuses Android’s Accessibility Service to monitor screen content and keystrokes in apps such as WhatsApp, Telegram, and Signal, sidestepping end-to-end encryption by harvesting decrypted messages directly from the device display. Its capabilities align with MITRE ATT&CK T1059 (Command and Scripting Interpreter) for scriptable control, T1056 (Input Capture) for keylogging, and T1114 (Email and Messaging Collection) when targeting communications data.

Sturnus is distributed through social-engineering campaigns that include phishing emails, smishing (malicious SMS) and dropper applications masquerading as legitimate APKs, requiring users to sideload the malware. Once installed, it requests Accessibility and Device Administrator rights, using those to deploy HTML overlay screens that perfectly mimic target banking apps and to implement a comprehensive keylogging pipeline. The malware can display a full-screen black overlay while it executes fraudulent transactions in the background, hide uninstallation attempts by intercepting user gestures in system settings, and remotely receive commands from its operators to perform actions on behalf of the victim.

ThreatFabric’s analysis indicates Sturnus is in an early testing phase but already fully functional, with configuration data showing a focus on financial institutions across Southern and Central Europe. Beyond traditional credential theft, Sturnus’ ability to harvest content from encrypted messaging platforms poses a significant risk to organizations where Signal and Telegram are used for sensitive communications. Its communication with command-and-control infrastructure uses a mix of plaintext, RSA and AES-encrypted channels designed to blend into normal network patterns and resist reverse engineering, complicating detection by signature-based mobile security tools.

Defenders should treat Sturnus as a high-priority emerging threat, particularly for financial services providers and enterprises with mobile-first workflows. Mitigation steps include enforcing mobile device management (MDM) policies that block sideloaded APKs, restricting Accessibility permissions to vetted apps only, and deploying mobile threat defense (MTD) solutions capable of detecting overlay behavior and abuse of Device Administrator privileges. Security teams should also update customer and employee awareness materials to highlight the dangers of installing apps from links in SMS or email and encourage verification of unexpected banking login prompts and overlays.

🎯 CORTEX Protocol Intelligence Assessment

Business Impact: Sturnus significantly elevates risk for banks and enterprises by combining credential theft, fraudulent transaction automation, and interception of encrypted communications across WhatsApp, Telegram and Signal. Compromised devices can enable full account takeover, unauthorized wire transfers, and leakage of confidential business conversations that may contain deal information, intellectual property or regulated data.

Technical Context: The malware abuses Android Accessibility and Device Administrator rights to implement HTML overlays, keylogging and real-time screen scraping, mapping to MITRE T1056 and T1114. Its resilient C2 channel uses mixed encryption schemes and remote-control commands to execute actions while hiding behind a black screen overlay. Distribution via phishing, smishing and malicious droppers reinforces the need for strong mobile app vetting and behavioral detection on endpoints.

Strategic Intelligence Guidance

  • Financial institutions should update fraud-detection models to incorporate unusual mobile session behavior and enable strong step-up authentication, especially for high-risk transfers initiated from new or untrusted Android devices.
  • Adopt enterprise MDM and MTD solutions that can block sideloaded APKs, monitor for suspicious Accessibility usage, and detect overlay windows impersonating banking or messaging apps.
  • Run targeted awareness campaigns warning customers and staff about Android banking malware, emphasizing that legitimate institutions do not send APKs via SMS or ask users to enable Accessibility for unrelated apps.
  • Review and tighten policies around the use of consumer messaging apps for sensitive business discussions, and consider providing hardened, managed messaging clients for high-risk roles and executives.
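The two controls above (block sideloaded APKs, restrict Accessibility permissions to vetted apps) can be checked on an enrolled device by correlating the enabled accessibility services with each package's installer. The script below is an added example, not ThreatFabric's or the page's own tooling; the package names are constructed, and it assumes the output formats of `settings get secure enabled_accessibility_services` (colon-separated ComponentName strings) and `pm list packages -i` (`package:<name>  installer=<pkg|null>`) as captured via adb.

```python
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Colon-separated "package/ServiceClass" entries. Package names are invented for this example.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/com.example.fakeupdate.A11yService"
)

# Constructed sample of: adb shell pm list packages -i
# "installer=null" means the installer is unknown (typical of manual sideloading).
PM_LIST_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.bank.mobile  installer=com.android.vending
package:com.example.sideloaded  installer=com.google.android.packageinstaller
"""

# Installers an enterprise trusts: Play Store here; add your MDM agent's package if it installs apps.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_accessibility_services(raw):
    """Map package -> list of enabled accessibility service components."""
    services = {}
    for component in filter(None, raw.strip().split(":")):
        pkg, _, _svc = component.partition("/")
        services.setdefault(pkg, []).append(component)
    return services


def parse_installers(raw):
    """Map package -> installer package (None when the installer is unknown)."""
    line_re = re.compile(r"^package:(\S+)\s+installer=(\S+)$")
    installers = {}
    for line in raw.splitlines():
        m = line_re.match(line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers


def sideloaded_packages(pm_raw, trusted=TRUSTED_INSTALLERS):
    """Every package whose installer is not in the trusted set (policy: block sideloading)."""
    return {pkg for pkg, inst in parse_installers(pm_raw).items() if inst not in trusted}


def find_suspicious(a11y_raw, pm_raw, trusted=TRUSTED_INSTALLERS):
    """Sideloaded packages that also hold an enabled accessibility service: the Sturnus pattern."""
    installers = parse_installers(pm_raw)
    findings = []
    for pkg, comps in parse_accessibility_services(a11y_raw).items():
        installer = installers.get(pkg)
        if installer not in trusted:
            findings.append({"package": pkg, "installer": installer or "unknown/sideloaded", "services": comps})
    return findings
```

A hit from `find_suspicious` is a triage lead, not proof of compromise; confirm by reviewing the APK's signer and the service's declared capabilities before acting.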

Vendors

Google Android, ThreatFabric

Threats

Sturnus Android banking malware, Accessibility abuse, Overlay fraud

Targets

Mobile banking customers, Financial institutions in Europe, Enterprises using encrypted messaging apps