Security researchers have identified a new Android banking trojan that does much more than steal banking credentials. It can also record encrypted messages and essentially enables complete control of infected devices.
ThreatFabric researchers are calling the new Android malware “Sturnus.”
“A key differentiator is its ability to bypass encrypted messaging,” the researchers said. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.”
“Sturnus represents a sophisticated and comprehensive threat, implementing multiple attack vectors that provide attackers with near-complete control over infected devices,” they said. “The combination of overlay-based credential theft, message monitoring, extensive keylogging, real-time screen streaming, remote control, device administrator abuse, and comprehensive environmental monitoring creates a dangerous threat to victims’ financial security and privacy.”
So far the malware has been configured for targeted attacks against financial institutions in Southern and Central Europe, suggesting that a broader campaign will follow.
“While we emphasize that the malware is likely in its pre-deployment state, it is also currently fully functional, and in aspects such as its communication protocol and device support, it is more advanced than current and more established malware families,” they warned.
Android Malware Deploys Fake Login Screens
The trojan harvests banking credentials through “convincing fake login screens that replicate legitimate banking apps,” the researchers said.
The Android malware also offers attacks “extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge,” they warned.
The malware combines HTML overlays and keylogging to capture and exfiltrate user credentials and sensitive data. The overlay engine maintains a repository of phishing templates under /data/user/0/<malware_package>/files/overlays/, where each HTML file corresponds to a specific banking application. When an overlay is triggered, the malware launches a WebView configured with JavaScript, DOM storage, and a JavaScript bridge to intercept and forward any data the victim enters directly to the command and control (C2) server.
The malware also includes a full-screen “block overlay” that lets attackers hide their activities from victims by displaying a full-screen black overlay that blocks visual feedback while the malware operates in the background.
Beyond basic keystroke logging, the malware continuously monitors the device’s UI tree and sends structured logs that describe what is displayed on screen, which lets attackers reconstruct user activity even when screen capture is blocked or when network conditions prevent live video transmission. “Together, these mechanisms give the operator a detailed, real-time picture of the victim’s actions while providing multiple redundant paths for data theft,” the researchers said.
Capturing Encrypted Messages
Sturnus also monitors the foreground app and automatically activates its UI tree collection when the victim opens encrypted messaging services such as WhatsApp, Signal, or Telegram.
“Because it relies on Accessibility Service logging rather than network interception, the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time,” the researchers said. “This makes the capability particularly dangerous: it completely sidesteps end-to-end encryption by accessing messages after they are decrypted by the legitimate app, giving the attacker a direct view into supposedly private conversations.”
The ThreatFabric report also contained two SHA-256 hashes, the second of which is currently detected by 23 of 67 security vendors on VirusTotal:
045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5
0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d
