A newly identified Android banking trojan, Sturnus, has entered the cybercrime ecosystem with a level of sophistication that security researchers are calling “a turning point for mobile fraud operations.”
According to ThreatFabric’s analysis, the malware is still in a pre-deployment stage, yet it is already fully capable of capturing content from encrypted messaging apps, taking over devices, and conducting stealthy financial fraud.
Its most alarming capability?
Sturnus reads WhatsApp, Telegram, and Signal messages even though they are end-to-end encrypted.
It does so not by breaking the encryption, but by capturing the content from the screen after the app has already decrypted it, through abuse of Android’s Accessibility Service and monitoring of the UI tree.
This is not a theoretical threat. It is real, operational, and – if fully deployed – could reshape the mobile threat landscape for years to come.
A Banking Trojan Evolving Into a Full Device-Takeover Platform
Unlike many financially motivated malware families, Sturnus isn’t limited to credential harvesting. It offers criminals a complete remote operations environment, giving attackers:
- Full device takeover
- Real-time screen streaming
- Accessibility-based screenshots
- Remote text injection
- Automated clicks and gestures
- Device admin abuse to prevent removal
- Real-time environment monitoring
In practice, this means a threat actor can black out the victim’s screen, take full control of the device, conduct fraudulent transactions, delete traces, and restore the screen without the victim ever knowing.
For enterprises, banks, and telecom operators, this level of stealth presents a formidable challenge.
How Sturnus Steals Banking Credentials
The malware combines two techniques often seen separately:
1. HTML Overlays – Fake Login Screens
Sturnus stores a library of phishing templates that mirror legitimate banking apps. When triggered, these overlays appear exactly like the real interface, capturing credentials instantly.
2. Accessibility-Based Keylogging
Through its Accessibility service it observes everything the user types, every field change, every focus shift, and every UI update, including the screens of apps that assume their content is private.
Combined, these techniques allow it to harvest:
- Online banking credentials
- Payment app logins
- SMS OTPs
- Two-factor authentication codes
- Device unlock PINs and passwords
This gives attackers the power to execute fraudulent transactions with high success and minimal detection.
Breaking Through the Illusion of Secure Messaging
Perhaps the most concerning discovery is Sturnus’s ability to sidestep the protections of encrypted messaging apps entirely.
It achieves this not through any cryptographic weakness, but through:
- UI-tree monitoring
- Accessibility logging
- Screen state extraction
This allows the malware to read in real time:
- Full chat histories
- Contact names
- Incoming messages
- Outgoing messages
- Attachments visible on screen
End-to-end encryption becomes irrelevant once the device itself is compromised.
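To make the mechanism concrete, the following is an added illustration (not Sturnus’s code, and not from ThreatFabric’s report) of what any Android AccessibilityService sees once a user has enabled it under Settings > Accessibility: the system hands it the rendered, already-decrypted UI tree of whatever app is in the foreground, so the messaging app’s encryption never enters the picture. The class name, log tag and event selection are my own choices; the manifest entry (`android.permission.BIND_ACCESSIBILITY_SERVICE`) and the service XML with `android:canRetrieveWindowContent="true"` are assumed to be present, because `getRootInActiveWindow()` returns null without that declaration.

```java
import android.accessibilityservice.AccessibilityService;
import android.accessibilityservice.AccessibilityServiceInfo;
import android.util.Log;
import android.view.accessibility.AccessibilityEvent;
import android.view.accessibility.AccessibilityNodeInfo;

import java.util.ArrayList;
import java.util.List;

/**
 * Added example: the UI-tree read that Accessibility abuse relies on.
 * Nothing here is privileged; the only gate is the user enabling the service.
 */
public class UiTreeObserverService extends AccessibilityService {
    private static final String TAG = "UiTreeObserver";   // assumed name

    @Override
    protected void onServiceConnected() {
        // Subscribe to content and text changes in every package (no packageNames
        // filter) and ask for UI updates at most every 100 ms.
        AccessibilityServiceInfo info = new AccessibilityServiceInfo();
        info.eventTypes = AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED
                | AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED
                | AccessibilityEvent.TYPE_VIEW_FOCUSED;
        info.feedbackType = AccessibilityServiceInfo.FEEDBACK_GENERIC;
        info.flags = AccessibilityServiceInfo.FLAG_REPORT_VIEW_IDS;
        info.notificationTimeout = 100;
        setServiceInfo(info);
    }

    @Override
    public void onAccessibilityEvent(AccessibilityEvent event) {
        // The root node is the foreground window: a chat screen, a login form, a PIN pad.
        AccessibilityNodeInfo root = getRootInActiveWindow();
        if (root == null) return;
        List<String> visible = new ArrayList<>();
        collectText(root, visible);
        root.recycle();   // no-op on API 33+, required on older releases
        // A real implant would ship this to its C2; here it only goes to logcat.
        Log.d(TAG, event.getPackageName() + " -> " + visible);
    }

    /** Depth-first walk collecting every text and content description in the tree. */
    static void collectText(AccessibilityNodeInfo node, List<String> out) {
        if (node == null) return;
        CharSequence text = node.getText();
        CharSequence desc = node.getContentDescription();
        if (text != null && text.length() > 0) {
            // Password inputs are flagged; their text is masked in the tree by default.
            out.add((node.isPassword() ? "[password field] " : "") + text);
        } else if (desc != null && desc.length() > 0) {
            out.add(desc.toString());
        }
        for (int i = 0; i < node.getChildCount(); i++) {
            AccessibilityNodeInfo child = node.getChild(i);
            collectText(child, out);
            if (child != null) child.recycle();
        }
    }

    @Override
    public void onInterrupt() { }
}
```

Two caveats follow from this. First, `FLAG_SECURE` on a window blocks screenshots and screen recording but does not hide the window’s text from an enabled service; only Android 14’s `accessibilityDataSensitive` attribute (which hides a view from services that do not declare themselves accessibility tools) addresses that. Second, a service that also holds `FLAG_REQUEST_TOUCH_EXPLORATION_MODE` or uses `performGlobalAction` and `dispatchGesture` can act on the tree as well as read it, which is the remote-control half of the capability described above.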
For regions where secure messaging is widely used for business, finance, and government operations – such as the Middle East and Africa – this capability represents a major privacy and cyber-espionage risk.
Advanced C2 Architecture That Mimics a Songbird
Researchers named the malware “Sturnus” after Sturnus vulgaris, the common starling, known for its rapid, chaotic vocalizations.
The malware communicates in a similarly unpredictable way, shifting between plaintext, RSA-encrypted, and AES-encrypted messages.
It uses:
- WSS (WebSocket Secure) for real-time bot-like operations
- HTTP POST for device registration
- RSA-encrypted AES keys for secure sessions
- Custom binary protocols for command routing
This combination makes the traffic difficult to analyze, detect, or intercept: even where TLS is terminated by an inspection proxy, the inner payload remains encrypted under a per-session AES key that only the operator’s RSA private key can unwrap.
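The “RSA-encrypted AES keys for secure sessions” item is the classic hybrid envelope. The following is an added example of that pattern in plain Java (javax.crypto only), written to show why a network defender with a TLS-inspecting proxy still cannot read the commands; it is a generic illustration of the design, not a reconstruction of Sturnus’s actual wire format, and the bot identifier and JSON registration message are constructed for the demo.

```java
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.spec.MGF1ParameterSpec;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;
import javax.crypto.spec.SecretKeySpec;

/** Added example of an RSA-wrapped AES session, as used by many C2 protocols. */
public class HybridSessionExample {
    static final int GCM_TAG_BITS = 128;
    static final int GCM_IV_BYTES = 12;

    /** What crosses the wire (after TLS): wrapped key, nonce, AES-GCM ciphertext. */
    static final class Envelope {
        final byte[] wrappedKey, iv, ciphertext;
        Envelope(byte[] wrappedKey, byte[] iv, byte[] ciphertext) {
            this.wrappedKey = wrappedKey; this.iv = iv; this.ciphertext = ciphertext;
        }
    }

    static Cipher rsaOaep(int mode, Key key) throws Exception {
        // Explicit OAEP params so MGF1 uses SHA-256 rather than the JDK default SHA-1.
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(mode, key, new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT));
        return c;
    }

    // ---- bot side: fresh AES-256 key per session, wrapped to the operator's public key ----
    static SecretKey newSessionKey() throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        return kg.generateKey();
    }

    static Envelope botSeal(PublicKey operatorPub, SecretKey session, byte[] plaintext) throws Exception {
        byte[] wrapped = rsaOaep(Cipher.ENCRYPT_MODE, operatorPub).doFinal(session.getEncoded());
        byte[] iv = new byte[GCM_IV_BYTES];
        new SecureRandom().nextBytes(iv);
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.ENCRYPT_MODE, session, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new Envelope(wrapped, iv, aes.doFinal(plaintext));
    }

    // ---- server side: only the holder of the RSA private key can recover the session key ----
    static byte[] serverOpen(PrivateKey operatorPriv, Envelope env) throws Exception {
        byte[] raw = rsaOaep(Cipher.DECRYPT_MODE, operatorPriv).doFinal(env.wrappedKey);
        SecretKey session = new SecretKeySpec(raw, "AES");
        Cipher aes = Cipher.getInstance("AES/GCM/NoPadding");
        aes.init(Cipher.DECRYPT_MODE, session, new GCMParameterSpec(GCM_TAG_BITS, env.iv));
        return aes.doFinal(env.ciphertext);   // throws AEADBadTagException if tampered
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair operator = kpg.generateKeyPair();   // public half ships in the APK, private half stays on the C2

        SecretKey session = newSessionKey();
        // Constructed registration message for the demo.
        byte[] registration = "{\"id\":\"bot-0001\",\"model\":\"demo\"}".getBytes(StandardCharsets.UTF_8);
        Envelope env = botSeal(operator.getPublic(), session, registration);

        // An inspecting proxy sees env.wrappedKey (256 opaque bytes for RSA-2048) plus
        // AES-GCM ciphertext; without operator.getPrivate() it cannot recover anything.
        String recovered = new String(serverOpen(operator.getPrivate(), env), StandardCharsets.UTF_8);
        System.out.println("server recovered: " + recovered);
    }
}
```

For detection this suggests where to look: the wrapped key is a fixed-size opaque blob (256 bytes for RSA-2048) at the start of a session, the RSA public key is embedded in the APK and can be extracted as an indicator, and the plaintext-to-encrypted transition described above is visible as a change in message entropy on the WebSocket even when the payload itself is unreadable.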
Targets and Early-Stage Activity
At the moment, Sturnus campaigns appear:
- small,
- sporadic,
- geography-specific,
- and targeted primarily at Southern and Central Europe.
But this pattern aligns with the early testing phase of many high-profile malware families before they expand globally.
Given its modular design, strong remote-control capabilities, and focus on financial fraud, experts fear the MEA region – with its expanding digital payments ecosystem – could become a prime target as operations scale.
Why This Matters to MEA Readers
Although current activity is centered in Europe, the malware’s capabilities, particularly encrypted-messaging interception, are highly concerning for MEA:
- GCC populations rely heavily on WhatsApp and Telegram for business transactions, banking notifications, and corporate communication.
- African markets are undergoing rapid fintech expansion, making mobile fraud a prime target.
- Many organizations in MEA lack strong mobile-endpoint security monitoring.
- Bring-Your-Own-Device (BYOD) usage is widespread across ministries, telecoms, banks, and enterprises.
In short: heavy reliance on messaging apps, widespread mobile banking, and a BYOD culture together create fertile ground for a threat like Sturnus.
Organizations can refer to mobile threat defense solutions and advisory services at Saintynet Cybersecurity to strengthen their resilience.
10 Security Actions to Mitigate Sturnus-Type Threats
Security teams should immediately reinforce mobile-security controls. Recommended actions:
- Deploy Mobile Threat Defense (MTD) across all corporate devices.
- Restrict which apps may run as Accessibility services (an allowlist of accessibility tools), and audit enabled services regularly; a service from an unknown package with “retrieve window content” capability is the primary indicator of this class of malware.
- Require strong mobile device management (MDM) for BYOD and corporate fleets.
- Implement anti-overlay protections in mobile apps, especially banking apps.
- Adopt behavioral anomaly detection for transactions and logins.
- Prefer hardware-backed biometrics over PIN or pattern unlock, which an Accessibility keylogger can capture.
- Provide mobile cybersecurity awareness training.
- Audit apps for FLAG_SECURE enforcement to block screenshots and screen streaming; note that FLAG_SECURE does not hide window text from an enabled Accessibility service, so pair it with Android 14’s accessibilityDataSensitive attribute on sensitive views.
- Enforce Zero Trust principles for all mobile-originated sessions (least privilege, continuous auth).
- Closely monitor emerging threats through cybersecurity intelligence platforms such as reports and alerts on cybercory.com.
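Several of the actions above (restricting Accessibility services, anti-overlay protections, FLAG_SECURE, and watching for device-admin abuse) land in the banking app itself. The following is an added example of how a sensitive screen can apply them, written for this page rather than taken from any real app or from the report. The activity and class names, the `TRUSTED_A11Y_PACKAGES` allowlist (TalkBack’s package is used as a placeholder) and the `onRiskSignal` hook are my own assumptions; the API calls are standard Android SDK.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.util.Log;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import android.widget.EditText;

import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Added example: hardening a login/transaction screen against overlay and Accessibility abuse. */
public class SecureLoginActivity extends Activity {

    // Hypothetical allowlist of accessibility services the app tolerates on this screen.
    static final Set<String> TRUSTED_A11Y_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // 1. Block screenshots, screen recording and MediaProjection-based streaming.
        //    This does NOT hide text from an enabled AccessibilityService (see step 4).
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);

        // 2. Android 12+: hide other apps' overlay windows while this window is showing,
        //    which defeats HTML overlays drawn on top of the real login form.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        EditText passwordField = new EditText(this);
        // 3. Discard touches that pass through another window (tapjacking via transparent overlay).
        passwordField.setFilterTouchesWhenObscured(true);
        // 4. Android 14+: hide this view from services that do not declare isAccessibilityTool.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.UPSIDE_DOWN_CAKE) {
            passwordField.setAccessibilityDataSensitive(View.ACCESSIBILITY_DATA_SENSITIVE_YES);
        }
        setContentView(passwordField);
    }

    @Override
    protected void onResume() {
        super.onResume();
        List<String> suspicious = untrustedAccessibilityServices(this);
        if (!suspicious.isEmpty()) {
            // Policy is the app's decision: step-up authentication, block the session, or report.
            onRiskSignal("untrusted accessibility services: " + suspicious
                    + "; active device admins: " + activeDeviceAdmins(this));
        }
    }

    /** Enabled services that can read window content and are either off-allowlist or (API 33+) not declared tools. */
    static List<String> untrustedAccessibilityServices(Context ctx) {
        AccessibilityManager am = (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> out = new ArrayList<>();
        for (AccessibilityServiceInfo info : am.getEnabledAccessibilityServiceList(
                AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String id = info.getId();                         // "package/class"
            String pkg = id.substring(0, id.indexOf('/'));
            boolean canReadContent = (info.getCapabilities()
                    & AccessibilityServiceInfo.CAPABILITY_CAN_RETRIEVE_WINDOW_CONTENT) != 0;
            boolean declaredTool = Build.VERSION.SDK_INT < Build.VERSION_CODES.TIRAMISU
                    || info.isAccessibilityTool();
            if (canReadContent && (!TRUSTED_A11Y_PACKAGES.contains(pkg) || !declaredTool)) {
                out.add(id);
            }
        }
        return out;
    }

    /** Active device administrators: a malware-owned admin is the "prevent removal" trick. */
    static List<String> activeDeviceAdmins(Context ctx) {
        DevicePolicyManager dpm = (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
        List<String> out = new ArrayList<>();
        List<ComponentName> admins = dpm.getActiveAdmins();   // may be null
        if (admins != null) for (ComponentName c : admins) out.add(c.flattenToShortString());
        return out;
    }

    /** Hypothetical hook; wire this to the app's fraud/risk pipeline. */
    void onRiskSignal(String detail) { Log.w("SecureLogin", detail); }
}
```

None of these checks can be enforced on a device the attacker already controls via a device-admin-protected Accessibility service, which is why the list above also calls for MDM/MTD at the fleet level: an MDM can block the Accessibility and overlay grants before the user ever sees the prompt, while in-app checks only raise the cost once the implant is present.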
Conclusion
Sturnus represents one of the most advanced mobile malware families seen in recent years, capable of bypassing app-level protections, defeating the purpose of encrypted messaging on a compromised device, and giving attackers near-total control of infected devices.
Today, its operations are limited.
Tomorrow, it could be global.
As the mobile ecosystem becomes central to both personal and professional life, the emergence of malware that can undermine banking apps and read “secure” messages marks a significant escalation.
Organizations in the Middle East, Africa, and worldwide must treat this new wave of mobile threats as a wake-up call – and strengthen their defenses before Sturnus moves beyond testing and into mass deployment.