New Android Banking Trojan “Sturnus” Can Read Encrypted Chats on WhatsApp, Telegram, and Signal

A new and highly sophisticated Android banking trojan, identified as Sturnus, has surfaced with the alarming ability to read messages from encrypted messaging apps, including WhatsApp, Telegram, and Signal, and to steal users’ banking information. Security researchers at ThreatFabric have sounded the alarm, noting that although the malware is still in its testing stage, it already demonstrates capabilities more advanced than many long-established malware families.

According to the researchers, Sturnus is being actively configured to target financial institutions across regions in Southern and Central Europe, indicating that a large-scale campaign may soon follow. Its communication framework and device compatibility show a level of refinement uncommon in newly discovered malware strains, raising concerns about the scale of attacks it could support once fully operational.

The malware gets its name from Sturnus vulgaris, the European Starling, a bird known for its fast, unpredictable vocal patterns. Researchers drew this comparison because Sturnus employs a communication protocol that shifts irregularly between simple and complex message formats. This rapid and unpredictable switching mirrors the chaotic chatter of the bird, making the malware difficult to analyze and track.

What makes Sturnus particularly dangerous is its ability to extract content from end-to-end encrypted messaging apps. Crucially, it does not break or compromise the encryption itself. Instead, it abuses Android’s Accessibility Services—a system feature designed to assist users with disabilities. By exploiting this access, Sturnus can read messages directly from the device screen after the app decrypts them. As the researchers explain, Sturnus “monitors the foreground app and automatically activates its UI-tree collection whenever the victim opens encrypted messaging services such as WhatsApp, Signal or Telegram.”

Through this method, Sturnus can observe real-time incoming and outgoing chats, view conversation histories, and access contact lists. This gives attackers unprecedented visibility into personal and financial communications, greatly increasing the risk of credential theft, phishing, and social engineering.

To infiltrate devices, Sturnus disguises itself as legitimate applications such as “Google Chrome” or “Preemix Box,” luring users into downloading what appears to be trusted software. Once installed, it quietly gains accessibility permissions and begins harvesting sensitive information.

With Sturnus now emerging as a potent new threat, researchers warn that Android users should be vigilant about app permissions, avoid sideloading applications, and monitor unusual behavior on their devices—before this evolving malware reaches its full attack potential.
