New Sturnus Android Banking Trojan Can Bypass WhatsApp and Signal to Steal Banking Credentials

Newspoint
A dangerous new Android banking trojan named Sturnus has entered the cybercrime landscape, and security experts warn it could soon pose a major threat. Identified by researchers at ThreatFabric, Sturnus appears to still be in a testing phase, but even at this early stage it can read the contents of encrypted messaging apps such as WhatsApp, Telegram and Signal and steal banking credentials. Its advanced design and broad device support suggest that this emerging Android malware is being prepared for a large-scale campaign across Southern and Central Europe.


The unusual name “Sturnus,” taken from the European Starling (Sturnus vulgaris), refers to how the trojan talks to its operators. Much as the bird's calls are unpredictable, the malware switches at random between simple and complex message formats in its command-and-control traffic, which makes that traffic harder to detect. That evasiveness adds to the concern about its ability to steal banking credentials while reading messages out of supposedly protected messaging apps.

One of the most alarming aspects of this threat is how it gets at WhatsApp, Signal and Telegram. Instead of breaking encryption, Sturnus abuses Android Accessibility Services, a framework intended for assistive tools, to read messages from the screen after the app has already decrypted them. The end-to-end encryption stays intact; it is the endpoint that has been compromised. This lets the trojan monitor conversations, contact lists and full message threads in real time, giving attackers direct visibility into private communications.


According to researchers, Sturnus starts collecting the accessibility UI tree (the structured view of everything on screen that Accessibility Services expose to an app) whenever the user opens one of these messaging apps, so it is constantly watching for sensitive information and can harvest banking credentials from conversations or notifications. To avoid suspicion, the malware disguises itself as trusted apps such as “Google Chrome” or “Preemix Box,” a common but highly effective trick among Android malware.

Once installed, Sturnus focuses on stealing money through two fraud techniques. The first is an overlay attack: it displays a fake banking login screen on top of the legitimate banking app, so victims who enter their details hand their credentials directly to the attackers. Many Android banking trojans use this approach, but Sturnus executes it with far more precision.



The second technique, known as the Black Screen attack, is even more deceptive. When activated, the malware blacks out the display so the user believes the phone is off. In reality the attackers are remotely controlling the device behind that black screen, performing unauthorized transactions and draining funds while the victim remains unaware.

What makes Sturnus particularly dangerous is its resistance to removal. By obtaining Device Administrator privileges, the trojan blocks uninstallation attempts; it also monitors the device's battery, sensors and network activity. This environmental awareness lets it detect when security researchers are analyzing it, and if it senses scrutiny it may hide or pause operations to avoid detection, which makes it a persistent threat on an infected device.

If a user tries to uninstall the fake app or revoke its permissions, Sturnus responds instantly, automatically pressing “back” or closing the Settings window before the change can be made. This level of control shows how much effort the trojan puts into protecting itself so that it can keep harvesting banking credentials and messaging data.
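Because Sturnus relies on exactly two Android mechanisms, an enabled Accessibility Service and an active Device Administrator, a responder with a USB debugging connection can check a handset for both without going through the Settings UI the malware watches. The Python script below is an added example written for this article, not ThreatFabric's or Newspoint's code: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy` and flags any component outside a small allowlist, reporting separately any package that holds both rights, since screen reading plus uninstall blocking is the profile described above. The sample adb output, the allowlists and the `com.preemix.box` package name are constructed for the example; the disguise name “Preemix Box” in the article does not imply that package identifier.

```python
"""Triage helper for the two Android permissions Sturnus abuses.

Added example for this article, not code from ThreatFabric or Newspoint.
It parses the output of two adb commands and flags components that are
not on a small allowlist:

    adb shell settings get secure enabled_accessibility_services
    adb shell dumpsys device_policy

All sample output, package names and allowlists below are constructed.
"""
from __future__ import annotations

import re

# Constructed sample of `settings get secure enabled_accessibility_services`.
# Android stores this as a colon-separated list of pkg/ServiceClass names
# and prints the literal string "null" when the setting is unset.
SAMPLE_ENABLED_A11Y = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.preemix.box/com.preemix.box.AccessService"
)

# Constructed, trimmed sample in the layout of `dumpsys device_policy`:
# active admins appear as indented `pkg/Receiver:` lines under the
# "Enabled Device Admins" header, each followed by further-indented detail.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.mdm/.DeviceAdminReceiver:
      uid=10090
      testOnlyAdmin=false
    com.preemix.box/.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
  Some other section:
    irrelevant=true
"""

# Hypothetical allowlists; a real deployment would build these from the
# organisation's approved accessibility tools and its MDM agent.
KNOWN_GOOD_A11Y = {
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService",
}
KNOWN_GOOD_ADMINS = {"com.example.mdm/.DeviceAdminReceiver"}

# Matches an indented `package/Class:` line and nothing else.
COMPONENT_RE = re.compile(r"^\s+([\w.]+/[\w.$]+):\s*$")


def parse_enabled_accessibility(setting: str) -> list[str]:
    """Split the colon-separated setting into component names."""
    value = setting.strip()
    if not value or value == "null":
        return []
    return [comp for comp in value.split(":") if comp]


def parse_device_admins(dumpsys: str) -> list[str]:
    """Return the component names listed under 'Enabled Device Admins'."""
    admins: list[str] = []
    header_indent: int | None = None
    for line in dumpsys.splitlines():
        indent = len(line) - len(line.lstrip())
        if header_indent is None:
            if "Enabled Device Admins" in line:
                header_indent = indent
            continue
        # A non-blank line at the header's indentation or less starts the
        # next section, so the admin list is complete.
        if line.strip() and indent <= header_indent:
            break
        match = COMPONENT_RE.match(line)
        if match:
            admins.append(match.group(1))
    return admins


def triage(
    a11y_setting: str,
    dumpsys: str,
    known_a11y: set[str] = KNOWN_GOOD_A11Y,
    known_admins: set[str] = KNOWN_GOOD_ADMINS,
) -> list[tuple[str, str]]:
    """Flag unexpected accessibility services and device admins.

    Returns (kind, name) pairs. A package that holds BOTH rights is
    reported once more as ("both", package): screen reading plus
    uninstall blocking is exactly the profile the article describes.
    """
    findings: list[tuple[str, str]] = []
    for comp in parse_enabled_accessibility(a11y_setting):
        if comp not in known_a11y:
            findings.append(("accessibility", comp))
    for comp in parse_device_admins(dumpsys):
        if comp not in known_admins:
            findings.append(("device_admin", comp))

    a11y_pkgs = {name.split("/")[0] for kind, name in findings if kind == "accessibility"}
    admin_pkgs = {name.split("/")[0] for kind, name in findings if kind == "device_admin"}
    for pkg in sorted(a11y_pkgs & admin_pkgs):
        findings.append(("both", pkg))
    return findings


if __name__ == "__main__":
    for kind, name in triage(SAMPLE_ENABLED_A11Y, SAMPLE_DEVICE_POLICY):
        print(f"{kind:14} {name}")
```

Run the two adb commands against the suspect handset, pass the text to `triage()`, and treat anything reported as `both` as a strong candidate for the trojan. Because the article says Sturnus closes the Settings window the moment a user tries to revoke its rights, cleanup is more reliably done over adb or with the phone booted into safe mode, where third-party apps are not started, rather than through the on-device Settings UI it watches.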

Researchers warn that Sturnus maintains “extensive situational awareness,” enabling long-term resilience on infected devices. This adaptability, together with its specialized communication protocol and its ability to read popular encrypted messaging apps without breaking their encryption, sets it apart from many existing Android threats.


The malware's focus on financial institutions across Southern and Central Europe suggests a deliberate, strategic expansion. The criminals behind Sturnus appear to be setting the stage for a widespread financial fraud campaign, and their tactics show once again how attackers misuse Android Accessibility Services to reach highly sensitive data, from private chats to banking credentials.

Deceptive installation, such as mimicking legitimate apps, combined with its two fraud techniques, the fake login overlays and the Black Screen attack, shows that Sturnus is built for maximum exploitation. Its self-protection measures, including anti-uninstallation defenses and the ability to hide from analysis, confirm that this is an especially sophisticated threat.

The comparison with the European Starling's unpredictable calls underlines how hard the trojan may be to detect. That unpredictability could help Sturnus evade automated security systems, which is all the more concerning while it is still evolving in its testing phase. With the potential for expanded targeting and new features, Sturnus could become an even greater threat in the near future.

Overall, the rise of Sturnus underscores how important vigilance and sound security practices are for Android users. As the trojan grows more capable of stealing banking credentials and reading supposedly private messages, users should avoid installing apps from outside official stores, treat any app's request to enable Accessibility Services or Device Administrator access with suspicion, and regularly review which apps hold those permissions.

