Sturnus is a newly identified Android banking trojan with full device-takeover capabilities. It defeats end-to-end encrypted messaging by reading content from the screen after the legitimate app has decrypted it, and it can steal banking credentials, remotely control the device, and hide fraudulent actions from the user.
ThreatFabric's analysis indicates that Sturnus is still under development or in a limited testing phase, yet it already targets financial institutions across Southern and Central Europe, which points to preparation for a broader campaign. The malware is fully functional and, in its communication protocols and device support, already exceeds established families. Evidence points to short, intermittent campaigns that use region-specific templates and focus on the secure messaging apps WhatsApp, Telegram, and Signal. The operators are actively refining their tooling to capture sensitive communications in preparation for more coordinated, large-scale operations.
“Sturnus, in addition to banking applications, also monitors the foreground app and automatically activates its UI-tree collection whenever the victim opens encrypted messaging services such as WhatsApp, Signal, or Telegram.” reads the report published by ThreatFabric.

The malware's traffic mimics the erratic chatter of the common starling (Sturnus vulgaris), switching unpredictably between plaintext, RSA-encrypted, and AES-encrypted messages. A bot registers with the C2 through an HTTP POST and receives a UUID and an RSA public key; it then generates a local AES-256 key, encrypts that key with the RSA public key, and stores the result Base64-encoded. After this key exchange, every message is encrypted with AES/CBC/PKCS5Padding, a fresh IV is prepended to the ciphertext, and the data is wrapped in a custo
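The key exchange and message envelope described above, played out by both sides, as an added example written for this article rather than code from ThreatFabric's report or from the malware itself. It assumes PKCS#1 v1.5 padding for the RSA layer (the page only says the AES key is "encrypted with RSA"), a 2048-bit C2 key, and Base64 as the wire encoding of IV||ciphertext; the registration POST and the custom wrapper around the envelope are left out. The PKCS5 padding is reproduced by hand because Go's standard library does not supply it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"encoding/base64"
	"fmt"
)

// pkcs5Unpad validates and strips the padding Java's "AES/CBC/PKCS5Padding"
// transformation applies (PKCS#7 with a 16-byte block).
func pkcs5Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 && len(b)%aes.BlockSize == 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, fmt.Errorf("invalid PKCS5 padding")
	}
	return b[:len(b)-n], nil
}

// Bot side: a local AES-256 key, RSA-encrypted with the public key received at
// registration, Base64-encoded. PKCS#1 v1.5 is an assumption, not from the report.
func wrapSessionKey(pub *rsa.PublicKey) ([]byte, string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, "", err
	}
	wrapped, err := rsa.EncryptPKCS1v15(rand.Reader, pub, key)
	return key, base64.StdEncoding.EncodeToString(wrapped), err
}

// C2 side: strip Base64, then the RSA layer, to recover the bot's session key.
func unwrapSessionKey(priv *rsa.PrivateKey, wrappedB64 string) ([]byte, error) {
	wrapped, err := base64.StdEncoding.DecodeString(wrappedB64)
	if err != nil {
		return nil, err
	}
	return rsa.DecryptPKCS1v15(rand.Reader, priv, wrapped)
}

// Every message after the exchange: fresh random IV, AES-CBC with PKCS5 padding,
// IV prepended to the ciphertext, Base64 on the wire.
func sealMessage(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return "", err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS5: always 1..16 bytes of padding
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return base64.StdEncoding.EncodeToString(append(iv, ct...)), nil
}

// openMessage reverses sealMessage; it rejects truncated or misaligned envelopes
// before CBC decryption, which would otherwise panic on unaligned input.
func openMessage(key []byte, wire string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(wire)
	if err != nil || len(raw) < 2*aes.BlockSize || len(raw)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("malformed envelope")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, raw[:aes.BlockSize]).CryptBlocks(pt, raw[aes.BlockSize:])
	return pkcs5Unpad(pt)
}

// runExchange plays both sides end to end and returns what the C2 decrypts.
func runExchange(msg string) (string, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // C2 key pair; public half goes out at registration
	if err != nil {
		return "", err
	}
	botKey, wrapped, err := wrapSessionKey(&priv.PublicKey)
	if err != nil {
		return "", err
	}
	c2Key, err := unwrapSessionKey(priv, wrapped) // both sides now hold the bot's AES-256 key
	if err != nil {
		return "", err
	}
	wire, err := sealMessage(botKey, []byte(msg))
	if err != nil {
		return "", err
	}
	pt, err := openMessage(c2Key, wire)
	return string(pt), err
}

func main() { fmt.Println(runExchange(`{"event":"ui_tree","pkg":"com.whatsapp"}`)) }
```

Two points worth noting for anyone analysing captures of this traffic: the session key is generated on the device, so recovering it from the running process (or from wherever the bot keeps it) is enough to decrypt the recorded C2 stream offline, without the operator's RSA private key; and nothing in the scheme as the page describes it authenticates the envelope, so a decryptor must treat a padding error as the only signal of a corrupted or tampered message.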
Sturnus steals data through two linked mechanisms: HTML overlays and Accessibility-based keylogging. It carries phishing templates for the targeted banking apps and displays them in a WebView that captures everything the victim enters and sends it to the C2. Once the data has been exfiltrated, it disables the overlay it used to avoid detection. A full-screen blocking overlay can additionally hide the malware's activity from the user.

Its Accessibility Service logs text changes, clicks, focus changes, and full UI-tree updates, letting operators reconstruct the user's actions even when screen capture is blocked. The same mechanism captures the PIN or password the victim types to unlock the device.
“Because it relies on Accessibility Service logging rather than network interception, the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time.” continues the report. “This makes the capability particularly dangerous: it completely sidesteps end-to-end encryption by accessing messages after they are decrypted by the legitimate app, giving the attacker a direct view into supposedly private conversations. “
Sturnus gives operators full remote control of infected devices through two complementary capture methods: real-time screen mirroring through Android's display-capture framework (MediaProjection), and a fallback that reconstructs screenshots from Accessibility events when standard capture fails. A native library then manages the session over the VNC RFB protocol. Alongside images, the malware sends a structured map of all on-screen elements and tracks clicks, text input, scrolling, and app launches without transmitting any image at all. This element-based mode uses less bandwidth, avoids the screen-capture indicators Android shows, and works even on hidden or protected elements.
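To make the Accessibility-based capture in the previous paragraphs concrete, here is an added example (not code from ThreatFabric or from Sturnus) that replays a constructed AccessibilityEvent stream the way an operator-side collector would. It models the behaviour the report attributes to the malware: collection switches on only while a watched messenger is in the foreground, TYPE_VIEW_TEXT_CHANGED events carry the composer's cumulative text keystroke by keystroke, and TYPE_WINDOW_CONTENT_CHANGED exposes incoming message text exactly as the app rendered it, which is why no screenshot is needed and end-to-end encryption does not help. The event type names and the three package names are real; the resource ids, the "send" click heuristic and the sample events are assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Event models what an Android AccessibilityService receives in
// onAccessibilityEvent(): the event type, the package that produced it, the
// resource id of the source node and its text. The text is whatever the app put
// in the view hierarchy, i.e. already decrypted by the messenger itself.
type Event struct {
	Type, Package, ViewID, Text string
}

// Subset of the real AccessibilityEvent type names.
const (
	WindowStateChanged   = "TYPE_WINDOW_STATE_CHANGED"
	WindowContentChanged = "TYPE_WINDOW_CONTENT_CHANGED"
	ViewTextChanged      = "TYPE_VIEW_TEXT_CHANGED"
	ViewClicked          = "TYPE_VIEW_CLICKED"
)

// Package names of the messengers the page says trigger UI-tree collection.
var watched = map[string]bool{
	"com.whatsapp":               true,
	"org.telegram.messenger":     true,
	"org.thoughtcrime.securesms": true, // Signal
}

// Collector replays an event stream the way an accessibility-based logger
// would, producing an operator-readable transcript without any screenshot.
type Collector struct {
	active    bool   // collection switched on because a watched app is in front
	entryID   string // input field the victim is currently typing into
	entryText string // its cumulative text (TYPE_VIEW_TEXT_CHANGED carries the whole field)
	Log       []string
}

func (c *Collector) Feed(ev Event) {
	switch ev.Type {
	case WindowStateChanged: // foreground app changed: the trigger the page describes
		c.active = watched[ev.Package]
		if c.active {
			c.Log = append(c.Log, fmt.Sprintf("[%s] foreground -> collection ON", ev.Package))
		}
	case WindowContentChanged: // new nodes rendered, e.g. an incoming message bubble
		if c.active && ev.Text != "" {
			c.Log = append(c.Log, fmt.Sprintf("[%s] visible %s: %q", ev.Package, ev.ViewID, ev.Text))
		}
	case ViewTextChanged: // keystroke-level capture of the composer
		if c.active {
			c.entryID, c.entryText = ev.ViewID, ev.Text
		}
	case ViewClicked:
		if !c.active {
			return
		}
		c.Log = append(c.Log, fmt.Sprintf("[%s] click %s", ev.Package, ev.ViewID))
		// Assumed heuristic: a click on a node whose id contains "send" flushes
		// the pending composer text as an outgoing message.
		if strings.Contains(ev.ViewID, "send") && c.entryText != "" {
			c.Log = append(c.Log, fmt.Sprintf("[%s] sent from %s: %q", ev.Package, c.entryID, c.entryText))
			c.entryID, c.entryText = "", ""
		}
	}
}

// Replay feeds a whole stream through a fresh Collector and returns the transcript.
func Replay(events []Event) []string {
	c := &Collector{}
	for _, ev := range events {
		c.Feed(ev)
	}
	return c.Log
}

// Constructed sample stream; the resource ids are illustrative, not taken from
// the report. A browser session precedes the Signal session to show that
// collection stays off until a watched package comes to the foreground.
var sampleEvents = []Event{
	{WindowStateChanged, "com.android.chrome", "", ""},
	{ViewTextChanged, "com.android.chrome", "com.android.chrome:id/url_bar", "bank.example"},
	{WindowStateChanged, "org.thoughtcrime.securesms", "", ""},
	{WindowContentChanged, "org.thoughtcrime.securesms", "org.thoughtcrime.securesms:id/conversation_item_body", "Did the transfer go through?"},
	{ViewTextChanged, "org.thoughtcrime.securesms", "org.thoughtcrime.securesms:id/embedded_text_editor", "Y"},
	{ViewTextChanged, "org.thoughtcrime.securesms", "org.thoughtcrime.securesms:id/embedded_text_editor", "Yes, 4200 EUR"},
	{ViewClicked, "org.thoughtcrime.securesms", "org.thoughtcrime.securesms:id/send_button", ""},
}

func main() {
	for _, line := range Replay(sampleEvents) {
		fmt.Println(line)
	}
}
```

The transcript this produces contains the incoming message, the final composer text and the send click, but never a pixel, which is the point of the "structured map of on-screen elements" mode: the same data stream serves keylogging, conversation theft and remote-control feedback. The practical defensive consequence is that the list of enabled accessibility services on a device (Settings > Accessibility, or `settings get secure enabled_accessibility_services` over adb) is the first thing to check when this family is suspected.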
Sturnus strengthens its persistence by obtaining Device Administrator rights, monitoring unlock events, blocking attempts to revoke its privileges, and preventing its removal. A large monitoring subsystem tracks system changes, connectivity, power state, SIM swaps, app installations, signs of rooting, and developer settings. Sturnus also profiles sensors, hardware, and networks to adapt its tactics, evade analysis, and keep long-term control of the device.
“Sturnus represents a sophisticated and comprehensive threat, implementing multiple attack vectors that provide attackers with near-complete control over infected devices. The combination of overlay-based credential theft, message monitoring, extensive keylogging, real-time screen streaming, remote control, device administrator abuse, and comprehensive environmental monitoring creates a dangerous threat to victims’ financial security and privacy.” concludes the report.