A New Android Banking Trojan Is Quietly Perfecting Full-Device Takeovers

A newly uncovered Android banking trojan is giving security researchers an uncomfortable sense of déjà vu — but with several twists that signal where mobile malware is headed next. The malware, dubbed Sturnus, doesn’t just steal banking credentials. It learns. It adapts. And it leverages the same encrypted-app ecosystem people trust to protect their most sensitive conversations.


Researchers at ThreatFabric say Sturnus is still in its early evaluation phase, but its technical depth is already on par with more mature criminal toolkits. And its targets — banks across Southern and Central Europe — suggest the operators behind it are refining the malware before a much wider rollout.


A Trojan That Watches Everything — Even Encrypted Chats


What sets Sturnus apart is its ability to sidestep encrypted messaging entirely, not by breaking it, but by watching what appears on the victim’s screen after decryption.


“A key differentiator is its ability to bypass encrypted messaging,” ThreatFabric said. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.”

This isn’t packet sniffing. It’s not intercepting messages in transit. It’s visibility at the glass-level — and it’s exactly the kind of capability that could ripple far beyond banking fraud.


Sturnus also abuses Android’s accessibility services to harvest keystrokes, map the UI, and remotely perform actions on behalf of the operator. These hooks enable a kind of hands-on-keyboard experience for attackers, including real-time VNC sessions that make the compromised phone behave like a remotely controlled workstation.


Fake Screens, Fake Updates, and Real Damage


Like many modern banking trojans, Sturnus deploys overlay attacks — fake login screens layered atop legitimate banking apps. But the malware takes pains not to overplay its hand. Once credentials for a specific bank are captured, the overlay is automatically retired to avoid tipping off the victim.


It gets worse. When attackers need uninterrupted access, Sturnus can display a full-screen fake “system update” screen that blocks all feedback while malicious activity happens silently in the background. And if users try to reach the settings panel to revoke admin rights, the malware detects it and force-navigates them away.


The operator, meanwhile, receives a detailed stream of device intel: hardware specs, installed apps, network environment, sensor data, and a constant screen-state feed that allows remote reconstruction of the UI.


Sturnus even bundles two different remote-control pipelines — one built on accessibility automation and another built on Android’s display-capture APIs — giving attackers resilience if one channel is disrupted.
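The behaviours described in the last two sections (an enabled accessibility service that maps the UI and drives the device, plus the ability to draw overlays on top of banking apps) leave traces a responder can read off a suspect handset without any vendor tooling. The script below is an added example, not ThreatFabric's code or anything from the Sturnus samples: it parses the text output of three standard adb commands (`pm list packages -i`, `settings get secure enabled_accessibility_services`, `appops get <pkg> SYSTEM_ALERT_WINDOW`) and flags packages that were installed outside a trusted store and hold those privileges. The device output embedded here is a constructed sample, the only value taken from the article is the rogue Chrome package name, and the trusted-installer list is an assumption to adjust for an enterprise MDM.

```python
"""Offline triage for accessibility-abusing Android trojans (added example).

Inputs are the text of three adb commands a responder captures from a suspect
device.  The strings below are CONSTRUCTED samples in the real output format,
not data from an actual device:
  adb shell pm list packages -i
  adb shell settings get secure enabled_accessibility_services
  adb shell appops get <pkg> SYSTEM_ALERT_WINDOW
"""
import re
from dataclasses import dataclass, field

# Assumption: only Google Play is trusted; add an enterprise MDM package here if used.
TRUSTED_INSTALLERS = {"com.android.vending"}

# `pm list packages -i` prints "package:<pkg>  installer=<installer|null>".
PACKAGE_LINE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)\s*$")

SAMPLE_INSTALLERS = """\
package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.klivkfbky.izaybebnx  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.sideloaded.game  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
"""

# Colon-separated flattened ComponentNames; the relative ".a.b.c" form is valid too.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.klivkfbky.izaybebnx/.a.b.c"
)

# Per-package output of `appops get <pkg> SYSTEM_ALERT_WINDOW` (constructed).
SAMPLE_APPOPS = {
    "com.klivkfbky.izaybebnx": "SYSTEM_ALERT_WINDOW: allow; time=+3d2h10m0s ago",
    "com.example.sideloaded.game": "No operations.",
    "com.android.chrome": "SYSTEM_ALERT_WINDOW: deny",
}


def parse_installers(text):
    """Map package name -> installer package (None when sideloaded, shown as 'null')."""
    result = {}
    for line in text.splitlines():
        m = PACKAGE_LINE.match(line.strip())
        if m:
            inst = m.group("inst")
            result[m.group("pkg")] = None if inst == "null" else inst
    return result


def parse_accessibility_services(setting):
    """Return the set of packages with an enabled accessibility service.

    An empty or 'null' setting value means no service is enabled."""
    if not setting or setting.strip() == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in setting.strip().split(":") if comp}


def overlay_allowed(appops_output):
    """True when the appops dump reports SYSTEM_ALERT_WINDOW as allowed."""
    return bool(re.search(r"SYSTEM_ALERT_WINDOW:\s*allow\b", appops_output or ""))


@dataclass
class Finding:
    package: str
    reasons: list = field(default_factory=list)

    @property
    def severity(self):
        text = " ".join(self.reasons)
        if "accessibility" in text:
            return "high"     # the privilege that enables keylogging and remote UI control
        if "SYSTEM_ALERT_WINDOW" in text:
            return "medium"   # overlay capability without automation
        return "low"          # sideloaded only; still worth a look


def triage(installers_text, a11y_setting, appops_by_pkg, trusted=TRUSTED_INSTALLERS):
    """Flag packages combining sideloading with the privileges Sturnus-class malware abuses."""
    installers = parse_installers(installers_text)
    a11y_pkgs = parse_accessibility_services(a11y_setting)
    findings = []
    for pkg, inst in installers.items():
        if inst in trusted:
            continue  # store-installed apps are out of scope for this heuristic
        reasons = ["installed outside the trusted store"]
        if pkg in a11y_pkgs:
            reasons.append("holds an enabled accessibility service")
        if overlay_allowed(appops_by_pkg.get(pkg)):
            reasons.append("may draw over other apps (SYSTEM_ALERT_WINDOW allowed)")
        findings.append(Finding(pkg, reasons))
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: (rank[f.severity], f.package))


if __name__ == "__main__":
    for f in triage(SAMPLE_INSTALLERS, SAMPLE_A11Y, SAMPLE_APPOPS):
        print(f"[{f.severity}] {f.package}: " + "; ".join(f.reasons))
```

A store-installed screen reader such as TalkBack also appears in the accessibility setting, which is why the heuristic keys on the installer source rather than on accessibility alone; a legitimate sideloaded app with no extra privileges still surfaces as a low-severity entry so the analyst can decide.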


A Starling-Inspired Malware With an Eerie Communication Pattern


The trojan’s name references the European starling, Sturnus vulgaris, known for layering together complex patterns of whistles. The malware reflects that design, blending plaintext, AES, and RSA to create a shifting communication style that’s harder to fingerprint.


That mixed signaling matters, says Aditya Sood, VP of Security Engineering and AI Strategy at Aryaka.


“Sturnus poses a different kind of threat compared to other Android malware due to its ability to use a mix of plaintext, RSA, and AES-encrypted communication with the C2 server it responds to. The combination of these three allows Sturnus to blend more easily into normal network patterns, while also hiding commands and stolen data from defense systems. This advanced level of evasion and resilience from the malware disrupts signature-based detection and can impede reverse-engineering efforts, making it harder to inspect Sturnus’ network traffic or recover the contents that it steals.”

He warns that while Sturnus is currently tuned for banking fraud, its capabilities stretch much further.


“As a banking trojan, Sturnus is primarily targeting financial organizations. However, the ability to steal messages from end-to-end encrypted platforms like Signal could spell serious problems for organizations, as those applications are used across several industries to secure sensitive or confidential information. Individuals who are at-risk, or who are in control of sensitive information, must avoid downloading APK files from outside Google Play, and should continuously monitor for malicious activity if infection is suspected.”

A Small-Scale Operation — For Now


Despite its sophistication, Sturnus hasn’t spread widely yet. ThreatFabric says the malware’s distribution artifacts — such as rogue Chrome impostors (“com.klivkfbky.izaybebnx”) and apps masquerading as Preemix Box — point to small-scale, targeted deployments.


Privately operated malware is often the prelude to commercialized cybercrime tooling. Once an attacker group validates its reliability, features like VNC-grade control, encrypted-chat capture, and adaptive overlays often end up in broader malware-as-a-service kits.


And Sturnus, with its environment modeling and evasive communication, looks engineered for that trajectory.


The Coming Wave of Mobile Fraud Automation


The mobile banking threat landscape has been steadily consolidating around a handful of “big family” trojans — Octo, Cerberus offshoots, Hydra, Nexus. But Sturnus hints at the next evolutionary step: full device simulation, not just credential theft.


If attackers can read your encrypted messages, click your buttons, navigate your settings, and mirror your screen, then the line between malware and remote operator blurs almost completely.


Right now, Sturnus is just testing the waters. But its capabilities suggest a looming wave of mobile fraud tools that operate with the precision of human attackers — and the scalability of malware.