OP 22 November, 2025 - 11:13 PM
Sturnus, an advanced Android banking trojan, has been discovered by ThreatFabric. Learn how this malware sidesteps end-to-end encryption on Signal and WhatsApp by reading already-decrypted messages off the screen, steals bank credentials using fake login screens, and executes fraudulent transactions.
Cybersecurity researchers have discovered a new, highly dangerous Android banking malware called Sturnus, named after the common starling or ‘songbird’ because of its complex and ‘chaotic’ communication style.
The Dutch cybersecurity firm ThreatFabric identified this privately-operated threat, which has features that are simply far more advanced and dangerous than what we’ve seen before.
According to ThreatFabric's blog post, published on November 20, 2025, Sturnus is far more advanced than previous malware: it is capable of stealing your bank details and of viewing chat content in apps like WhatsApp, Telegram and Signal by abusing Android's Accessibility Service.
How it Decodes Your ‘Encrypted’ Chats
Even though these apps use end-to-end encryption, which means only you and the person you're chatting with can read the messages, Sturnus gets around this protection without breaking the encryption at all. It works by relying on the Android Accessibility Service to read the message content directly from the screen after the legitimate app has decrypted it, so the cryptography is intact but the endpoint is compromised. This means the attackers can see full conversations, contacts, and all incoming and outgoing messages in real time.
![[Image: New-Sturnus-Android-Malware-Defeats-What...ccount.png]](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fhackread.com%2Fwp-content%2Fuploads%2F2025%2F11%2FNew-Sturnus-Android-Malware-Defeats-WhatsApp-Encryption-and-Hijacks-Your-Bank-Account.png)
A Fully Featured Threat
The malware is distributed through social engineering campaigns, including phishing (email), smishing (SMS text messages), or via a malicious dropper application, which tricks users into installing the final malware as an unofficial (sideloaded) APK file.
Once Sturnus infects a phone, it uses two integrated methods to steal sensitive data: deploying fake login screens, known as HTML overlays, that mimic banking apps; and simultaneously employing a comprehensive keylogging pipeline via the Accessibility Service to record every keystroke and screen tap.
Further probing revealed that the malware gives the attackers extensive remote control. They can type, monitor all activity, and, most disturbingly, display a black screen overlay to hide their actions while the malware silently executes fraudulent transactions in the background. The malware also uses its keylogging ability to capture device PINs and passwords, which makes it easy to unlock the device itself.
![[Image: New-Sturnus-Android-Malware-Defeats-What...ount-1.png]](https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Fhackread.com%2Fwp-content%2Fuploads%2F2025%2F11%2FNew-Sturnus-Android-Malware-Defeats-WhatsApp-Encryption-and-Hijacks-Your-Bank-Account-1.png)
The Attack Status and Targets
It is worth noting that Sturnus is highly persistent. It gains special privileges on the phone, called Device Administrator rights, and actively protects them. If a user tries to disable these rights or uninstall the malware in settings, Sturnus detects the attempt and automatically stops the action. This defence makes it very difficult to get rid of it once installed.
Researchers assess that although this malware is not yet widespread and is currently in an early testing phase, it is already fully functional. Its configurations show an immediate focus on targeting financial institutions across Southern and Central Europe. This concentration on high-value apps and specific regions suggests the criminals are getting ready for a much larger, more coordinated attack.
Source:
HackRead
https://hackread.com/sturnus-android-mal...nal-chats/
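The two capabilities the article hinges on, an enabled Accessibility Service (for screen reading, keylogging and overlays) and active Device Administrator rights (for blocking uninstall), are both visible from outside the app. The triage helper below is an added example, not code from the article or from ThreatFabric: it parses the text output of three real `adb shell` commands (`settings get secure enabled_accessibility_services`, `dumpsys device_policy`, `pm list packages -3`) and flags any package that holds either privilege and is not on an allowlist. The sample outputs, the package name `com.example.playstore.update` and the allowlist entries are constructed for the example; the exact layout of `dumpsys device_policy` varies by Android version, so the regex is an assumption you should check against your device.

```python
"""Flag third-party apps holding Accessibility and/or Device Admin privileges.

Added example (not from the article). Feed it the raw text of:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys device_policy
  adb shell pm list packages -3
Everything below labelled SAMPLE_* is constructed output for an offline run.
"""
import re

# Assumed-benign holders of these privileges (constructed allowlist; tune per fleet).
ALLOWLIST = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
    "com.android.settings",
}

# Constructed: colon-separated component names, as `settings get secure` prints them.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.playstore.update/.AccessService"
)

# Constructed, approximating the `dumpsys device_policy` admin listing.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.playstore.update/.AdminReceiver:
      uid=10245
      testOnlyAdmin=false
    com.android.settings/.DeviceAdminReceiver:
      uid=1000
"""

# Constructed: `pm list packages -3` output (third-party packages only).
SAMPLE_THIRD_PARTY = """\
package:com.example.playstore.update
package:com.whatsapp
"""


def parse_accessibility(raw):
    """Packages that currently have an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":          # setting unset on a clean device
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if "/" in entry}


def parse_device_admins(raw):
    """Packages listed as active device admins (component lines 'pkg/cls:')."""
    return set(re.findall(r"^\s*([\w.]+)/[\w.$]+:\s*$", raw, re.MULTILINE))


def parse_third_party(raw):
    """Package names from `pm list packages -3` ('package:<name>' lines)."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def triage(acc_raw, dp_raw, tp_raw, allowlist=ALLOWLIST):
    """Return findings for non-allowlisted packages holding either privilege.

    A package with BOTH accessibility and device-admin rights matches the
    Sturnus profile (screen reading + uninstall blocking) and is rated HIGH.
    """
    acc, admins, third = (parse_accessibility(acc_raw),
                          parse_device_admins(dp_raw),
                          parse_third_party(tp_raw))
    findings = []
    for pkg in sorted((acc | admins) - allowlist):
        reasons = []
        if pkg in acc:
            reasons.append("accessibility service enabled")
        if pkg in admins:
            reasons.append("active device admin")
        if pkg in third:
            reasons.append("third-party app")
        severity = "HIGH" if pkg in acc and pkg in admins else "MEDIUM"
        findings.append({"package": pkg, "severity": severity, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_DEVICE_POLICY, SAMPLE_THIRD_PARTY):
        print(f["severity"], f["package"], "-", "; ".join(f["reasons"]))
```

A HIGH finding does not prove infection, but a sideloaded app that needs both a screen reader's privilege and device-admin rights has no legitimate reason to exist on a consumer phone. Because a Device Admin app can block its own removal in the Settings UI, the usual remediation is to revoke the admin right from safe mode (or wipe the device) rather than to trust the on-device uninstall flow.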