- By Alex David
- Wed, 26 Nov 2025 01:51 PM (IST)
- Source:JND
Security researchers have expressed alarm about a newly discovered Android malware, known as Sturnus, which not only can steal banking credentials but also can infiltrate users' devices more deeply than previously anticipated. Sturnus operates like an advanced Android banking Trojan, mimicking bank app login screens while monitoring real-time activity on user devices as well as accessing end-to-end encrypted messages on platforms like WhatsApp, Telegram and Signal.
Sturnus appears to be targeting users in Southern and Central Europe at present, although researchers warn it could change quickly. Google has yet to issue a security patch against the vulnerability used by Sturnus.
A fake login page that looks real
According to ThreatFabric's report, the MTI Security firm found that Sturnus can display fake login pages for the banking apps installed on a phone, so when users unknowingly enter their credentials into these pages, Sturnus captures them and sends them to the attacker.
Once on a device, the malware can give an attacker remote access and let them monitor everything happening on it, including taps and swipes across apps and any activity taking place within them.
Remote control, screen blackout and silent transactions
Sturnus goes beyond mere observation: attackers can use it to control and operate the phone remotely, and even to black out its display entirely.
Once the screen has been blacked out, however, the device still responds to inputs, meaning an attacker could move money, approve transfers or change account settings invisibly while users believe their phone has simply frozen up.
How it bypasses encrypted chats
Researchers are most concerned with how Sturnus handles end-to-end encrypted messaging apps like WhatsApp, Telegram and Signal. Instead of attempting to break the encryption itself, it waits until a conversation starts between two parties and then uses its screen access to capture the messages once the app has decrypted and displayed them, giving it access to WhatsApp, Telegram and Signal chats without needing the encryption keys.
Early stages, but growing risk
MTI Security believes Sturnus is still in active development. Only a small number of victims have been identified so far, mostly through short and targeted attack bursts. But the scope could expand rapidly once the malware matures.
Researchers warn that a wider, more aggressive campaign is likely if the developers continue sharpening its capabilities.
What Android users should do now
While Google hasn’t issued a patch yet, users can reduce risk by avoiding APKs from unknown sources, keeping Play Protect enabled, and reviewing accessibility permissions regularly — since banking trojans often rely on them.
Sturnus is still new, but its skillset is worrying. If the attackers scale it up, it could become one of the most dangerous Android banking threats in years.
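One way to carry out the accessibility review described above from a computer, shown as an added example that is not part of the original article or the researchers' report: it lists the enabled accessibility services and flags those whose package was not installed by the Play Store. The function names, the trusted-installer list and the sample data are assumptions made for illustration; the `--live` path needs `adb` and a device with USB debugging enabled.

```python
import subprocess
import sys

# Assumption: only the Play Store counts as a trusted installer; adjust as needed.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample data (not from a real device), in the format adb returns.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.example.updater/.HelperService")
SAMPLE_INSTALLERS = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
                     "package:com.example.updater  installer=null\n")

def parse_services(raw):
    """Split the colon-separated 'package/ServiceClass' list from secure settings."""
    # An empty value or the literal 'null' has no '/', so it yields an empty list.
    return [tuple(s.split("/", 1)) for s in raw.strip().split(":") if "/" in s]

def parse_installers(raw):
    """Map package -> installer from 'pm list packages -i' output."""
    out = {}
    for line in raw.splitlines():
        if line.strip().startswith("package:"):
            pkg, _, src = line.strip()[len("package:"):].partition("installer=")
            out[pkg.strip()] = src.strip() or "null"
    return out

def flag_services(services_raw, installers_raw, system_pkgs=frozenset()):
    """Return enabled accessibility services from non-store, non-system packages."""
    installers = parse_installers(installers_raw)
    flagged = []
    for pkg, cls in parse_services(services_raw):
        src = installers.get(pkg, "null")
        if pkg not in system_pkgs and src not in TRUSTED_INSTALLERS:
            flagged.append((pkg, cls, src))
    return flagged

def adb(*args):
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    if "--live" in sys.argv:  # query the connected device instead of the sample
        svc = adb("settings", "get", "secure", "enabled_accessibility_services")
        inst = adb("pm", "list", "packages", "-i")
        system = set(parse_installers(adb("pm", "list", "packages", "-s")))
    else:
        svc, inst, system = SAMPLE_SERVICES, SAMPLE_INSTALLERS, set()
    for pkg, cls, src in flag_services(svc, inst, system):
        print(f"REVIEW {pkg}/{cls} (installer={src})")
```

A flagged entry is a prompt to check the app by hand, not proof of infection: legitimate sideloaded tools also appear here.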

