New Sturnus Android Trojan Bypasses Signal/WhatsApp Encryption, Seizes Full Control
Cybersecurity experts have detailed a newly identified Android banking trojan called Sturnus, engineered to steal credentials and seize full control of a device—granting attackers the ability to conduct financial fraud with virtually no involvement from the victim.
One of Sturnus’s most striking capabilities, highlighted by researchers at ThreatFabric, is its ability to bypass protections in encrypted messengers. The malware does not attempt to break encryption protocols; instead, it simply captures the screen after messages have been decrypted, allowing it to monitor conversations in WhatsApp, Telegram, and Signal.
The trojan also supports traditional overlay attacks, in which a counterfeit login form is displayed on top of a legitimate banking application. Victims enter their username and password believing they are signing in to their bank, while the credentials are immediately transmitted to the operators. According to the Dutch firm ThreatFabric, Sturnus is currently distributed privately and remains in an evaluation phase. Identified samples masquerade as Google Chrome, using the package name “com.klivkfbky.izaybebnx,” and as Preemix Box, using “com.uvxuthoq.noscjahae.” The malware targets banks in Southern and Central Europe and employs region-specific fake screens.
The name Sturnus is no coincidence. Researchers link it to the malware’s communication methods with its command-and-control servers, which combine plaintext with AES and RSA encryption—reminiscent of the European starling Sturnus vulgaris, famous for its varied whistles and mimicry.
Upon execution, the trojan connects to a remote server via WebSocket and HTTP channels, registers the device, and receives encrypted commands and additional modules. A dedicated WebSocket channel enables real-time remote interaction during VNC sessions, effectively allowing operators to use the phone as though it were in their hands.
To track user activity, Sturnus extensively abuses Android’s Accessibility Services. It can silently record keystrokes, log UI interactions, and deploy phishing overlays tailored to specific banks. Once the victim enters credentials into a counterfeit form, the overlay for that bank deactivates to avoid arousing suspicion.
Another technique employed by Sturnus involves full-screen interface hijacking. The trojan can display a screen mimicking an Android system update, completely blocking visual feedback. During this time, the victim believes an update is underway while the malware may be transferring funds or configuring remote access in the background.
Its feature set extends further. The malware can monitor device activity, extract chat content from Signal, Telegram, and WhatsApp when those apps are opened, and upload detailed descriptions of all visible UI elements. This allows operators to reconstruct the device’s layout remotely and control it with precision—pressing buttons, typing text, scrolling lists, launching apps, confirming permissions, or activating a black screen mode.
Sturnus also includes an alternative remote-control mechanism using Android’s system-level screen-capture framework to stream the display in real time. This pushes the experience closer to a full interactive session, where the attacker sees exactly what the device owner sees.
Researchers emphasize Sturnus’s robust defenses against removal. When a user attempts to navigate to settings to revoke device-administrator privileges, the trojan—through Accessibility monitoring—detects the attempt, locates the relevant controls, and automatically diverts the user to another page. Unless these privileges are manually revoked, removing the malware by ordinary means—or even via ADB—is exceptionally difficult.
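As an added triage helper that is not part of the ThreatFabric report or this article, the script below takes the output of two adb commands (`adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`) and flags the two package names quoted above, plus any enabled Accessibility Service that does not belong to an assumed trusted vendor prefix; the sample device output and the `.AccService` class name are constructed for illustration.

```python
"""Triage helper for a suspected Sturnus infection (added example).

Feed it the text of:
  adb shell pm list packages -3
  adb shell settings get secure enabled_accessibility_services
"""
import re

# Package names quoted in the article from the ThreatFabric report.
STURNUS_PACKAGES = {
    "com.klivkfbky.izaybebnx",  # posed as Google Chrome
    "com.uvxuthoq.noscjahae",   # posed as Preemix Box
}

# Assumption: services from these vendor prefixes are treated as expected.
TRUSTED_PREFIXES = ("com.android.", "com.google.android.")


def parse_package_list(text: str) -> set:
    """Collect names from 'package:<name>' lines of `pm list packages`."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", text, re.M)}


def parse_accessibility_services(text: str) -> list:
    """Split the colon-separated component list; 'null' means none enabled."""
    text = text.strip()
    if not text or text == "null":
        return []
    return [c for c in text.split(":") if c]


def triage(packages_text: str, services_text: str) -> dict:
    """Return known-IoC hits and accessibility services outside trusted vendors."""
    installed = parse_package_list(packages_text)
    services = parse_accessibility_services(services_text)
    ioc_hits = sorted(installed & STURNUS_PACKAGES)
    # A component is 'package/class'; the package part is what we vet.
    untrusted = [s for s in services
                 if not s.split("/", 1)[0].startswith(TRUSTED_PREFIXES)]
    return {"ioc_hits": ioc_hits, "untrusted_accessibility": untrusted}


# Constructed sample output, not captured from a real device.
SAMPLE_PACKAGES = "package:com.example.bank\npackage:com.klivkfbky.izaybebnx\n"
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
                   "com.klivkfbky.izaybebnx/.AccService")

if __name__ == "__main__":
    print(triage(SAMPLE_PACKAGES, SAMPLE_SERVICES))
```

A hit in either list is a reason to revoke the service and device-administrator privileges in Settings before attempting removal, as the paragraph above describes.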
Beyond direct control, Sturnus continuously gathers extensive environmental data. It collects sensor information, network status, hardware details, and a list of installed applications. This device profile acts as a persistent feedback channel that helps operators tailor their actions, evade detection, and refine their attacks.
According to ThreatFabric, Sturnus’s current distribution remains limited. However, its narrow geographic focus and its meticulous tailoring to regional banking applications suggest that its authors are refining their toolset in preparation for broader or more coordinated attack campaigns.