Sturnus is an Android banking trojan already showing advanced, multi-layered capabilities despite being new, and this article breaks down what it does, how it steals data from encrypted apps, and practical steps you can take to lock down your phone. You’ll get a clear look at overlays, accessibility abuse, remote control features and the permissions attackers exploit, along with prevention tips that actually make a difference. Read on to understand why this strain deserves attention and what to change on your device now.
This malware can hijack a phone display, snatch banking logins and capture chats from apps you trust by waiting for those apps to decrypt messages locally. It does not break end-to-end encryption in transit; instead it grabs data after your device has already unlocked it for display. That quiet timing is what makes it especially dangerous, because everything looks normal until the theft is happening.
Sturnus wires together overlays, keylogging and deep UI inspection to build many fallback routes for stealing credentials. It uses HTML overlays that mimic real banking screens and sends the information through a WebView straight to the operator. At the same time, it leverages Accessibility Services as a persistent keylogger, watching text input, the active app and the UI tree to reconstruct interactions even when screenshots are blocked.
Beyond scraping text, the malware monitors messaging apps such as WhatsApp, Telegram and Signal and captures messages the moment those apps decrypt them on-screen. That means messages remain encrypted over the network but are visible to the trojan once shown on the device. Sturnus also supports live screen streaming and a lean mode that sends interface data only, enabling precise taps and text injection without obvious on-screen activity.
Getting Device Administrator rights is part of the cleanup-resistant playbook Sturnus uses to survive removal attempts. If you try to open the settings page that would revoke those rights, the malware can detect it and steer you away. It also keeps an eye on battery state, SIM swaps, developer options and network conditions to decide how aggressively to act, and it encrypts its command traffic with standard crypto to blend in.
For financial fraud the toolkit is broad: overlays, keylogging, UI-tree harvesting and direct text injection let attackers capture or fake credentials. In some cases the trojan blacks out the screen with a full-screen overlay while the attacker completes transactions in the background. Victims see nothing during these silent operations until balances are already hit.
If you want to reduce your risk, start by avoiding sideloaded APKs from forwarded links, sketchy websites and third-party stores. Banking malware is often delivered as a disguised installer that promises updates, coupons or new features, so only install apps from official sources unless you can verify the developer and the file hashes. If an app unexpectedly asks for Accessibility or Device Administrator access, stop and uninstall it right away unless it has a clear, legitimate need for those permissions.
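As an added defender-side example, not code from the article or from any vendor, here is a small POSIX shell script that audits the two grants described above on a phone connected over adb with USB debugging enabled. The allowlist, the sample output and the `ComponentInfo{...}` line format assumed for `dumpsys device_policy` are my assumptions, and the sample values are constructed.

```shell
#!/bin/sh
# Added example (not from the article): triage the two grants Sturnus relies on,
# Accessibility Services and Device Administrator, on a connected Android phone.

# Assumed allowlist of accessibility services you enabled on purpose
# (package/service component names); anything else deserves a look.
KNOWN_A11Y="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Print every enabled accessibility service that is not on KNOWN_A11Y.
# $1: raw value of 'settings get secure enabled_accessibility_services'
#     (colon-separated component names, or the literal "null" when none).
unknown_a11y_services() {
  raw="$1"
  if [ "$raw" = "null" ]; then return 0; fi
  printf '%s\n' "$raw" | tr ':' '\n' | while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    case ":$KNOWN_A11Y:" in
      *":$svc:"*) ;;                    # deliberately enabled, skip it
      *) printf '%s\n' "$svc" ;;        # unexpected: report it
    esac
  done
}

# Print active device-admin components from 'dumpsys device_policy' output.
# $1: raw dumpsys text. Assumption: admins appear as ComponentInfo{pkg/cls}.
device_admins() {
  printf '%s\n' "$1" | grep -o 'ComponentInfo{[^}]*}' \
    | sed 's/ComponentInfo{\(.*\)}/\1/' | sort -u
}

# Query a USB-debugging-enabled phone via adb and report both lists.
audit_device() {
  a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  dpm=$(adb shell dumpsys device_policy | tr -d '\r')
  echo "Accessibility services not on your allowlist:"
  unknown_a11y_services "$a11y"
  echo "Active device administrators (revoke any you do not recognise):"
  device_admins "$dpm"
}

# Constructed sample values standing in for the adb output above: TalkBack plus
# an unfamiliar sideloaded package holding both grants.
SAMPLE_A11Y="$KNOWN_A11Y:com.update.free/.CoreService"
SAMPLE_DPM="Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.update.free/com.update.free.AdminReceiver}
      uid=10234, testOnly=false"

echo "Suspect accessibility services:"; unknown_a11y_services "$SAMPLE_A11Y"
echo "Device admins:"; device_admins "$SAMPLE_DPM"
```

Call `audit_device` to run the same checks against a real phone; anything it reports that you did not knowingly enable should be revoked from the Accessibility and device admin settings screens and the app removed.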
Keep your phone updated because many Android threats target unpatched systems. If your device no longer receives security updates it becomes a softer target for banking trojans. Also be cautious with custom ROMs unless you know how they handle security patches and Play Protect integration.
Google Play Protect catches a lot of known threats, but it is not perfect, especially against fresh families that employ stealthy overlays and accessibility abuse. Consider a reputable third-party security app for extra detection and behavioral monitoring, since those tools can alert you to screen-logging or suspicious remote control attempts. Strong antivirus and antimalware software remain a practical last line of defense for most users.
Data brokers and leaked databases make targeted attacks easier by supplying attackers with phone numbers and emails to bait victims with convincing messages. A data removal service can reduce your exposure by clearing broker listings, though no service can wipe every trace. Shrinking your public footprint forces attackers to work harder and reduces the odds you’ll be singled out for tailored malware lures.
Watch out for sudden or unusual login prompts inside apps, and never enter bank details into a screen that appears unexpectedly after launching an app. If a prompt looks off, close the app and reopen it from your app drawer to confirm whether the request is legitimate. And when in doubt, contact your bank through official channels before responding to any message or installing anything that arrives via SMS, WhatsApp, email or social links.
