The Sturnus Android banking trojan steals credentials from Google Play Store apps
NEWNow you can listen to Fox News articles!
A new Android banking trojan called Sturnus is shaping up to be one of the most powerful threats we’ve seen in a long time. It’s still in early development, but it’s already behaving like a fully mature project.
Once it infects a device, it can take control of your screen, steal your banking information and read encrypted conversations in apps you trust. The worrying part is how quietly it works in the background. You think your messages are safe because they’re end-to-end encrypted, but this malware simply waits for the phone to de-encrypt before grabbing everything.
It is important to note, however, that Sturnus does not break encryption; it only captures messages after your apps have decrypted them on your device.
Sign up for my FREE CyberGuy report
Get my best tech tips, emergency security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join CYBERGUY.COM newspaper.
The Sturnus malware uses fake screens that mimic real banking apps to steal your information in seconds. (Kurt “CyberGuy” Knutsson)
A closer look at malware capabilities
Sturnus includes several attack layers that give operators full visibility into the device, as reported by cybersecurity research firm ThreatFabric. It uses HTML overlays that mimic real banking applications to trick you into typing in your information. Everything you enter goes directly to the attacker with a WebView that transfers data quickly. It also uses a key entry system with the Android Accessibility Service. This allows it to capture text as you type, track which app is open, and map every UI element on the screen. Even if apps block screenshots, the malware keeps track of the UI tree in real time, enough to reconstruct what you’re doing.
NEW ANDROID MALWARE CAN ACCESS YOUR BANK ACCOUNT IN SECONDS
On top of overlays and keystrokes, the malware monitors WhatsApp, Telegram, Signal, and other messaging apps. It waits for these apps to decrypt messages locally, then captures the text right on the screen. This means that your conversations may remain encrypted on the network, but when a message appears on your screen, Sturnus sees the entire conversation. It also includes a full remote control feature with live screen streaming and a high-performance mode that only sends interface data. This allows precise tapping, text injection, scrolling and permissions without showing any activity to the victim.
How Sturnus stays hidden and steals money
The malware protects itself by seizing Device Administrator privileges and preventing any attempt to remove it. If you open a settings page that might disable those permissions, Sturnus quickly detects it and removes you from the screen before you can take action. It also monitors battery status, SIM changes, developer mode, network conditions and even forensic investigation signals to determine behavior. All this data returns to the command and control server via a combination of WebSocket and HTTP channels protected with RSA and AES encryption.
When it comes to stealing funds, malware has several ways to take over your accounts. It can collect data through overlays, keylogging, UI tree monitoring and direct text injection. If needed, it can darken your screen with a full-screen overlay while the attacker performs fraudulent activities in the background. Since the screen is hidden, you have no idea what’s going on until it’s too late.
7 ways to stay safe from Android malware like Sturnus
If you want to protect yourself from threats like these, here are a few practical things you can start doing right away.
1) Install apps only from trusted and verified sources
Avoid downloading APKs from forwarded links, shady websites, Telegram groups or third-party app stores. Banking malware spreads most effectively through side-loaded installers disguised as updates, coupons or new features. If you need an app that is not in the Google Play Store, verify the developer’s official site, check the hashes if they are provided and read the latest updates to make sure that the app is not pirated.
2) Check permission requests carefully before tapping allow
The most dangerous malware relies on Accessibility permissions because they allow full visibility of your screen and interactions. Device Administrator rights are very powerful as they can prevent deletion. If a simple application suddenly asks for this, stop immediately. These permissions should only be granted to applications that really need them, such as password managers or trusted access tools.
3) Keep your phone updated
Install system updates as soon as they arrive, as most Android banking trojans target older devices that don’t have the latest security patches. If your phone is no longer receiving updates, you are at risk, especially if you use financial apps. Avoid sideloading custom ROMs unless you know how they handle security patches and Google Play Protect.
HOW ANDROID MALWARE ALLOWS THIEVES TO ACCESS YOUR ATM CASH
4) Use strong antivirus software
The malware silently captures deleted messages from apps like WhatsApp, Telegram and Signal as they appear on your screen. (Kurt Knutsson)
Android phones come with Google Play Protect built-in, which catches most of the known malware families and warns you if apps are behaving suspiciously. But if you want maximum security and control, choose a third-party antivirus application. These tools can alert you when an app starts invading your screen or tries to take over your phone.
The best way to protect yourself from malicious links that contain malware, which may have access to your private information, is to install strong anti-virus software on all your devices. This protection can alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.
Find my picks for the best antivirus 2025 winners for your Windows, Mac, Android & iOS devices at Cyberguy.com.
5) Use a personal data deletion service
Many of these campaigns rely on data brokers, leaked databases and deleted profiles to build target lists. If your phone number, email, address or social handles are floating around on multiple seller sites, it’s much easier for attackers to reach you with malware links or designed scams. A personal data removal service helps clean up that step by removing your information from data brokers’ lists.
Although no service can guarantee the complete removal of your data from the Internet, a data removal service is definitely a smart choice. They don’t come cheap, and neither does your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. That’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of fraudsters transferring data from information breaches they may find on the dark web, making it harder for them to identify you.
Check out my top picks for data removal services and get a free scan to find out if your personal information is already out there on the web by visiting Cyberguy.com.
Get a free scan to find out if your personal information is already out there on the web: Cyberguy.com.
6) Treat unusual login screens and pop-ups as red flags
Trojan overlays often appear when you open your banking application or popular service. If the screen layout looks different or asks for information in a way you don’t recognize, close the app completely. Reopen it in your app drawer and see if the notification comes back. If it doesn’t, you’re probably holding an overlay. Never type banking information on screens that appear suddenly or appear out of place.
With remote control tools that stream your screen and automated tapping, attackers can move money behind the scenes without you noticing. (Felix Zahn/Photothek via Getty Images)
7) Be careful about the links and attachments you receive
Attackers often distribute malware through WhatsApp links, SMS messages and email attachments posing as invoices, refunds or delivery updates. If you find a link you didn’t expect, open your browser manually and search for the service instead. Avoid including anything that appears in the message, even if it appears to be from someone you know. Damaged accounts are the most common delivery method.
DATA BREAK EXPOSES 400,000 BANK CUSTOMER INFORMATION
The key to take Kurt
Sturnus is still a small malware family, but it already stands out for how much control it gives attackers. It leaves encrypted messages, steals bank information with multiple backup methods, and keeps a tight grip on the device by using administrator privileges and endless environmental checks. Even if current campaigns are limited, the level of sophistication here suggests a threat that is being prepared for larger operations. If it reaches widespread distribution, it could be one of the most damaging Android banking trojans in circulation.
Have scammers ever tried to trick you into installing an app or clicking a link? How did you handle it? Let us know by writing to us at Cyberguy.com.
CLICK HERE TO DOWNLOAD THE FOX NEWS PROGRAM
Sign up for my FREE CyberGuy report
Get my best tech tips, emergency security alerts and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – free when you join CYBERGUY.COM newspaper.
Copyright 2025 CyberGuy.com. All rights reserved.
