A new Android banking Trojan called Sturnus looks set to become one of the most powerful threats we've ever seen. It is still in its early stages of development, but it already behaves like a fully mature operation.
Once it infects your device, it can take over your screen, steal your banking credentials, and even read encrypted chats from apps you trust. What's disturbing is how quietly it runs in the background. You think your messages are safe because they are end-to-end encrypted, but this malware simply waits for your phone to decrypt them and then intercepts everything.
However, it is important to note that Sturnus does not break encryption; it only captures messages after your apps decrypt them on your device.
Subscribe to my FREE CyberGuy Report
Get my best tech tips, breaking security alerts, and exclusive offers straight to your inbox. Plus, you'll get instant access to my Ultimate Scam Survival Guide – free when you join my CYBERGUY.COM newsletter.
Sturnus malware uses deceptive screens that mimic real banking applications to steal your credentials in seconds. (Kurt “CyberGuy” Knutsson)
A detailed overview of the malware's capabilities
Sturnus combines multiple attack layers that give the operator nearly complete visibility into the device, according to cybersecurity research firm ThreatFabric. It uses HTML overlays that mimic real banking apps to trick you into entering your credentials; everything you type into them is passed to the attacker through a WebView, which forwards the data instantly. It also runs an aggressive keylogger through the Android Accessibility Service, which lets it capture text as you type, keep track of which app is open, and read every UI element on the screen. Even when apps block screenshots, the malware keeps monitoring the UI tree in real time, which is enough to reconstruct what you're doing.
Apart from overlays and keylogging, the malware monitors WhatsApp, Telegram, Signal and other messaging apps. It waits for these apps to decrypt messages locally and then records the text directly from the screen. This means that your chats can remain encrypted in transit, but once a message appears on your display, Sturnus sees the entire conversation. It also includes full remote-control functionality, with real-time screen streaming and a more efficient mode that sends only interface data. This allows precise clicking, typing, scrolling, and granting of permissions without the victim seeing any of it.
How Sturnus hides and steals money
The malware protects itself by taking over the device's administrator rights and blocking any attempts to remove it. If you open a settings page that might disable these permissions, Sturnus immediately detects this and navigates you away from the page before you can do anything. It also monitors battery status, SIM card changes, developer mode, network status, and even signs of forensic analysis to decide how to proceed. All of this data is sent back to the command-and-control server through a combination of WebSocket and HTTP channels, protected by RSA and AES encryption.
When it comes to financial theft, the malware has several ways to take over your accounts. It can collect credentials through overlays, keylogging, UI tree monitoring, and direct text injection. If necessary, it can black out your screen with a full-screen overlay while the attacker performs fraudulent transactions in the background. Because the screen is hidden, you won't notice anything is happening until it's too late.
7 Ways to Protect Against Android Malware Like Sturnus
If you want to protect yourself from such threats, here are some practical things you can start doing now.
1) Install applications only from reliable and verified sources.
Avoid downloading APK files from redirected links, questionable websites, Telegram groups or third-party app stores. Banking malware spreads most effectively through downloaded installers masquerading as updates, coupons, or new features. If you need an app that isn't on the Play Store, check the developer's official website, verify the hashes if any are published, and read recent reviews to make sure the app hasn't been compromised.
2) Check permission requests carefully before clicking Allow.
Most dangerous malware relies on accessibility permissions, as they provide full visibility of your screen and interactions. Device administrator rights are even more powerful because they can block deletion. If a simple utility app suddenly requests them, stop immediately. These permissions should only be granted to apps that really need them, such as password managers or accessibility tools that you trust.
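As an added example (not from the article or from ThreatFabric's research), this shell script lists which apps on a connected Android device currently hold the Accessibility Service permission, the permission Sturnus relies on for keylogging and UI reading, and flags any that are not on an allowlist you maintain. It uses adb's real `settings get secure enabled_accessibility_services` setting; the package names and the allowlist are constructed placeholders, and a constructed sample in the same format is used when adb is not installed.

```shell
#!/bin/sh
# Added example: audit which apps hold the Accessibility Service permission.
# All package names below are constructed placeholders, not real apps.

# Takes the raw value of the Android secure setting
# "enabled_accessibility_services" (colon-separated package/Class entries,
# or "null" when none are enabled) and prints one package name per line.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#^\([^/]*\)/.*#\1#p' | sort -u
}

# Prints "REVIEW: <package>" for every package in $1 (newline-separated)
# that is not on the space-separated allowlist $2. Returns 1 if any were flagged.
flag_unexpected() {
    flagged=0
    for pkg in $1; do
        case " $2 " in
            *" $pkg "*) ;;                          # trusted, e.g. your password manager
            *) echo "REVIEW: $pkg"; flagged=1 ;;
        esac
    done
    return $flagged
}

# Constructed allowlist: the only app you expect to hold this permission.
ALLOWLIST="com.example.passwordmanager"

if command -v adb >/dev/null 2>&1; then
    # Real device: adb output may carry CR characters, strip them.
    RAW=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
else
    # Offline fallback: constructed sample in the same format adb returns.
    RAW="com.example.passwordmanager/.AutofillService:com.example.coupons/.OverlayService"
fi

PKGS=$(accessibility_packages "$RAW")
echo "Apps holding Accessibility Service:"
printf '%s\n' "$PKGS"
flag_unexpected "$PKGS" "$ALLOWLIST" \
    || echo "Unexpected accessibility access found; revoke it under Settings > Accessibility"
```

The same review is worth doing for device administrator apps (Settings > Security, or `adb shell dumpsys device_policy`), since that is the second permission the article describes Sturnus abusing.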
3) Keep your phone updated
Install system updates as soon as they become available, as many Android banking Trojans target older devices that lack the latest security updates. If your phone no longer receives updates, you are at higher risk, especially when using financial apps. Avoid downloading custom ROMs unless you know how they handle security patches and Google Play Protect.
4) Use powerful antivirus software.

The malware quietly intercepts decrypted messages from apps like WhatsApp, Telegram and Signal right the moment they appear on your screen. (Kurt Knutsson)
Android phones come with built-in Google Play Protect, which detects a wide range of known malware families and alerts you when apps behave suspiciously. But if you want more security and control, choose a third-party antivirus app. These tools can alert you when an app begins to log your screen or tries to take over control of your phone.
The best way to protect yourself from malicious links that install malware and potentially access your personal information is to install powerful antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware, keeping your personal information and digital assets safe.
Get my picks for 2025's top antivirus protection winners for your Windows, Mac, Android, and iOS devices at Cyberguy.com.
5) Use a personal data removal service
Many of these campaigns rely on data brokers, leaked databases, and scraped profiles to build lists of people to target. If your phone number, email address, home address or social media accounts appear on dozens of broker sites, it becomes much easier for criminals to reach you with malicious links or tailored scams. A data removal service helps clean up this trail by getting your information taken off data brokers' lists.
While no service can guarantee complete removal of your data from the internet, a data removal service is indeed a smart choice. They don't come cheap, and neither does your privacy. These services do all the work for you, actively monitoring and systematically removing your personal information from hundreds of websites. This is what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk that scammers will link leaked data to information they can find on the dark web, making it harder for them to target you.
Check out my top picks for data deletion services and get a free scan to see if your personal information is already posted online by visiting Cyberguy.com.
6) Consider unusual login screens and pop-ups a red flag.
Trojan overlays often appear when you open your banking app or a popular service. If the screen layout looks different or asks for credentials in a way you don't recognize, close the app completely. Open it again from the app drawer and see whether the prompt reappears. If it doesn't, you have probably caught an overlay. Never enter bank details on screens that appear suddenly or seem out of place.

By using remote management tools that broadcast your screen and automate your clicks, criminals can quietly move money without you noticing. (Felix Zahn/Photothek via Getty Images)
7) Be careful with the links and attachments you receive.
Attackers often distribute malware through WhatsApp links, SMS messages and email attachments, posing as invoices, refunds or delivery notifications. If you receive a link you weren't expecting, open your browser manually and search for the service instead. Don't install anything that comes from a message, even if it appears to come from someone you know. Compromised accounts are a common delivery method.
Kurt's Key Takeaway
Sturnus is still a young malware family, but it already stands out for the amount of control it gives attackers. It bypasses encrypted messages, steals banking credentials using multiple backup methods, and maintains strong control over the device through administrator privileges and constant environmental checks. Even if current campaigns are limited, their level of sophistication suggests a threat that is being refined for larger operations. If it reaches widespread adoption, it could become one of the most malicious Android banking Trojans in circulation.
Have scammers ever tried to trick you into installing an app or clicking a link? How did you deal with it? Let us know by writing to us at Cyberguy.com.
Copyright CyberGuy.com 2025. All rights reserved.