Sturnus, an Android banking trojan, was reportedly spotted by MTI Security researchers.
Researchers warn Android users of wider, large scale Sturnus attacks
Photo Credit: Unsplash/ Desola Lanre-Ologun
Android devices are vulnerable to a newly-found malware, dubbed Sturnus, which can access a user's banking credentials, according to a report citing cybersecurity researchers. It is also said to be capable of reading a user's end-to-end encrypted chats on various instant messaging services, like WhatsApp, Telegram, and Signal, without breaching the encryption code. Termed as an Android Banking Trojan, the malware is primarily targeting users in Southern and Central European countries, the report added. However, Google has yet to release a new security patch that would fix the vulnerabilities being leveraged by the trojan.
ThreatFabric, a publication that focuses on cyberattacks and software vulnerabilities, reports that MTI Security researchers have identified a new Android Banking Trojan, called Sturnus. The malware is capable of replicating the login pages of various banking apps on a user's phone, compelling them to log in to steal their banking credentials. Moreover, it grants “extensive remote” access to the attackers, which allows them to “observe all user activity”.
Sturnus also enables the bad actors to “inject” text without being in physical contact with the Android device. They can also remotely black out the screens of devices to “execute fraudulent transactions in the background”. By making the screen blank, a user does not get to know about said transactions till the money has actually been transferred to an account.
Another concerning factor is that Sturnus can give attackers access to a user's end-to-end encrypted messages. The malware does not need a key to decrypt codes, as it can read the messages after they have been decrypted by capturing the screen of an Android device. It can reportedly “monitor communications” done through WhatsApp, Telegram, and Signal. All three apps provide end-to-end encryption, claiming that even they can't access a user's messages.
The report added that Sturnus' makers are primarily targeting victims in Southern and Central European countries. The researchers believe that the Android Banking Trojan is still in its early stages, and the attackers could still be evaluating and tuning the malware, as only a “few” victims have been spotted so far. The bad actors are reportedly conducting “short, intermittent” attack campaigns. However, the researchers warn that there could be large scale and widespread attacks soon.
Catch the latest from the Consumer Electronics Show on Gadgets 360, at our CES 2026 hub.