Your Galaxy phone’s banking apps are under attack by scary new malware


According to SamMobile, security researchers from MTI Security have identified a privately operated Android banking trojan called Sturnus that targets banking applications. The malware sidesteps the protection of encrypted messaging apps such as WhatsApp, Telegram and Signal by simply recording what is shown on the device's screen after the messages have been decrypted. It is capable of full device takeover and can steal login credentials by displaying convincing fake banking app login screens. It gives attackers extensive remote control: they can observe user activity, push text to the device, and black out the screen while executing fraudulent transactions. At present, Sturnus appears to be in a development or limited-testing phase, with targeted attacks across Southern and Central Europe, suggesting groundwork for wider campaigns.


The screen recording trick changes everything

Here's what really worries me about Sturnus: it completely bypasses the encryption that makes apps like WhatsApp and Signal supposedly secure. The malware isn't trying to break the encryption mathematically; that's nearly impossible with modern encryption. Instead, it's just recording your screen after the apps have already decrypted the messages for you to read. Basically, it's attacking the weakest link in the security chain: the human-readable output. End-to-end encryption protects messages in transit and on the server, not on a compromised endpoint, so no amount of encryption can protect you once malware has this level of access to your device.

Your banking apps are the real target

The fake login screens are particularly clever, and dangerous. You think you're logging into your banking app, but you're actually handing your credentials directly to attackers. What makes this so effective is that the fake screens look completely legitimate. They're not the clumsy, obviously fake pages we used to see with phishing attacks. These are sophisticated overlays drawn on top of the real banking app that perfectly mimic its login screen. And while this is happening, the attackers can black out your screen so you don't even see the fraudulent transactions happening in the background.

The calm before the storm?

Right now, Sturnus seems to be in limited testing in Europe. But that’s probably the most concerning part. Why would attackers limit themselves to a small geographic area unless they’re perfecting their techniques before going global? This feels like we’re seeing the early stages of what could become a massive threat. The fact that it’s privately operated rather than being sold on dark web markets suggests this might be a more sophisticated operation than your average malware.

What you can actually do about it

So what's the defense here? First, always download apps from official sources like the Google Play Store or Samsung Galaxy Store. Be suspicious of any app that requests unnecessary permissions, especially accessibility services or screen recording capabilities, and periodically review which apps currently hold accessibility access under Settings > Accessibility, revoking any you don't recognise. Enable two-factor authentication everywhere you can; it won't stop all attacks, but it makes stolen credentials much less useful to attackers. And keep your device updated with the latest security patches. Google and Samsung will likely be working on detection methods now that this threat has been publicly identified. The researchers at ThreatFabric have done us all a service by exposing this early.
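The accessibility check above can be automated for a fleet of devices. The following script is an added example, not code from the article or from the researchers it cites: it parses Android's `enabled_accessibility_services` secure setting (readable with `adb shell settings get secure enabled_accessibility_services`) and flags any enabled service whose package is not on a reviewer-maintained allowlist. The allowlist contents and the sample setting value are constructed for illustration.

```python
"""Flag unexpected Android accessibility services, the capability banking
trojans abuse to read decrypted screen content and drive overlay phishing."""
import subprocess

# Packages a reviewer has vetted and expects to hold accessibility access
# (constructed example allowlist; adjust to your own fleet).
TRUSTED_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}

def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse the 'enabled_accessibility_services' value: colon-separated
    'package/class' entries, where a class starting with '.' is relative
    to its package. Returns (package, fully qualified class) pairs."""
    raw = (raw or "").strip()
    if not raw or raw == "null":  # 'settings get' prints 'null' when unset
        return []
    services = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services

def find_unexpected(raw: str, trusted=TRUSTED_PACKAGES) -> list[str]:
    """Return flattened component names of enabled services whose package
    is not on the allowlist; each one deserves a manual look."""
    return [f"{pkg}/{cls}" for pkg, cls in parse_enabled_services(raw)
            if pkg not in trusted]

def read_setting_via_adb() -> str:
    """Read the live setting from a USB-connected device (requires adb)."""
    out = subprocess.run(
        ["adb", "shell", "settings", "get", "secure",
         "enabled_accessibility_services"],
        capture_output=True, text=True, check=True)
    return out.stdout

if __name__ == "__main__":
    # Constructed sample: TalkBack plus an unknown sideloaded package.
    SAMPLE = ("com.google.android.marvin.talkback/.TalkBackService:"
              "com.example.sideloaded/com.example.sideloaded.Svc")
    for component in find_unexpected(SAMPLE):
        print("review:", component)
```

Replace `SAMPLE` with `read_setting_via_adb()` to check a connected device; an empty result means only allowlisted packages hold accessibility access.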
