newYou can now listen to Fox News articles!
A new Android banking Trojan called Sturnus looks to be shaping up to be one of the most capable threats we’ve seen in a while. It’s still in the early development stage, but it’s already working as a fully mature process.
Once it infects a device, it can take over your screen, steal your banking credentials, and even read encrypted chats from apps you trust. The worrying part is how quietly it works in the background. You think your messages are safe because they are end-to-end encrypted, but this malware simply waits for the phone to decrypt them before taking over everything.
It is important to note, however, that Sturnus does not break the encryption; It only captures messages after your apps decrypt them on your device.
Sign up for my free CyberGuy report
Get the best tech tips, breaking security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – for free when you join my site CYBERGUY.COM Newsletter.
Sturnus malware uses spoofed screens that mimic real banking apps to steal your credentials in seconds. (Kurt “CyberGuy” Knutson)
A closer look at the malware’s capabilities
Sturnus combines several attack layers that give the operator nearly complete visibility into the device, according to cybersecurity research firm ThreatFabric. It uses HTML overlays that mimic real banking applications to trick you into typing your credentials. Everything you enter goes directly to the attacker through the WebView which immediately forwards the data. It also runs a strict keylogging system through the Android Accessibility Service. This allows him to capture text as you type, keep track of the open application, and map each UI element on the screen. Even when apps block screenshots, the malware continues to trace the UI tree in real time, enough to reconstruct what you’re doing.
New Android malware can empty your bank account in seconds
On top of overlays and keylogging, the malware monitors WhatsApp, Telegram, Signal, and other messaging apps. It waits for these applications to decrypt messages locally, then captures the text directly from the screen. This means that your chats may remain encrypted across the network, but as soon as the message appears on your screen, Sturnus sees the entire conversation. It also includes full remote control with live screen streaming and a more efficient mode that sends interface data only. This allows precise clicks, text entry, swipes, and permission approvals without showing any activity to the victim.
How Sturnus stays hidden and steals money
The malware protects itself by taking over device administrator privileges and blocking any attempt to remove it. If you open a settings page that can disable these permissions, Sturnus will detect it immediately and move you away from the screen before you can act. It also monitors battery health, SIM card changes, developer mode, network conditions, and even signs of a criminal investigation to determine how to act. All of this data returns to the command and control server through a combination of WebSocket and HTTP channels protected with RSA and AES encryption.
When it comes to financial theft, malware has several ways to take control of your accounts. It can collect credentials through overlays, keylogging, UI tree monitoring, and direct script injection. If necessary, this can obscure your screen with a full-screen overlay while the attacker makes fraudulent transactions in the background. Since the screen is hidden, you have no idea anything is happening until it’s too late.
7 ways you can stay safe from Android malware like Sturnus
If you want to protect yourself from such threats, here are some practical things you can start doing right away.
1) Only install apps from trusted and verified sources
Avoid downloading APK files from redirected links, suspicious websites, Telegram groups, or third-party app stores. Banking malware spreads most effectively through sidebar installers disguised as updates, coupons, or new features. If you need an app that’s not in the Play Store, check the developer’s official website, check the hash if one is provided, and read recent reviews to make sure the app isn’t hacked.
2) Check permission requests carefully before clicking Allow
Most dangerous malware relies on accessibility permissions because they allow full visibility of your screen and interactions. Device administrator rights are more powerful as they can block removal. If a simple help app suddenly asks for these things, stop immediately. You should only grant these permissions to apps that really need them, such as password managers or accessibility tools that you trust.
3) Keep your phone updated
Install system updates as soon as they arrive, since many Android banking Trojans target older devices that lack the latest security patches. If your phone is no longer receiving updates, you are at greater risk, especially when using financial apps. Avoid sideloading custom ROMs unless you know how to work with security patches and Google Play Protect.
How Android malware allows thieves to access your cash at ATMs
4) Use powerful antivirus software
The malware quietly picks up decrypted messages from apps like WhatsApp, Telegram and Signal as soon as they appear on your screen. (Kurt Knutson)
Android phones come with built-in Google Play Protect, which catches a wide range of known malware families and warns you when apps behave suspiciously. But if you want greater security and control, choose a third-party antivirus app. These tools can alert you when an app starts recording your screen or tries to take over your phone.
The best way to protect yourself from malicious links that install malware, and potentially access your private information, is to install strong antivirus software on all your devices. This protection can also alert you to phishing emails and ransomware, keeping your personal information and digital assets safe.
Get my picks for the best antivirus protection winners of 2025 for Windows, Mac, Android, and iOS at Cyberguy.com.
5) Use a personal data removal service
Many of these campaigns rely on data brokers, leaked databases, and deleted profiles to create lists of people to target. If your phone number, email, address, or social accounts are on dozens of broker sites, it will be easier for attackers to reach you through malware links or customized scams. A depersonalization service helps clean up that footprint by deleting your information from data broker lists.
While no service can guarantee complete removal of your data from the Internet, a data removal service is truly a smart choice. It’s not cheap, and neither is your privacy. These services do all the work for you by systematically monitoring and scraping your personal information from hundreds of websites. This gives me peace of mind and has proven to be the most effective way to clear your personal data from the Internet. By limiting the information available, you reduce the risk of fraudsters cross-referencing data from breaches to information they might find on the dark web, making it harder for them to target you.
Check out my top picks for data removal services and get a free check to see if your personal information really exists on the web by visiting Cyberguy.com.
Get a free check to see if your personal information is already on the web: Cyberguy.com.
6) Treat unusual login screens and pop-ups as red flags
Trojan overlays often appear when you open your bank app or a popular service. If the screen layout looks different or is asking for credentials in a way you don’t recognize, close the app completely. Reopen it from your app drawer and see if the prompt comes back or not. If it doesn’t, you’ve probably caught an overlay. Never type banking details into screens that suddenly appear or look out of place.
Using remote controls that stream your screen and automate your clicks, attackers can move money behind the scenes without you even noticing. (Felix Zhan/Phototec via Getty Images)
7) Be careful about the links and attachments you receive
Attackers often distribute malware through WhatsApp links, SMS messages, and email attachments that pretend to be invoices, refunds, or delivery updates. If you receive a link you weren’t expecting, manually open your browser and search for the service instead. Avoid pinning anything that comes from a message, even if it appears to be from someone you know. Hacked accounts are a common delivery method.
The data breach exposed 400,000 bank customers’ information
Key takeaway for Kurt
Sturnus is still a young malware family, but it already stands out for the amount of control it offers attackers. It avoids encrypted messages, steals banking credentials using multiple backup methods, and maintains a strong grip on the device through administrator privileges and constant environmental scans. Even if current campaigns are limited, the level of sophistication here indicates a threat that is being optimized for larger operations. If widely distributed, it could become one of the most malicious Android banking Trojans.
Have scammers ever tried to trick you into installing an app or clicking a link? How did you deal with it? Let us know by writing to us at Cyberguy.com.
Click here to download the FOX NEWS app
Sign up for my free CyberGuy report
Get the best tech tips, breaking security alerts, and exclusive deals delivered straight to your inbox. Plus, you’ll get instant access to my Ultimate Scam Survival Guide – for free when you join my site CYBERGUY.COM Newsletter.
Copyright 2025 CyberGuy.com. All rights reserved.