Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus, which enables credential theft and full device takeover for the purpose of financial fraud.
One of its key features is the ability to bypass encrypted messaging by capturing content directly from the device screen after decryption. This allows it to monitor communications via WhatsApp, Telegram, and Signal.
Another notable feature is its ability to launch overlay attacks by drawing fake login screens on top of legitimate banking apps to steal users' credentials. According to ThreatFabric, the Dutch mobile security company that analysed the malware, Sturnus is privately operated and currently believed to be in an evaluation stage rather than in wide distribution.
The malware has been designed to specifically target financial institutions in Southern and Central Europe, with region-specific overlays.
The name 'Sturnus' is a nod to the fact that it uses a mixed communication pattern that blends plaintext, AES and RSA. ThreatFabric likens this to the European starling (binomial name: Sturnus vulgaris), which incorporates a variety of whistles and is known for its vocal mimicry.
Once launched, the Trojan contacts a remote server over HTTP and WebSocket channels to register the device and receive encrypted payloads in return. A separate WebSocket channel gives the operators real-time interaction with the compromised Android device during Virtual Network Computing (VNC) remote-control sessions.
As well as displaying fake overlays for banking apps, Sturnus can exploit Android's accessibility services to capture keystrokes and record user interface (UI) interactions. Once an overlay for a specific bank has been served to the victim and their credentials have been harvested, the overlay is disabled to avoid arousing suspicion.
Furthermore, it can draw a full-screen overlay that hides everything beneath it and mimics the Android operating system update screen. The user is led to believe that a software update is in progress while, in reality, the operators carry out fraudulent actions on the device behind the overlay.
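The two capabilities described above, overlays on top of banking apps and accessibility-service abuse, both depend on permissions a user must grant. A quick triage on an Android device is therefore to list third-party packages that hold an enabled accessibility service and the draw-over-other-apps permission at the same time. The script below is an added example and not ThreatFabric's code; it parses text in the shape of two adb commands (`settings get secure enabled_accessibility_services` and `appops get <package> SYSTEM_ALERT_WINDOW`), the sample outputs, package names and allow-list are constructed for illustration, and nothing in it is specific to Sturnus's own indicators.

```python
"""Triage helper: flag Android packages that hold BOTH an enabled accessibility
service and the SYSTEM_ALERT_WINDOW (draw over other apps) permission, the
combination an overlay-and-keylogging banker depends on.

Added example (not the article's or ThreatFabric's code). Input is text in the
shape produced by these adb commands, assumed for this example:
    adb shell settings get secure enabled_accessibility_services
    adb shell appops get <package> SYSTEM_ALERT_WINDOW
"""
import re

# Constructed sample: value of `enabled_accessibility_services`. Entries are
# "package/ServiceClass" joined by ':'; a class name starting with '.' is
# shorthand for "<package>.<class>".
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/.CoreAccessibilityService"
)

# Constructed sample: per-package output of `appops get <pkg> SYSTEM_ALERT_WINDOW`.
APPOPS = {
    "com.google.android.marvin.talkback": "No operations.",
    "com.example.fakeupdate": "SYSTEM_ALERT_WINDOW: allow; time=+3h12m44s563ms ago",
    "com.example.flashlight": "SYSTEM_ALERT_WINDOW: allow; time=+1d2h ago",
}

# Hypothetical allow-list of accessibility tools known to be legitimate.
KNOWN_GOOD = {"com.google.android.marvin.talkback"}


def parse_enabled_services(setting: str) -> dict[str, str]:
    """Map package -> fully qualified accessibility service class."""
    services: dict[str, str] = {}
    for entry in filter(None, setting.strip().split(":")):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):          # expand the ".Service" shorthand
            cls = pkg + cls
        services[pkg] = cls
    return services


def overlay_allowed(appops_output: str) -> bool:
    """True when appops reports the overlay op as allowed for the package."""
    return re.search(r"SYSTEM_ALERT_WINDOW:\s*allow\b", appops_output) is not None


def flag_overlay_capable_a11y(setting: str, appops: dict[str, str],
                              known_good: set[str] = KNOWN_GOOD) -> list[str]:
    """Packages that run an accessibility service AND may draw overlays."""
    suspects = []
    for pkg in parse_enabled_services(setting):
        if pkg in known_good:
            continue
        if overlay_allowed(appops.get(pkg, "")):
            suspects.append(pkg)
    return sorted(suspects)


if __name__ == "__main__":
    for pkg in flag_overlay_capable_a11y(ENABLED_A11Y, APPOPS):
        print(f"REVIEW: {pkg} has accessibility access and can draw overlays")
```

On the constructed input only `com.example.fakeupdate` is flagged: the flashlight app can draw overlays but runs no accessibility service, and TalkBack is allow-listed. In practice the allow-list should be built from the device vendor's known accessibility tools, and any flagged package deserves a look at who signed it and where it was installed from.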