New malware can read your chats and steal your money

A new Android banking trojan called Sturnus is shaping up to be one of the most capable threats we have seen in a while. It is still in early development, but it already behaves like a fully mature operation. Once it infects a device, it can take over your screen, steal your banking credentials, and even read encrypted chats from apps you trust. The worrying part is how quietly it works in the background. You think your messages are safe because they are end-to-end encrypted, but this malware simply waits for the phone to decrypt them before grabbing everything. However, it’s important to note that Sturnus does not break encryption; it only captures messages after your apps decrypt them on your device.

A closer look at the malware’s capabilities

Sturnus combines several attack layers that give the operator nearly full visibility into the device, as reported by cybersecurity research firm ThreatFabric. It uses HTML overlays that mimic real banking apps to trick you into typing your credentials. Everything you enter goes straight to the attacker through a WebView that forwards the data instantly. It also runs an aggressive keylogging system through the Android Accessibility Service. This lets it capture text as you type, follow which app is open, and map every UI element on the screen. Even when apps block screenshots, the malware keeps tracking the UI tree in real time, which is enough to reconstruct what you are doing.

On top of overlays and keylogging, the malware monitors WhatsApp, Telegram, Signal, and other messaging apps. It waits for these apps to decrypt messages locally, then captures the text right from the screen. This means your chats may remain encrypted over the network, but once the message appears on your display, Sturnus sees the entire conversation. It also includes a full remote control feature with live screen streaming and a more efficient mode that sends only interface data. This allows precise taps, text injection, scrolling, and permission approvals without showing any activity to the victim.

Threat Fabric

How Sturnus stays hidden and steals money

The malware protects itself by grabbing Device Administrator privileges and blocking any attempt to remove it. If you open the settings page that could disable those permissions, Sturnus detects it immediately and moves you away from the screen before you can act. It also monitors battery state, SIM changes, developer mode, network conditions, and even signs of forensic investigation to decide how to behave. All this data goes back to the command-and-control server through a mix of WebSocket and HTTP channels protected with RSA and AES encryption.

When it comes to financial theft, the malware has several ways to take over your accounts. It can collect credentials through overlays, keylogging, UI-tree monitoring, and direct text injection. If needed, it can black out your screen with a full-screen overlay while the attacker performs fraudulent transactions in the background. Since the screen is hidden, you have no idea anything is happening until it is too late.

7 ways you can stay safe from Android malware like Sturnus

If you want to protect yourself from threats like this, here are a few practical things you can start doing right away.

1) Install apps only from trusted and verified sources

Avoid downloading APKs from forwarded links, shady websites, Telegram groups, or third-party app stores. Banking malware spreads most effectively through sideloaded installers disguised as updates, coupons, or new features. If you need an app that isn’t in the Play Store, verify the developer’s official site, check hashes if provided, and read recent reviews to make sure the app hasn’t been hijacked.

2) Check permission requests carefully before tapping allow

Most dangerous malware relies on Accessibility permissions because they allow full visibility into your screen and interactions. Device Administrator rights are even more powerful since they can block removal. If a simple utility app suddenly asks for these, stop immediately. These permissions should only be granted to apps that genuinely need them, such as password managers or accessibility tools you trust.

3) Keep your phone updated

Install system updates as soon as they arrive, since many Android banking trojans target older devices that lack the latest security patches. If your phone is no longer receiving updates, you are at a higher risk, especially when using financial apps. Avoid sideloading custom ROMs unless you know how they handle security patches and Google Play Protect.

4) Use strong antivirus software

Android phones come with Google Play Protect built in, which catches a large chunk of known malware families and warns you when apps behave suspiciously. But if you want greater security and control, choose a third-party antivirus app. These tools can alert you when an app starts logging your screen or trying to take over your phone.

The best way to safeguard yourself from malicious links that install malware, potentially accessing your private information, is to have strong antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

5) Use a personal data removal service

A lot of these campaigns rely on data brokers, leaked databases, and scraped profiles to build lists of people to target. If your phone number, email, address, or social handles are floating around on dozens of broker sites, it becomes much easier for attackers to reach you with malware links or tailored scams. A personal data removal service helps clean up that footprint by deleting your info from data broker listings.

While no service can guarantee the complete removal of your data from the internet, a data removal service is really a smart choice. They aren’t cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically erasing your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to erase your personal data from the internet. By limiting the information available, you reduce the risk of scammers cross-referencing data from breaches with information they might find on the dark web, making it harder for them to target you.

Is your personal information exposed online?

Run a free scan to see if your personal info is compromised. Results arrive by email in about an hour.

6) Treat unusual login screens and pop-ups as red flags

Trojan overlays often appear when you open your bank app or a popular service. If the screen layout looks different or asks for credentials in a way you don’t recognize, close the app completely. Reopen it from your app drawer and see if the prompt returns. If it doesn’t, you probably caught an overlay. Never type banking details into screens that appear suddenly or seem out of place.

7) Be cautious with links and attachments you receive

Attackers frequently distribute malware through WhatsApp links, SMS messages, and email attachments pretending to be invoices, refunds, or delivery updates. If you receive a link you weren’t expecting, open your browser manually and search for the service instead. Avoid installing anything that comes from a message, even if it appears to be from someone you know. Compromised accounts are a common delivery method.

Related Links: 

• Louvre heist exposes weak password problem
• 183 million email passwords leaked: Check yours now
• Best Password Managers expert reviewed 2025

Kurt’s key takeaway

Sturnus is still a young malware family, but it already stands out for how much control it gives attackers. It sidesteps encrypted messaging, steals banking credentials with multiple backup methods, and maintains a strong grip on the device through administrator privileges and constant environmental checks. Even if the current campaigns are limited, the level of sophistication here suggests a threat that is being refined for larger operations. If it reaches wide distribution, it could become one of the most damaging Android banking trojans in circulation.

Have scammers ever tried to trick you into installing an app or clicking a link? How did you handle it? Let us know in the comments below.

FOR MORE OF MY TECH TIPS & SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

Copyright 2025 CyberGuy.com. All rights reserved. CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.