Cybersecurity researchers have found a brand new, extremely harmful Android banking malware known as Sturnus, named after the widespread starling or ‘songbird’ due to its complicated and ‘chaotic’ communication model.
The Dutch cybersecurity agency ThreatFabric recognized this privately-operated risk, which has options which can be merely much more superior and harmful than what we’ve seen earlier than.
In response to ThreatFabric’s weblog put up, printed on November 20, 2025, Sturnus is way extra superior than earlier malware, able to stealing your financial institution particulars, in a position to view chat content material on apps like WhatsApp, Telegram, and Sign by abusing Android’s Accessibility Service
The way it Decodes Your ‘Encrypted’ Chats
Though these apps use end-to-end encryption, which implies solely you and the particular person you’re chatting with can learn the messages, Sturnus fully will get round this safety. It really works by counting on the Android Accessibility Service to learn the message content material instantly from the display screen after the authentic app has decrypted it. This implies the attackers can see full conversations, contacts, and all incoming and outgoing messages in actual time.
A Totally Featured Risk
The malware is distributed by social engineering campaigns, together with Phishing (electronic mail), Smishing (SMS textual content messages), or through a malicious Dropper utility, which methods customers into putting in the ultimate malware as an unofficial APK file
As soon as Sturnus infects a telephone, it makes use of two built-in strategies to steal delicate information: deploying faux login screens, generally known as HTML overlays, that completely mimic banking apps; and concurrently using a complete keylogging pipeline through the Accessibility Service to report each keystroke and display screen faucet.
Additional probing revealed that the malware offers the attackers in depth distant management. They will sort, monitor all exercise, and, most disturbingly, show a black display screen overlay to cover their actions whereas it silently executes fraudulent transactions within the background. The malware even makes use of its keylogging skill to steal PINs and Passwords, making it simple to unlock the system itself.
The Assault Standing and Targets
It’s price noting that Sturnus is very persistent. It features particular privileges on the telephone, known as Machine Administrator rights, and actively protects them. If a consumer tries to disable these rights or uninstall the malware in settings, Sturnus detects the try and mechanically stops the motion. This defence makes it very tough to eliminate it as soon as put in.
Researchers assess that though this malware shouldn’t be but widespread and is presently in an early testing section, it’s already absolutely purposeful. Its configurations present a right away concentrate on focusing on monetary establishments throughout Southern and Central Europe. This focus on high-value apps and particular areas suggests the criminals are merely preparing for a a lot bigger, extra coordinated international assault.
Skilled Commentary
In commentary shared completely with Hackread.com, Aditya Sood, VP of Safety Engineering and AI Technique at Aryaka, supplied perception into the malware’s technical edge and broader dangers.
“Sturnus poses a special form of risk in comparison with different Android malware because of its skill to make use of a mixture of plaintext, RSA, and AES-encrypted communication with the C2 server it responds to,” Sood stated.
“The mix of those three permits Sturnus to mix extra simply into regular community patterns, whereas additionally hiding instructions and stolen information from defence methods. This superior stage of evasion and resilience from the malware disrupts signature-based detection and might impede reverse-engineering efforts, making it more durable to examine Sturnus’ community visitors or get better the contents that it steals.”
Sood additionally highlighted the danger to organisations: “As a banking trojan, Sturnus is primarily focusing on monetary organisations. Nonetheless, the flexibility to steal messages from end-to-end encrypted platforms like Sign may spell critical issues for organisations, as these purposes are used throughout a number of industries to safe delicate or confidential info.”
He advises, “People who’re at-risk, or who’re in charge of delicate info, should keep away from downloading APK recordsdata from outdoors Google Play, and will constantly monitor for malicious exercise if an infection is suspected.”
