New malware can read your chats and steal your money


A new banking Trojan for Android called Sturnus is shaping up to be one of the most powerful threats we’ve seen in a long time. It is still in an early stage of development, but already behaves like a fully mature operation.

Once it infects a device, it can take over your screen, steal your banking credentials, and even read encrypted chats from apps you trust. The worrying thing is how quietly it runs in the background. You think your messages are safe because they’re end-to-end encrypted, but this malware simply waits for your phone to decrypt them before taking over everything.

It is important to note, however, that Sturnus does not break the encryption; it only captures messages after your apps decrypt them on your device.

Sign up to receive my FREE CyberGuy report
Get my best tech tips, urgent security alerts, and exclusive offers delivered right to your inbox. Plus, you’ll get instant access to my Ultimate Guide to Surviving Scams, free when you join my CYBERGUY.COM newsletter.


Sturnus malware uses deceptive screens that imitate real banking applications to steal your credentials in seconds. (Kurt “CyberGuy” Knutsson)

A closer look at the malware’s capabilities

Sturnus combines several attack layers that give the operator almost complete visibility into the device, cybersecurity research firm ThreatFabric reported. It uses HTML overlays that imitate real banking applications to trick you into typing your credentials. Everything you enter goes directly to the attacker through a WebView that forwards the data instantly. It also runs an aggressive keylogging system through the Android Accessibility Service. This lets it capture text as you type, track which app is open, and map each UI element on the screen. Even when apps block screenshots, the malware still crawls the UI tree in real time, which is enough to reconstruct what you’re doing.


In addition to overlays and keylogging, the malware monitors WhatsApp, Telegram, Signal, and other messaging apps. It waits for these apps to decrypt messages locally and then captures the text directly from the screen. This means your chats can remain encrypted on the network, but once a message appears on your screen, Sturnus sees the entire conversation. It also includes a full remote control feature with live screen streaming and a more efficient mode that sends only interface data. This allows for precise touches, text injection, scrolling, and permission approvals without showing any activity to the victim.

How Sturnus hides and steals money

The malware protects itself by gaining administrator privileges on the device and blocking any attempts to remove it. If you open the settings page that could disable those permissions, Sturnus immediately detects this and moves you away from the screen before you can act. It also monitors battery status, SIM changes, developer mode, network conditions, and even signs of a forensic investigation to decide how to behave. All of this data returns to the command and control server through a combination of WebSocket and HTTP channels protected with RSA and AES encryption.

When it comes to financial theft, the malware has several ways to take over your accounts. It can collect credentials using overlays, keylogging, UI tree monitoring, and direct text injection. If necessary, it can obscure the screen with a full-screen overlay while the attacker conducts fraudulent transactions in the background. Since the screen is hidden, you have no idea anything is happening until it’s too late.

Seven ways to protect yourself from Android malware like Sturnus

If you want to protect yourself from threats like this, here are some practical things you can start doing right away.

1) Install apps only from trusted and verified sources

Avoid downloading APKs from forwarded links, suspicious websites, Telegram groups or third-party app stores. Banking malware spreads most effectively through installers disguised as updates, coupons, or new features. If you need an app that is not on the Play Store, check the developer’s official site, check the hashes if provided, and read recent reviews to make sure the app has not been hijacked.

2) Check the permission requests carefully before tapping allow

The most dangerous malware relies on accessibility permissions because they allow full visibility of your screen and your interactions. Device administrator rights are even more powerful, as they can block removal. If a simple utility application suddenly asks for either of these, stop immediately. These permissions should only be granted to applications that actually need them, such as password managers or accessibility tools that you trust.
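The two privileges described above and in the capabilities section, accessibility services and device administrator rights, can be audited from a computer with `adb` over USB debugging. The following script is an added example, not code from ThreatFabric or CyberGuy: it parses the output of `settings get secure enabled_accessibility_services` and the "Enabled Device Admins" block of `dumpsys device_policy`, and reports any package holding those powers that is not on an allowlist you maintain. The allowlists, the package names and the sample dumps are constructed for illustration, and the exact `dumpsys` layout is an assumption that may differ by Android version.

```python
import re
import subprocess

# Apps you knowingly granted these powers (constructed examples; edit for your device).
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_DEVICE_ADMINS = {"com.google.android.apps.work.clouddpc"}

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
SAMPLE_A11Y = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
               ":com.fakeupdate.installer/.KeyLogService")
# Constructed sample fragment of: adb shell dumpsys device_policy (layout assumed)
SAMPLE_DPM = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:
      uid=10123
    com.fakeupdate.installer/.AdminReceiver:
      uid=10456
  Profile Owner (User 0): none
"""

def parse_accessibility_services(value):
    """The secure setting is a colon-separated list of flattened package/service
    component names; return the package part of each entry."""
    value = value.strip()
    if not value or value == "null":
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]

def parse_device_admins(dump):
    """Pull package names out of the 'Enabled Device Admins' block, assuming each
    admin is listed on an indented 'package/Receiver:' line under that heading."""
    admins, inside = [], False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            inside = True
            continue
        if inside and re.match(r"^ {0,2}\S", line):  # next top-level heading ends the block
            break
        match = re.match(r"^\s+([A-Za-z][\w.]*)/[\w.$]+:\s*$", line) if inside else None
        if match:
            admins.append(match.group(1))
    return admins

def find_suspects(a11y_value, dpm_dump):
    """Packages holding each privilege that you did not knowingly approve."""
    return {"accessibility": sorted(set(parse_accessibility_services(a11y_value)) - ALLOWED_ACCESSIBILITY),
            "device_admin": sorted(set(parse_device_admins(dpm_dump)) - ALLOWED_DEVICE_ADMINS)}

if __name__ == "__main__":  # live run against a connected device
    adb = lambda *args: subprocess.run(["adb", "shell", *args], capture_output=True, text=True).stdout
    print(find_suspects(adb("settings", "get", "secure", "enabled_accessibility_services"),
                        adb("dumpsys", "device_policy")))
```

An unfamiliar package appearing under either privilege is exactly the foothold the article describes and is worth investigating before it is trusted.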

3) Keep your phone up to date

Install system updates as soon as they arrive, as many Android banking Trojans target older devices that lack the latest security patches. If your phone no longer receives updates, you are at greater risk, especially when using financial apps. Avoid downloading custom ROMs unless you know how they handle security patches and Google Play Protect.


4) Use powerful antivirus software


The malware silently captures decrypted messages from apps like WhatsApp, Telegram, and Signal exactly as they appear on the screen. (Kurt Knutsson)

Android phones come with built-in Google Play Protect, which detects a large number of known malware families and warns you when apps behave suspiciously. But if you want more security and control, choose a third-party antivirus application. These tools can alert you when an app starts recording your screen or tries to take over your phone.

The best way to protect yourself from malicious links that install malware and potentially access your private information is to have powerful antivirus software installed on all your devices. This protection can also alert you to phishing emails and ransomware scams, keeping your personal information and digital assets safe.

Get my picks for the best antivirus protection winners of 2025 for your Windows, Mac, Android, and iOS devices at Cyberguy.com.

5) Use a personal data deletion service

Many of these campaigns rely on data brokers, leaked databases, and scraped profiles to create lists of people to target. If your phone number, email, address, or social handles are floating around dozens of broker sites, it will be much easier for attackers to contact you with malware links or personalized scams. A personal data removal service helps clean up that footprint by removing your information from data broker lists.

While no service can guarantee complete removal of your data from the Internet, a data deletion service is truly a smart choice. They are not cheap, and neither is your privacy. These services do all the work for you by actively monitoring and systematically deleting your personal information from hundreds of websites. It’s what gives me peace of mind and has proven to be the most effective way to delete your personal data from the Internet. By limiting the information available, you reduce the risk of scammers cross-referencing leaked data with information they can find on the dark web, making it harder for them to target you.

Check out my top picks for data removal services and get a free scan to find out if your personal information is already available on the web by visiting Cyberguy.com.


6) Treat unusual login screens and pop-ups as red flags

Trojan overlays usually appear when you open your bank’s app or a popular service. If the screen layout looks different or asks for credentials in a way you don’t recognize, close the app completely. Reopen it from your app drawer and see if the prompt appears again. If not, you have probably detected an overlay. Never enter bank details on screens that appear suddenly or look out of place.


With remote control tools that broadcast your screen and automate touches, attackers can move money behind the scenes without you realizing it. (Felix Zahn/Photothek via Getty Images)

7) Be careful with the links and attachments you receive

Attackers frequently distribute malware via WhatsApp links, SMS messages, and email attachments that pose as invoices, refunds, or delivery updates. If you receive a link that you were not expecting, open your browser manually and search for the service. Avoid installing anything that comes from a message, even if it appears to be from someone you know. Compromised accounts are a common delivery method.


Kurt’s Key Takeaway

Sturnus is still a young malware family, but it already stands out for the control it gives attackers. It captures encrypted messages once your device decrypts them, steals banking credentials with multiple backup methods, and maintains strong device control through administrator privileges and constant environment checks. Even if current campaigns are limited, the level of sophistication here suggests a threat that is being honed for larger operations. If it achieves wide distribution, it could become one of the most harmful Android banking Trojans out there.

Have scammers ever tried to trick you into installing an app or clicking a link? How did you handle it? Let us know by writing to us at Cyberguy.com.


Copyright 2025 CyberGuy.com. All rights reserved.

Kurt “CyberGuy” Knutsson is an award-winning technology journalist with a deep love for technology, gear and gadgets that improve lives, whose contributions to News and News Business began with mornings on “News & Friends.” Do you have any technical questions? Get Kurt’s free CyberGuy newsletter, share your voice, a story idea or comment on CyberGuy.com.
