Sturnus Android Banking Trojan: A New Generation of Mobile Banking Malware

CyberSecureFox 🦊

A newly identified Android banking trojan named Sturnus is raising concern among mobile security researchers. First documented by ThreatFabric, this malware combines classic banking fraud tools with full-featured remote-access capabilities, allowing attackers to read private messages, bypass end‑to‑end encryption on popular messengers, and control infected smartphones almost as if they were holding them in their hands.

What Is the Sturnus Android Banking Trojan and Why It Matters

Sturnus belongs to the family of Android banking trojans – malware families designed to steal funds from online banking and payment applications. Unlike earlier generations that primarily relied on fake overlays to capture credentials, Sturnus adds robust remote administration and surveillance, significantly complicating detection and incident response.

ThreatFabric’s analysis shows that Sturnus can capture screen content, abuse the Android Accessibility Service, obtain device administrator rights, and use the VNC protocol to simulate legitimate user activity. Together, these features effectively turn a compromised smartphone into an open terminal for the attacker, blurring the line between a banking trojan, spyware, and a remote access tool (RAT).

How Sturnus Infects Android Devices

Infections typically begin with the installation of a malicious APK disguised as a legitimate application. ThreatFabric observed samples impersonating Google Chrome (package com.klivkfbky.izaybebnx) and an app named Preemix Box (package com.uvxuthoq.noscjahae). These fake apps closely mimic the look and feel of legitimate software, reducing user suspicion.

While the full distribution chain is still being investigated, researchers suspect a mix of malvertising campaigns and direct delivery of APK files via messaging apps and social networks, a tactic well known from other Android banking trojans such as TeaBot and Anubis. This approach bypasses official app stores and takes advantage of users who enable installation from unknown sources.

Command-and-Control: Dual Channels and Strong Encryption

Sturnus protects its communication with a layered scheme in which messages are sent in plaintext, encrypted with RSA, or encrypted with AES depending on their role in the protocol. After installation, the trojan connects to its command-and-control (C2) server, registers the device, and establishes two separate channels for continuous control.

HTTPS for Commands, WebSocket + AES for Real-Time VNC

The first channel relies on encrypted HTTPS traffic to receive commands and exfiltrate data, including device fingerprints and potentially sensitive information. The second channel is built on WebSocket and additionally protected with AES encryption, providing low-latency data transfer for live VNC sessions.

This split architecture, increasingly common in advanced mobile banking trojans, makes network analysis harder and allows attackers to separately manage command traffic and high-volume remote-control sessions, reducing the chances of simple anomaly-based detection.

Bypassing End-to-End Encryption in WhatsApp, Telegram, and Signal

One of Sturnus’s most notable capabilities is its ability to circumvent end‑to‑end encryption (E2EE) in messaging apps including WhatsApp, Telegram, and Signal. The trojan does not break cryptography or manipulate encryption keys. Instead, it operates on the endpoint, capturing data after it has been decrypted by the legitimate app.

By abusing Android Accessibility Service, Sturnus can read everything displayed on the screen: contact lists, chat overviews, incoming and outgoing messages, and notifications. Accessibility features are designed to support users with visual or motor impairments, but in the wrong hands they provide a powerful surveillance interface.

This highlights a fundamental limitation of E2EE: if the endpoint is compromised, encrypted communication offers little protection. Industry reports such as Verizon’s Data Breach Investigations Report repeatedly emphasize endpoint compromise as a key factor in successful attacks, and Sturnus is a clear example of this risk in the mobile ecosystem.

VNC Remote Control and Direct Theft from Banking Apps

Once Sturnus has established control, its operators can initiate a VNC session, giving them full interactive access to the device. They can tap buttons, enter text, scroll content, switch apps, modify settings, and install additional payloads as though they were the legitimate user.

During critical stages of fraud, the malware can display a black overlay to obscure real activity from the victim. While this overlay is visible, attackers can open banking apps, initiate and approve transfers, change transaction limits and security options, or register new devices and online banking sessions – all while the user believes the phone is idle or frozen.

The trojan also requests device administrator privileges, which makes removal significantly more difficult. As long as administrator rights are granted, standard uninstallation and even removal via ADB can be blocked. Users must manually revoke these privileges, a step many victims either overlook or perform too late.

Targeted Regions and Financial Institutions

According to ThreatFabric, Sturnus is currently focused on European financial institutions. It uses localized overlay templates tailored to the interfaces of regional banking and payment applications, increasing the success rate of social engineering and fraudulent transactions.

Most observed activity so far has been in Central and Southern Europe, with relatively limited campaign scale. This pattern suggests that the operators may still be testing their infrastructure, distribution methods, and monetization workflows before scaling up – a strategy seen previously with other Android banking malware families.

How to Protect Against Android Banking Trojans Like Sturnus

Mitigating the risk posed by Sturnus and similar Android banking trojans requires a combination of technical controls and user awareness:

1. Install apps only from trusted sources. Keep installation from unknown sources disabled and avoid downloading APKs from links in SMS, email, messengers, or social media, even if they appear to come from official brands.

2. Monitor Accessibility and device admin permissions. Regularly review which apps have access to Accessibility Services and administrator rights. Any unfamiliar or suspicious app with such privileges should trigger immediate investigation and likely removal.

3. Use reputable mobile security solutions. Mobile antivirus or EDR tools cannot guarantee full protection, but they significantly improve the chances of detecting privilege escalation attempts, malicious overlays, and connections to known C2 infrastructure.

4. Invest in security awareness training. Organizations should educate employees about mobile phishing tactics, malicious APK examples, and the risks of granting Accessibility permissions to untrusted apps, as compromised personal devices can quickly become an entry point for corporate fraud.
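The permission review in steps 1 and 2 can be scripted for a device connected over USB debugging. The following helper is an added example written for this article, not code from ThreatFabric or the CyberSecureFox site: it parses the output of three stock `adb shell` commands (`settings get secure enabled_accessibility_services`, `pm list packages -3 -i`, and `dumpsys device_policy`) and flags third-party apps that are sideloaded, hold Accessibility Service access, or hold device administrator rights, and it matches against the two package names ThreatFabric reported. The sample command output, the bank and notes package names, and the Accessibility service and admin receiver class names are constructed for offline use; the `dumpsys` parsing assumes the usual `ComponentInfo{pkg/Receiver}` lines of that command.

```python
"""Triage helper for the Accessibility / device-admin / sideloading indicators
described in the article. Added example, not the project's or the article's code."""
from __future__ import annotations

import re
import subprocess
from dataclasses import dataclass, field

# Package names ThreatFabric reported for the fake Chrome and Preemix Box apps.
KNOWN_STURNUS_PACKAGES = {"com.klivkfbky.izaybebnx", "com.uvxuthoq.noscjahae"}

# Installers that count as an app store; anything else is treated as sideloaded.
# Extend for OEM stores or an MDM installer on managed devices.
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)


def parse_enabled_accessibility(raw: str) -> set[str]:
    """`settings get secure enabled_accessibility_services` prints a colon-separated
    list of pkg/ServiceClass entries, or 'null' when none. Return the package names."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_installers(raw: str) -> dict[str, str | None]:
    """`pm list packages -3 -i` prints 'package:<pkg>  installer=<pkg or null>'."""
    result: dict[str, str | None] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_device_admins(raw: str) -> set[str]:
    """`dumpsys device_policy` lists active admins as ComponentInfo{pkg/Receiver}
    (assumed format). Return the package names."""
    return set(re.findall(r"ComponentInfo\{([^/}]+)/[^}]*\}", raw))


def triage(accessibility_raw: str, installers_raw: str, dumpsys_raw: str) -> list[Finding]:
    """Combine the three sources; apps with more independent indicators sort first."""
    a11y = parse_enabled_accessibility(accessibility_raw)
    installers = parse_installers(installers_raw)
    admins = parse_device_admins(dumpsys_raw)
    findings: dict[str, Finding] = {}

    def add(pkg: str, reason: str) -> None:
        findings.setdefault(pkg, Finding(pkg)).reasons.append(reason)

    for pkg in sorted(KNOWN_STURNUS_PACKAGES & (a11y | admins | set(installers))):
        add(pkg, "package name matches a ThreatFabric-reported Sturnus sample")
    for pkg, inst in installers.items():
        if inst not in TRUSTED_INSTALLERS:
            add(pkg, f"sideloaded (installer={inst or 'none'})")
    for pkg in sorted(a11y):
        add(pkg, "holds Accessibility Service access")
    for pkg in sorted(admins):
        add(pkg, "holds device administrator rights")
    return sorted(findings.values(), key=lambda f: (-len(f.reasons), f.package))


def adb_shell(cmd: str) -> str:
    """Run one command on the connected device (needs adb and USB debugging)."""
    return subprocess.run(["adb", "shell", cmd], capture_output=True, text=True, check=True).stdout


def triage_connected_device() -> list[Finding]:
    return triage(
        adb_shell("settings get secure enabled_accessibility_services"),
        adb_shell("pm list packages -3 -i"),
        adb_shell("dumpsys device_policy"),
    )


# Constructed sample output standing in for a compromised device (class names invented).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.klivkfbky.izaybebnx/com.klivkfbky.izaybebnx.a11y.Svc"
)
SAMPLE_INSTALLERS = """package:com.bank.example  installer=com.android.vending
package:com.klivkfbky.izaybebnx  installer=null
package:org.example.notes  installer=com.android.vending
"""
SAMPLE_DUMPSYS = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.klivkfbky.izaybebnx/com.klivkfbky.izaybebnx.AdminReceiver}:
      uid=10321
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_A11Y, SAMPLE_INSTALLERS, SAMPLE_DUMPSYS):
        print(f.package)
        for r in f.reasons:
            print("  -", r)
```

Run against the constructed sample, the fake Chrome package comes out on top with all four indicators, while TalkBack appears only as a legitimate Accessibility holder and the store-installed apps produce no finding. On a real device, a single hit on an unfamiliar sideloaded app that holds Accessibility or admin rights is enough to warrant revoking the privilege manually and removing the app, as the article recommends.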

The rise of Sturnus underlines how modern Android banking trojans now blend credential theft, spyware, and remote administration into a single toolset. Relying solely on secure messaging or banking apps is no longer sufficient. Building strong mobile security today means hardening endpoints, enforcing strict app installation policies, and deploying continuous monitoring and incident response capabilities that treat smartphones with the same seriousness as traditional workstations.
