ATLA WIRE

New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices

21.11.2025
Android banking trojan Sturnus enables screen-decrypted chat capture, device takeover, and targeted European financial fraud.

Sturnus: The Android Trojan That's Literally Reading Your Encrypted DMs

Meet Sturnus — the slick new Android banking trojan that's bypassing encryption by straight-up screenshotting your chats while they're decrypted on-screen. This isn't your grandma's malware — it's capturing WhatsApp, Telegram, and Signal conversations right as you read them, then exfiltrating everything to C2 servers.
But wait, there's more — Sturnus also gives attackers full remote control over infected devices. Think: keylogging, screen recording, and even disabling your security apps. It's basically giving hackers a backstage pass to your digital life.
The malware's currently targeting European banking customers with sophisticated overlay attacks — spoofing legit banking apps to steal credentials and drain accounts. Financial institutions in Spain, Italy, and Germany are on high alert.
Sturnus spreads through third-party app stores and malicious ads masquerading as system updates. Once installed, it hides its icon and requests extensive permissions — accessibility services, screen recording, and device admin rights — basically everything it needs to become your phone's unwanted overlord.
Security researchers at THN confirm this is one of the most advanced mobile threats we've seen in 2025 — combining traditional banking trojan capabilities with next-gen surveillance features. The encryption-bypass technique is particularly nasty — proving that end-to-end encryption means nothing if malware can just read your screen.
  • Screen capture of decrypted chats from encrypted messaging apps
  • Full remote device control and keylogging capabilities
  • Targeted European banking fraud with overlay attacks
  • Spreads via third-party stores and fake system updates
  • Hides icon and requests extensive permissions post-installation
  • Active C2 communication for data exfiltration
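A defender-side triage check built from the traits listed above, as an added example that is not code from the ATLA WIRE article or from any vendor: it scores an installed-app inventory for the combination of sideloaded install, hidden launcher icon, enabled accessibility service, device-admin rights and overlay/screen-capture capability. The inventory format, package names and the two permission strings chosen as capture indicators are assumptions for illustration; on a real device the fields would be filled from `pm` and `dumpsys` output.

```python
"""Triage heuristic for Sturnus-style Android trojans (added example, constructed data)."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for vendor stores

# Permissions that let an app draw over other apps or capture the screen (assumed indicator set).
CAPTURE_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW",                   # overlay windows
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION",   # screen capture service
}

@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]        # None means sideloaded (adb / unknown source)
    launcher_icon: bool             # does the app still expose a launcher activity?
    accessibility_enabled: bool     # present in enabled_accessibility_services
    device_admin: bool              # active device administrator
    permissions: set[str] = field(default_factory=set)

def risk_score(app: InstalledApp) -> int:
    """Count how many of the five Sturnus-like traits an app exhibits (0..5)."""
    traits = [
        app.installer not in TRUSTED_INSTALLERS,   # sideloaded
        not app.launcher_icon,                     # icon hidden after install
        app.accessibility_enabled,                 # accessibility service abuse
        app.device_admin,                          # device admin rights
        bool(app.permissions & CAPTURE_PERMS),     # overlay / screen capture
    ]
    return sum(traits)

def triage(inventory: list[InstalledApp], threshold: int = 3) -> list[str]:
    """Return packages scoring at or above the threshold, highest score first."""
    hits = [(risk_score(a), a.package) for a in inventory]
    return [pkg for score, pkg in sorted(hits, reverse=True) if score >= threshold]

# Constructed sample inventory: a store-installed bank app, a legitimate
# accessibility helper, and a sideloaded "system update" showing every trait.
SAMPLE = [
    InstalledApp("com.example.bank", "com.android.vending", True, False, False,
                 {"android.permission.INTERNET"}),
    InstalledApp("com.example.screenreader", "com.android.vending", True, True, False, set()),
    InstalledApp("com.example.sysupdate", None, False, True, True,
                 {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.INTERNET"}),
]

if __name__ == "__main__":
    for app in SAMPLE:
        print(f"{app.package}: score {risk_score(app)}")
    print("review:", triage(SAMPLE))
```

A single trait is common in benign software (the screen reader scores 1), which is why the default threshold requires three traits together before a package is flagged for review.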
Bottom line: If you're sideloading apps or clicking suspicious update prompts, you're playing with fire. Stick to official app stores, keep your system updated, and maybe think twice before downloading that "urgent security patch" from a random website.
Tags: Android security, banking trojan, malware, screen capture, phishing