Security analysts at ThreatFabric have uncovered a new Android banking trojan with capabilities that place it well ahead of many existing malware families. The trojan, named Sturnus, is still in testing but already targets financial institutions across Southern and Central Europe. Researchers believe this setup signals an upcoming large-scale campaign. Sturnus has advanced communication methods, broad device support and sophisticated anti-analysis behaviour, making it particularly dangerous.
The malware’s name comes from Sturnus vulgaris, or the European Starling, known for its rapid and irregular vocal patterns. ThreatFabric says the malware’s communication protocol mirrors that unpredictability, frequently switching between simple and complex message structures.
Sturnus does not break end-to-end encryption. Encryption protects messages in transit and in storage, but the messaging app must render them as plaintext on the screen, and an app that has been granted Android's Accessibility Service permission can read that rendered UI content. Once the victim enables the permission, Sturnus monitors whichever app is in the foreground and, when WhatsApp, Telegram or Signal is opened, automatically harvests the text of the on-screen UI elements. This gives the operators full visibility into conversations, contacts and real-time message activity without touching the cryptography at all.
The malware disguises itself as legitimate apps, using labels such as Google Chrome or Preemix Box, to trick users into installing it. Once active, Sturnus focuses on stealing banking credentials through two primary methods. The first is a classic overlay: a fake login page is drawn on top of the real banking app, and usernames and passwords are captured as the user types them. The second is what ThreatFabric calls a Black Screen attack. The screen is blacked out so that the device appears to be switched off or asleep, while behind it the malware drives the banking app and executes transactions, allowing attackers to drain accounts without the victim noticing anything on the display.
ThreatFabric warns that Sturnus is engineered to remain on the device for as long as possible. It acquires device administrator privileges and uses them to block uninstallation, and it monitors device conditions such as battery level, sensor activity and network status to judge whether it is running in an analysis environment; if it suspects scrutiny, it hides its operations. When the user tries to revoke its permissions or remove the app, Sturnus detects the relevant settings screen, intercepts the action and automatically navigates back, so the change is never completed.
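The two footholds described above, an accessibility service plus a device-admin receiver held by one unexpected package, are visible on a device without any malware sample in hand. The following Python script is an added triage example, not ThreatFabric's tooling and not code from the malware: it parses the value of `settings get secure enabled_accessibility_services` and the "Enabled Device Admins" block of `dumpsys device_policy` (both fetched over adb on a real device), compares them against allowlists, and raises a high-severity finding for any package that holds both. The sample inputs, the package name `com.example.preemixbox`, the allowlists and the assumed dumpsys layout are all constructed for this example; the exact dumpsys format varies by Android version.

```python
"""Triage helper: flag packages holding accessibility and/or device-admin rights.

Added example, not ThreatFabric's code and not Sturnus code. On a real device the
inputs come from:
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys device_policy
The device_policy parser assumes an "Enabled Device Admins" header followed by
one indented flattened ComponentName (package/class) per line; adjust for your
Android version.
"""
from dataclasses import dataclass

# Constructed sample of the accessibility setting: colon-separated pkg/class entries.
SAMPLE_ACCESSIBILITY_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.preemixbox/com.example.preemixbox.AccessService"
)

# Constructed sample of a dumpsys device_policy excerpt (layout is an assumption).
SAMPLE_DEVICE_POLICY_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.preemixbox/.AdminReceiver
    com.android.managedprovisioning/.DeviceAdminReceiver
  Password owner: -1
"""

# Hypothetical allowlists: what a responder expects on a managed fleet.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}
DEVICE_ADMIN_ALLOWLIST = {"com.android.managedprovisioning"}


def parse_accessibility_services(setting: str) -> dict[str, str]:
    """Map package -> service class from the colon-separated setting value."""
    services: dict[str, str] = {}
    for entry in setting.split(":"):
        entry = entry.strip()
        if not entry or entry == "null":  # "null" is printed when nothing is enabled
            continue
        pkg, _, cls = entry.partition("/")
        services[pkg] = cls
    return services


def parse_device_admins(dump: str) -> set[str]:
    """Collect packages listed under an 'Enabled Device Admins' header."""
    admins: set[str] = set()
    header_indent = None
    for line in dump.splitlines():
        stripped = line.strip()
        indent = len(line) - len(line.lstrip())
        if stripped.startswith("Enabled Device Admins"):
            header_indent = indent
            continue
        if header_indent is None:
            continue
        if indent <= header_indent:  # back at header level: block is over
            header_indent = None
            continue
        if "/" in stripped:
            admins.add(stripped.partition("/")[0])
    return admins


@dataclass
class Finding:
    package: str
    severity: str
    reason: str


def triage(setting: str, dump: str,
           acc_allow: set[str] = ACCESSIBILITY_ALLOWLIST,
           admin_allow: set[str] = DEVICE_ADMIN_ALLOWLIST) -> list[Finding]:
    """Return findings for unexpected accessibility services and device admins."""
    services = parse_accessibility_services(setting)
    admins = parse_device_admins(dump)
    findings: list[Finding] = []
    for pkg, cls in services.items():
        if pkg not in acc_allow:
            findings.append(Finding(pkg, "medium", f"unexpected accessibility service {cls}"))
    for pkg in sorted(admins):
        if pkg not in admin_allow:
            findings.append(Finding(pkg, "medium", "unexpected device admin receiver"))
    # The combination described in the report: screen reading plus uninstall blocking.
    for pkg in sorted(set(services) & admins):
        if pkg not in acc_allow or pkg not in admin_allow:
            findings.append(Finding(pkg, "high", "holds both accessibility and device admin"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_ACCESSIBILITY_SETTING, SAMPLE_DEVICE_POLICY_DUMP):
        print(f"[{f.severity}] {f.package}: {f.reason}")
```

A package that is flagged high should be inspected before anything is removed: as the report notes, an app holding both rights can watch the Settings UI and press back when the removal screen appears, so removal may need Safe Mode or `adb shell pm uninstall --user 0` after revoking the admin receiver.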
