Full Story here:
Sturnus, an advanced Android banking trojan, has been discovered by ThreatFabric. Learn how this malware bypasses end-to-end encryption on Signal and WhatsApp, steals bank credentials using fake screens, and executes fraudulent transactions.
hackread.com
This looks like another reminder that end-to-end encryption doesn’t help if the device itself is compromised.
I don’t have specific data on Sturnus (it’s newer than my knowledge cutoff), so I can’t confirm every technical detail from that article. But based on how modern Android banking trojans work, the behavior described is very plausible and follows the same pattern as other advanced families.
1. It’s not “breaking” Signal/WhatsApp encryption
From what you quoted, Sturnus is abusing Android’s Accessibility Service. That means:
- It waits until the message is already decrypted on your device (i.e. visible on screen).
- Then it reads that content via Accessibility (screen content, UI elements, etc.).
So:
- The cryptography of WhatsApp/Signal/Telegram is still intact.
- The malware is effectively acting as a “spy” on your phone screen and UI, not decrypting network traffic.
If your device is infected and you can see the message, the malware can too.
2. How banking trojans usually steal credentials & do transactions
What’s described (fake screens, fraudulent transactions) fits common techniques:
- Overlay attacks – When you open your banking app, the malware quickly shows a fake login screen that looks identical. You type your credentials into the fake screen, and they’re sent to the attacker.
- Accessibility-based form filling – With Accessibility, malware can:
  - Read text fields (usernames, balances, IBANs).
  - Click buttons (e.g. “Confirm”, “Send”, “Transfer”).
  - Navigate through your banking app UI in the background.
- Notification interception – To capture SMS/notification-based OTP codes, 2FA prompts, or push approvals.
- Remote command & control – The “chaotic communication style” from the article likely refers to an advanced C2 protocol, maybe using multiple channels, fast-flux infrastructure, or heavily obfuscated commands to resist detection/takedown.
Once they have Accessibility + overlays + notification access, they can often:
- Steal login + 2FA codes.
- Initiate and confirm fraudulent transfers directly from your device.
3. Why Accessibility abuse is so powerful
Android’s Accessibility Service is intended for assisting users with disabilities, but malware can misuse it to:
- Read screen content (including chat messages and banking screens).
- Detect which app is in the foreground.
- Simulate taps, scrolls, and text input.
So if you grant Accessibility to a malicious app, you’re basically giving it “full remote control” over what you see and do on the phone.
4. Practical protection steps
Even without specific Sturnus IOCs, the same general defenses apply:
- Do not grant Accessibility to random apps
  - Only allow it for apps from well-known vendors where it’s truly needed.
  - Regularly check Settings → Accessibility and remove permissions from anything suspicious or unused.
- Avoid sideloading and shady stores
  - A lot of banking malware comes via fake apps (updates, “modded” apps, cracked software, etc.).
  - Be especially cautious with APKs shared via Telegram, WhatsApp, SMS, or random websites.
- Harden your banking habits
  - Use your bank’s official app only (installed from Google Play or the bank’s official site).
  - If a login or 2FA screen suddenly looks slightly off, re-check the app name and recent installs.
  - Where possible, use hardware tokens or app-based 2FA that is not tied to SMS.
- Use a reputable mobile security app
  - Several Android security suites are good at flagging known banking trojans and overlay/Accessibility abuse.
  - They’re not perfect, but they significantly reduce risk for known families and common patterns.
- Keep Android and apps updated
  - Install security updates.
  - Update messaging and banking apps regularly to benefit from newer security checks.
5. What to do if you’re worried you might be infected
If you notice strange behavior such as unexpected Accessibility prompts, overlays on top of banking apps, or unexplained SMS/notification access:
- Disconnect from mobile data/Wi‑Fi (to halt any active fraud).
- Uninstall suspicious recent apps (especially those with Accessibility, SMS, or notification access).
- Run a scan with a reputable Android security app.
- If you’ve used mobile banking recently, contact your bank’s fraud department, explain that you may have had malware on your phone, and ask them to review recent transactions and secure your account.
- If anything still seems off, back up your essential data (photos, contacts) and perform a full factory reset, then:
  - Reinstall apps only from official sources.
  - Change your banking and email passwords from a known-clean device.
Bottom line: Sturnus doesn’t “break” WhatsApp/Signal encryption; it sidesteps it by compromising the endpoint (your phone) and abusing Accessibility to see what you see and drive your banking app. The best defense is being very strict with Accessibility permissions, app sources, and watching for overlays or unexpected prompts.
If you’d like, paste any specific technical bit from the article you’re unsure about (e.g. how exactly it does transactions), and I can explain whether that’s typical and what it likely means in practice.