New Android Banking Trojan Sturnus Spreads Across Europe

A new Android banking trojan called Sturnus has been discovered that allows attackers to steal credentials and take control of devices for financial fraud. According to a Dutch mobile security company, Sturnus bypasses encrypted messaging apps and stages overlay attacks on banking apps to capture user information.

The malware targets financial institutions in Southern and Central Europe with region-specific overlays. It communicates with a remote server over WebSocket and HTTP channels to receive encrypted payloads and register the device. Sturnus also abuses Android’s accessibility services to capture keystrokes and record user interface interactions.
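Because the accessibility-service abuse described above requires the service to be enabled on the device, a device audit can surface it. The following is an added example, not code from the report or the source article: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3` and flags accessibility services owned by user-installed apps outside an allowlist. The package names, sample outputs and allowlist are constructed assumptions.

```python
import subprocess

# Constructed sample outputs (not from a real device and not Sturnus indicators).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.sysupdate/com.example.sysupdate.core.A11yService")
SAMPLE_THIRD_PARTY = "package:com.example.sysupdate\npackage:org.example.bank\n"
ALLOWLIST = {"com.google.android.marvin.talkback"}  # assumption: approved by your policy


def parse_services(raw):
    """Parse `settings get secure enabled_accessibility_services` output."""
    raw = raw.strip()
    if not raw or raw == "null":       # setting unset: no service enabled
        return []
    services = []
    for comp in raw.split(":"):        # entries are colon-separated pkg/class names
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):        # short form: class name relative to the package
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def parse_packages(raw):
    """Parse `pm list packages -3` output (user-installed apps only)."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}


def suspicious_services(a11y_raw, third_party_raw, allowlist=ALLOWLIST):
    """Accessibility services owned by user-installed, non-allowlisted apps."""
    third_party = parse_packages(third_party_raw)
    return [(pkg, cls) for pkg, cls in parse_services(a11y_raw)
            if pkg in third_party and pkg not in allowlist]


def adb(*args):
    """Run an adb shell command against the connected device and return stdout."""
    return subprocess.run(["adb", "shell", *args],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # For a real device, replace the samples with
    # adb("settings", "get", "secure", "enabled_accessibility_services")
    # and adb("pm", "list", "packages", "-3").
    for pkg, cls in suspicious_services(SAMPLE_A11Y, SAMPLE_THIRD_PARTY):
        print(f"review: {pkg} runs accessibility service {cls}")
```

A flagged entry is a prompt for review, not a verdict: legitimate password managers and assistive tools also register accessibility services.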

Once launched, Sturnus displays a full-screen overlay that blocks visual feedback, mimicking an operating system update screen. This allows malicious actions to be carried out in the background while keeping the user unaware. The malware can monitor device activity, gather chat contents from messaging apps, and even remotely issue actions on the device.

Sturnus is designed to adapt its tactics based on the device’s environment, making it challenging to detect. While its spread remains limited, the attackers are refining their tooling ahead of broader operations.

Source: https://thehackernews.com/2025/11/new-sturnus-android-trojan-quietly.html