
New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices

Severity: Medium
Tags: Malware, android
Published: Thu Nov 20 2025 (11/20/2025, 11:04:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud. "A key differentiator is its ability to bypass encrypted messaging," ThreatFabric said in a report shared with The Hacker News. "By capturing content directly from the device screen after decryption, Sturnus can monitor

AI-Powered Analysis

Last updated: 11/20/2025, 13:20:59 UTC

Technical Analysis

Sturnus is an Android banking trojan, recently disclosed by ThreatFabric, that combines credential theft with full remote control of the infected device. Its most discussed capability is reading end-to-end encrypted chats on WhatsApp, Telegram and Signal. It does not break the encryption: the messaging app decrypts each message as designed and renders it on screen, and Sturnus reads the rendered plaintext from the screen through the same accessibility access it uses for everything else. The protection these apps provide against network interception and server-side access remains intact but is irrelevant once the endpoint itself is compromised.

For credential theft the trojan uses overlay attacks, drawing fake login screens over legitimate banking apps, with region-specific overlays aimed at financial institutions in Southern and Central Europe. Android's accessibility services let it log keystrokes, monitor UI elements and record user interactions, so the operators can reconstruct the device interface remotely and inject clicks, text input, scrolling and permission confirmations.

Command and control runs over WebSocket and HTTP, carrying encrypted payloads and a VNC-style remote-control session. For persistence Sturnus holds device administrator privileges, which block uninstallation through the normal settings flow and through ADB while the admin is active; it also detects the user opening the screen where those rights would be revoked and navigates away from it. Full-screen overlays imitating an Android system update screen hide its background activity while the operators work. It further collects device telemetry (sensor data, network conditions, hardware details and the list of installed apps), which lets the operators tailor their tactics to each victim.

The current assessment is medium severity with limited spread, and the campaign appears to be in an evaluation phase, which implies capacity for broader deployment. The evasion measures, targeted overlays and screen-level reading of encrypted chats make Sturnus a significant threat to Android users, particularly those using financial services in Europe.

Potential Impact

For European organizations, especially financial institutions and their customers, Sturnus presents a substantial risk. The trojan’s ability to bypass encrypted messaging apps undermines the confidentiality of sensitive communications, exposing personal and financial data that users assume to be secure. Credential theft via overlay attacks can lead to unauthorized access to banking accounts, facilitating fraudulent transactions and financial losses. Full device takeover capabilities allow attackers to manipulate devices remotely, potentially bypassing multi-factor authentication and other security controls. The malware’s persistence mechanisms complicate incident response and remediation efforts, increasing downtime and recovery costs. The targeted nature of overlays for Southern and Central European banks suggests a focused campaign that could disrupt regional financial ecosystems and erode trust in digital banking platforms. Additionally, the malware’s capability to monitor device activity and sensor data could lead to broader espionage or surveillance risks. Organizations may face regulatory repercussions under GDPR if customer data is compromised. Overall, Sturnus threatens the integrity, confidentiality, and availability of critical financial services and user data within Europe.

Mitigation Recommendations

European organizations should layer defenses against each of Sturnus's techniques rather than rely on a single control. Reduce the infection vector first: enforce application allowlisting on managed devices and block installation from unknown sources, which closes the sideloading route. Deploy mobile threat defense (MTD) tooling that detects overlay abuse, accessibility-service abuse and anomalous WebSocket traffic. Have users keep accessibility permissions limited to apps that genuinely need them, and audit granted accessibility, overlay ("draw over other apps") and device-administrator permissions regularly.

Financial institutions should run behavioral analytics on login and transaction patterns to catch fraud carried out from a legitimate but compromised device. App hardening helps only where it addresses the actual technique: certificate pinning protects the transport and does nothing against an overlay or a screen reader, and FLAG_SECURE blocks screenshots and screen recording but not reads of the accessibility tree. What does help is ignoring touches delivered while another window obscures the app (android:filterTouchesWhenObscured or View.setFilterTouchesWhenObscured), marking credential and transaction fields accessibility-data-sensitive (android:accessibilityDataSensitive, Android 14 and later) or excluding them from the accessibility tree, and checking at runtime which accessibility services are enabled before showing login or transaction screens, then warning the user or stepping up authentication when an unknown service is present. Educate users about the risks of sideloading and about recognizing fake login prompts and fake "system update" screens.

Incident response teams should expect malware that resists removal: while an app holds active device administrator rights, the uninstall option is disabled in Settings and adb uninstall or pm uninstall fail as well. The working procedure is to boot into safe mode (which stops third-party apps, including Sturnus's attempts to steer the user away from the settings screen), deactivate the device admin under Settings, uninstall the app, and factory reset if anything remains. Share samples and indicators with mobile OS and app-store vendors, monitor network traffic for unexpected WebSocket or VNC-style sessions originating from mobile devices, and keep threat intelligence feeds on emerging Android banking trojans current.
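The permission audit and device-admin check above can be scripted over adb output. The helper below is an added example, not code from the article or from ThreatFabric: it parses the value of `adb shell settings get secure enabled_accessibility_services` (a colon-separated list of package/class components) and the output of `adb shell dumpsys device_policy`, flags accessibility services missing from an allowlist, and lists active device admins. The two sample outputs, the allowlist and the package com.example.updater are constructed for illustration; the dumpsys layout is assumed from recent AOSP builds and may differ on OEM images.

```shell
#!/bin/sh
# Added triage helper (not from the article or ThreatFabric). Feed it the output of
#   adb shell settings get secure enabled_accessibility_services
#   adb shell dumpsys device_policy
# and it flags accessibility services not on an allowlist and lists active device admins.
# Both samples below are CONSTRUCTED; com.example.updater is a hypothetical package and
# the dumpsys layout is assumed from recent AOSP builds.

# enabled_accessibility_services: colon-separated <package>/<class> components.
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.updater/com.example.updater.SvcA'

# Constructed excerpt of `dumpsys device_policy`; admin components end with a colon.
SAMPLE_DPM='Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.updater/.AdminReceiver:
      uid=10234
      testOnlyAdmin=false
      policies:
        force-lock
        wipe-data'

# Allowlist of accessibility services, one component per line, exact match.
A11Y_ALLOW='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService'

# Print every enabled accessibility component in $1 that is not in allowlist $2.
flag_unknown_a11y() {
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r comp; do
    [ -n "$comp" ] || continue
    if ! printf '%s\n' "$2" | grep -qxF -- "$comp"; then
      printf '%s\n' "$comp"
    fi
  done
}

# Print the component name of each active device admin in dumpsys output $1.
# Matches indented lines of the form "<package>/<class>:" and drops the colon.
extract_admins() {
  printf '%s\n' "$1" | sed -n 's/^ *\([A-Za-z0-9_.]*\/[A-Za-z0-9_.$]*\):$/\1/p'
}

# Report findings; returns 0 only when nothing unexpected was found.
triage() {
  unknown="$(flag_unknown_a11y "$1" "$3")"
  admins="$(extract_admins "$2")"
  [ -n "$unknown" ] && printf 'Unknown accessibility services:\n%s\n' "$unknown"
  [ -n "$admins" ] && printf 'Active device admins:\n%s\n' "$admins"
  [ -z "$unknown" ] && [ -z "$admins" ]
}

triage "$SAMPLE_A11Y" "$SAMPLE_DPM" "$A11Y_ALLOW" \
  || echo "Review the entries above; check testOnlyAdmin in dumpsys before attempting removal."
```

On a real device, replace the two samples with the live adb output. A flagged admin whose dumpsys entry shows testOnlyAdmin=false cannot be removed with `adb shell dpm remove-active-admin`, and `pm uninstall` will fail while the admin is active; that is the case where the safe-mode procedure in the text applies.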


Technical Details

Article Source: https://thehackernews.com/2025/11/new-sturnus-android-trojan-quietly.html (fetched 2025-11-20T13:19:56Z, 1174 words)

Threat ID: 691f158663b28c178c8a261b

Added to database: 11/20/2025, 1:20:06 PM

Last enriched: 11/20/2025, 1:20:59 PM

Last updated: 11/21/2025, 3:19:46 PM
