
New Android banking malware ‘Sturnus’ hacks phones

By Gregory Zuckerman | Technology
Last updated: November 25, 2025 2:13 pm

An under-the-radar Android banking trojan, dubbed Sturnus, is taking control of users’ devices, in some cases spying on encrypted chat apps and carrying out financial fraud without detection. Discovered by MTI Security and analysed with help from ThreatFabric, the malware is already operating across parts of South and Central Europe including Italy, Germany, and Spain, and shows an unusually high level of sophistication for a strain that is still at an early stage of development.

Instead of using old-fashioned keyloggers, Sturnus relies on Android’s own powerful accessibility features and overlay permissions to monitor the screen, read text, and simulate touches. That lets attackers impersonate banking app interfaces with carefully pixel-matched HTML overlays and collect logins, PINs, and one-time codes. It can also pose as a system update window, hiding its activity in plain sight.

Table of Contents
  • How the Sturnus trojan operates on infected devices
  • Why it gets by Android defenses and safeguards
  • Who Sturnus targets across Europe and financial apps
  • How to protect yourself from the Sturnus malware
    • Enterprise controls for managing mobile threats
  • The bottom line on Sturnus and Android banking risks
[Image: A hooded figure representing a hacker sits behind a laptop showing the Android logo, surrounded by WhatsApp and Telegram icons and two broken padlocks.]

How the Sturnus trojan operates on infected devices

The infection begins with a sideloaded APK — typically masquerading as a well-known app such as a browser, or even as an Android system component. Once installed, Sturnus aggressively prompts for Accessibility Service privileges and the “Display over other apps” permission. From there it has a real-time view of on-screen content, allowing it to snoop on conversations in apps such as WhatsApp and Signal without having to break their encryption — all it is doing is reading what gets rendered on your screen.

With those permissions granted, Sturnus presents authentic-looking banking overlays to capture credentials, drives the real app’s interface to initiate transfers, and can control the device remotely. It escalates by obtaining device administrator privileges, which lets it resist removal, lock the phone, and intercept attempts to unlock it. Researchers also observed one evasion measure: the malware generates a 256-bit AES key on the device and talks to its command-and-control servers using hybrid RSA and AES encryption, making network-based detection more difficult.

Why it gets by Android defenses and safeguards

Sturnus doesn’t rely on a kernel bug and doesn’t root the phone. Instead, it uses social engineering to obtain powerful permissions that legitimate accessibility and floating-window apps also request, so the prompts look familiar. Because its overlays mimic real banking screens or system dialogs, users may not realize anything is amiss. Its device administrator privileges block ordinary uninstall attempts, and the app can resist removal over ADB, so a full reset is required in some cases.

“Play Protect has scanned over 100 billion apps for malware and other issues every day, all while running seamlessly in the background of your Android device,” Google said. “And with nearly 2.9 billion monthly active devices, Play Protect enables new app experiences that drive engagement and conversions.”

Last year, Google’s Play Protect detected more than 2.28 million policy-violating apps from potentially harmful developers on Google Play; it scans billions of installed apps across around 400 million devices. By contrast, APKs sideloaded from third-party stores are a high-risk entry point that those scans do not cover in the same way.


A phishing campaign or social-engineering lure that persuades a user to install an app from a message attachment, a download site, or another unofficial source, and then to approve the accessibility prompts that immediately follow, can hijack even a well-locked-down device in seconds.

Who Sturnus targets across Europe and financial apps

ThreatFabric’s early telemetry places the campaigns in South and Central Europe, but banking trojans typically spread quickly once operators optimize distribution. The targets are predictable: mobile banking and finance apps, cryptocurrency wallets, and any messaging platform that can be used for social engineering. Because Sturnus reads the screen and simulates the interface, end-to-end chat encryption and app sandboxing offer only minimal protection.

How to protect yourself from the Sturnus malware

  • Avoid sideloading. Only install apps from reputable markets. Be wary of any notification to install an update from a website, pop-up window, or messaging app; genuine system updates arrive through Settings, not through a link or attachment.
  • Lock down Accessibility. Check Accessibility Services and “Display over other apps.” Do not enable any service that you don’t recognize or want. A real app should work without ever-present, blanket accessibility access.
  • Harden installation paths. Turn off “Install unknown apps” for browsers and messaging apps. Keep Play Protect turned on and consider a second reputable mobile security suite to analyze sideloaded packages and identify overlay behavior.
  • Update aggressively. Keep your Android security and Google Play system updates installed. Many malware families rely on legacy APIs and lenient permission models that newer builds restrict.
  • Practice banking hygiene. Activate 2FA, transaction alerts, and in-app notifications. If something looks odd, for instance your banking screen suddenly changes layout and demands your full card number (PAN) as well as your PIN, and the app won’t let you switch away to do anything else, stop and contact your bank through another channel.
  • Know the cleanup steps. If you suspect an infection, disconnect from Wi‑Fi and mobile data, then go to Settings > Security > Device admin apps to revoke rights from any admin applications that look suspect. Boot into safe mode and remove the offending app. If removal is prevented, or the issue persists, back up important contents and perform a factory data reset. Then change your banking passwords, revoke app tokens, and ask your bank to monitor or freeze affected accounts.

Enterprise controls for managing mobile threats

For enterprises, enforce MDM policies that disallow sideloading, block accessibility and overlay permissions for unapproved apps, and mandate Play Integrity checks. Likewise, banking apps can harden themselves against overlays by detecting windows drawn on top of them and forcing re-authentication whenever such an overlay is present.
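The app-side controls just described, as an added example that is not code from the article, ThreatFabric, MTI Security, or any real banking app: it hides untrusted overlays where the platform allows it, treats a touch that arrived through an obscuring window as grounds for re-authentication, and re-authenticates when an unrecognised accessibility service is enabled. The class name, the allowlist contents and the requireReauthentication() hook are assumptions.

```java
import android.app.Activity;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;
import android.provider.Settings;
import android.view.MotionEvent;
import java.util.Collections;
import java.util.Set;

/** Constructed example; the class name, allowlist and re-auth hook are hypothetical. */
public class OverlayHardenedActivity extends Activity {
    // Hypothetical allowlist: accessibility services the app tolerates (here, Google's TalkBack).
    static final Set<String> KNOWN_GOOD_SERVICES = Collections.singleton(
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService");

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        // Android 12 (API 31) and later: ask the system not to draw untrusted overlays above us.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }
    }

    @Override
    protected void onResume() {
        super.onResume();
        // Re-check each time we return to the foreground: a service may have been enabled since.
        if (hasUnknownAccessibilityService(this)) requireReauthentication();
    }

    /** Every touch passes through here; reject any delivered while another window covers ours. */
    @Override
    public boolean dispatchTouchEvent(MotionEvent ev) {
        if ((ev.getFlags() & MotionEvent.FLAG_WINDOW_IS_OBSCURED) != 0) {
            requireReauthentication();
            return true; // consume it so nothing underneath the overlay reacts
        }
        return super.dispatchTouchEvent(ev);
    }

    /** True if any enabled accessibility service (colon-separated component names) is off-list. */
    static boolean hasUnknownAccessibilityService(Context ctx) {
        String enabled = Settings.Secure.getString(ctx.getContentResolver(),
                Settings.Secure.ENABLED_ACCESSIBILITY_SERVICES);
        if (enabled == null) return false;
        for (String svc : enabled.split(":")) {
            if (!svc.isEmpty() && !KNOWN_GOOD_SERVICES.contains(svc)) return true;
        }
        return false;
    }

    private void requireReauthentication() { finish(); } // hypothetical hook: back to login
}
```

On releases older than Android 12 the overlay cannot be suppressed, so the obscured-touch check is the only one of the three controls that applies there.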

The bottom line on Sturnus and Android banking risks

Sturnus is a reminder that the most pernicious Android malware of today behaves like a user, not a hacker — staring at screens, tapping buttons, and emulating trusted interfaces.

Until distribution is universally stamped out, the best defense is simple: don’t install what you didn’t go looking for, read permission prompts skeptically, and treat any unexpected “update” window as hostile until proven otherwise.

Gregory Zuckerman is a veteran investigative journalist and financial writer with decades of experience covering global markets, investment strategies, and the business personalities shaping them. His writing blends deep reporting with narrative storytelling to uncover the hidden forces behind financial trends and innovations. Over the years, Gregory’s work has earned industry recognition for bringing clarity to complex financial topics, and he continues to focus on long-form journalism that explores hedge funds, private equity, and high-stakes investing.