New Android malware can capture private messages, researchers warn
Summary
Researchers at ThreatFabric have identified a new Android banking trojan called Sturnus. The malware can intercept and capture content from messaging apps — including WhatsApp, Telegram and Signal — by reading data after legitimate apps have decrypted it. Sturnus also uses convincing fake login screens to steal banking credentials, can inject text, observe user activity and run transactions while hiding that activity behind a full-screen overlay. Although its spread is currently limited and it is likely still in testing, it already contains templates targeting banks in Southern and Central Europe and is reportedly more advanced in some respects than existing families.
Key Points
- Sturnus is a banking trojan that captures on-screen content in real time, including decrypted messages from apps like WhatsApp, Telegram and Signal.
- The malware steals credentials with realistic fake login screens and can execute transactions while hiding activity behind a black full-screen overlay.
- Capabilities include screen monitoring, contact and full-thread capture, text injection and remote device control behaviours.
- ThreatFabric says Sturnus appears to be in development or limited testing but is already configured with bank-specific templates for Southern and Central Europe.
- Although spread is limited now, its advanced features and targeted geography suggest attackers are refining tooling for wider operations.
- Sturnus joins a recent wave of Android banking trojans (for example, Herodotus and Crocodilus) that focus on evasion and remote control of devices.
Content summary
ThreatFabric publicly disclosed Sturnus, detailing how the trojan hooks into the device's display and data flows to capture information once apps have decrypted it. The malware can impersonate legitimate login screens to harvest banking credentials and perform fraudulent operations while masking the activity from the user with overlays. Currently seen with templates for banks in parts of Europe, Sturnus appears functional but is likely still being refined by its operators.
The discovery is part of ongoing reporting about increasingly sophisticated Android banking trojans that mimic human behaviour or take full device control to steal funds and credentials.
Context and relevance
This is notable because it bypasses app-level protections by capturing data after decryption, rather than breaking the encryption itself. For security teams, app developers and Android users, it highlights that strong transport or end-to-end encryption isn’t enough if malware can read data post-decryption on the device. The regionally targeted bank templates indicate planned fraud campaigns rather than random opportunistic attacks.
Author’s take
This is a neat but nasty escalation — attackers are shifting to tools that exploit the moment apps decrypt data on your phone. If you’re responsible for mobile security or banking apps, read the full report to see the tactics and mitigations; it’s relevant now, not just theoretical.
Why should I read this?
Short and simple — if you use Android, manage mobile banking apps, or work in security: pay attention. This malware shows how attackers can sidestep encryption by harvesting data after it’s decrypted on-device, making familiar protections insufficient on their own. The article saves you time by flagging a fast-evolving threat and pointing to where it’s likely to strike next.
Source
Source: https://therecord.media/new-android-malware-captures-private-messages
