Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices

The Hacker News by The Hacker News
November 20, 2025
Home Cybersecurity
Share on FacebookShare on Twitter


Nov 20, 2025Ravie LakshmananMalware / Mobile Security

Cybersecurity researchers have disclosed details of a new Android banking trojan called Sturnus that enables credential theft and full device takeover to conduct financial fraud.

“A key differentiator is its ability to bypass encrypted messaging,” ThreatFabric said in a report shared with The Hacker News. “By capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.”

Another notable feature is its ability to stage overlay attacks by serving fake login screens atop banking apps to capture victims’ credentials. According to the Dutch mobile security company, Sturnus is privately operated and is currently assessed to be in the evaluation stage. Artifacts distributing the banking malware are listed below –

  • Google Chrome (“com.klivkfbky.izaybebnx”)
  • Preemix Box (“com.uvxuthoq.noscjahae”)
DFIR Retainer Services

The malware has been designed to specifically single out financial institutions across Southern and Central Europe with region-specific overlays.

The name Sturnus is a nod to its use of a mixed communication pattern blending plaintext, AES, and RSA, with ThreatFabric likening it to the European starling (binomial name: Sturnus vulgaris), which incorporates a variety of whistles and is known to be a vocal mimic.

The trojan, once launched, contacts a remote server over WebSocket and HTTP channels to register the device and receive encrypted payloads in return. It also establishes a WebSocket channel to allow the threat actors to interact with the compromised Android device during Virtual Network Computing (VNC) sessions.

Besides serving fake overlays for banking apps, Sturnus is also capable of abusing Android’s accessibility services to capture keystrokes and record user interface (UI) interactions. As soon as an overlay for a bank is served to the victim and the credentials are harvested, the overlay for that specific target is disabled so as not to arouse the user’s suspicion.

Furthermore, it can display a full-screen overlay that blocks all visual feedback and mimics the Android operating system update screen to give the impression to the user that software updates are in progress, when, in reality, it allows malicious actions to be carried out in the background.

Some of the malware’s other features include support for monitoring device activity, as well as leveraging accessibility services to gather chat contents from Signal, Telegram, and WhatsApp, as well as send details about every visible interface element on the screen.

This allows the attackers to reconstruct the layout at their end and remotely issue actions related to clicks, text input, scrolling, app launches, permission confirmations, and even enable a black screen overlay. An alternate remote control mechanism packed into Sturnus uses the system’s display-capture framework to mirror the device screen in real-time.

“Whenever the user navigates to settings screens that could disable its administrator status, the malware detects the attempt through accessibility monitoring, identifies relevant controls, and automatically navigates away from the page to interrupt the user,” ThreatFabric said.

CIS Build Kits

“Until its administrator rights are manually revoked, both ordinary uninstallation and removal through tools like ADB are blocked, giving the malware strong protection against cleanup attempts.”

The extensive environment monitoring capabilities make it possible to collect sensor information, network conditions, hardware data, and an inventory of installed apps. This device profile serves as a continuous feedback loop, helping attackers adapt their tactics to sidestep detection.

“Although the spread remains limited at this stage, the combination of targeted geography and high-value application focus implies that the attackers are refining their tooling ahead of broader or more coordinated operations,” ThreatFabric said.



Source link

Tags: computer securitycyber attackscyber newscyber security newscyber security news todaycyber security updatescyber updatesdata breachhacker newshacking newshow to hackinformation securitynetwork securityransomware malwaresoftware vulnerabilitythe hacker news
The Hacker News

The Hacker News

Next Post
CTM360 Exposes a Global WhatsApp Hijacking Campaign: HackOnChat

CTM360 Exposes a Global WhatsApp Hijacking Campaign: HackOnChat

Recommended.

An AI Image Generator’s Exposed Database Reveals What People Really Used It For

An AI Image Generator’s Exposed Database Reveals What People Really Used It For

March 31, 2025
Slam dunk? Fundstrat’s Tom Lee considers two new themes for his Granny Shots ETF

Slam dunk? Fundstrat’s Tom Lee considers two new themes for his Granny Shots ETF

July 3, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio