BEWARE: New Android Malware Can Read Your Chats And Drain Your Bank Account
By Belaaz HQ
Published Dec. 24, 2025, 1:09 PM

A newly discovered Android banking trojan known as Sturnus is emerging as one of the most dangerous mobile threats seen in recent years. Although it is still under development, cybersecurity experts say it already operates with the sophistication of a fully mature malware operation.
Once installed on a device, Sturnus can seize control of the screen, harvest banking login details, and read private messages from popular apps. What makes it especially alarming is how quietly it functions. Users may assume their conversations are protected by end-to-end encryption, but the malware simply waits until the phone decrypts the messages and then captures them in plain text.
Researchers stress that Sturnus does not crack encryption itself. Instead, it exploits the moment after apps decrypt messages locally, allowing it to collect conversations without triggering obvious alarms.
According to cybersecurity firm ThreatFabric, Sturnus uses multiple attack layers that give operators near-total visibility into an infected phone. It deploys fake screens that closely imitate legitimate banking apps, tricking victims into entering their credentials. Everything typed into these overlays is instantly transmitted to attackers. The malware also abuses Android’s Accessibility Service to log keystrokes, track which apps are open, and map every element displayed on the screen, even when screenshots are blocked.
Beyond banking apps, Sturnus actively monitors messaging platforms such as WhatsApp, Telegram, and Signal. It captures messages the moment they appear on the screen after being decrypted. While the messages remain encrypted in transit, the malware can see entire conversations once they are displayed. It also includes powerful remote-control tools, enabling attackers to stream the screen live or silently manipulate the interface by injecting taps, scrolling, text input, and permission approvals without the user noticing.
To stay hidden, Sturnus aggressively defends itself by obtaining Device Administrator privileges and blocking removal attempts. If a user navigates to Settings to disable those permissions, the malware detects the action and forces the user away from that screen before the change can be made. It also tracks battery levels, SIM changes, network conditions, developer mode, and signs of forensic analysis, adjusting its behavior accordingly. Communications with its command-and-control servers are protected using RSA and AES encryption.
When it comes to stealing money, Sturnus offers attackers multiple options. It can collect credentials through overlays, keylogging, screen monitoring, and direct text injection. In some cases, it blacks out the victim’s screen entirely while fraudulent transactions are carried out in the background, leaving users unaware until the damage is done.
Security experts recommend several steps to reduce the risk of infection. These include installing apps only from trusted sources, scrutinizing permission requests—especially Accessibility and Device Administrator access—keeping devices fully updated, and using reputable antivirus software. Users are also urged to treat unusual login screens as warning signs, avoid clicking unexpected links or attachments, and consider personal data removal services to limit exposure from leaked or brokered information.
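The two permissions the article singles out, Accessibility and Device Administrator, can be audited from a connected device. The following triage script is an added example (not from the article or ThreatFabric): it takes the text of `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys device_policy`, parses them under the assumed formats noted in the comments, and flags any package outside an assumed allowlist that holds either power. The sample output and the package names in it are constructed.

```python
"""Triage helper: flag unexpected Accessibility services and Device Admins.

Input is text captured from an Android device, e.g.
  adb shell settings get secure enabled_accessibility_services
  adb shell dumpsys device_policy
The sample values below are CONSTRUCTED; the dumpsys layout is an assumption.
"""
import re

# Assumed allowlist: packages a defender expects to hold these powers.
TRUSTED_PACKAGES = {"com.android.settings", "com.google.android.marvin.talkback"}

def parse_accessibility_services(raw: str) -> set[str]:
    """Parse the colon-separated ComponentName list (pkg/cls) into package names."""
    pkgs = set()
    for comp in raw.strip().split(":"):
        if comp and "/" in comp:
            pkgs.add(comp.split("/", 1)[0])
    return pkgs

def parse_device_admins(dumpsys: str) -> set[str]:
    """Extract admin packages from ComponentInfo{pkg/cls} entries (assumed format)."""
    return {m.group(1).split("/", 1)[0]
            for m in re.finditer(r"ComponentInfo\{([^}]+)\}", dumpsys)}

def suspicious_grants(acc_raw: str, dumpsys: str, trusted=TRUSTED_PACKAGES) -> dict:
    """Return {package: [capabilities]} for packages outside the allowlist."""
    findings: dict[str, list[str]] = {}
    for pkg in sorted(parse_accessibility_services(acc_raw) - trusted):
        findings.setdefault(pkg, []).append("accessibility")
    for pkg in sorted(parse_device_admins(dumpsys) - trusted):
        findings.setdefault(pkg, []).append("device_admin")
    return findings

# Constructed sample: a legitimate TalkBack entry plus an unknown package holding both powers.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.update.service/com.update.service.AccessService"
)
SAMPLE_DUMPSYS = """\
Enabled Device Admins (User 0, provisioningState: 0):
  ComponentInfo{com.update.service/com.update.service.AdminReceiver}
    uid=10234
"""

if __name__ == "__main__":
    for pkg, caps in suspicious_grants(SAMPLE_ACCESSIBILITY, SAMPLE_DUMPSYS).items():
        print(f"REVIEW {pkg}: holds {', '.join(caps)}")
```

A package that appears with both capabilities and is not a known accessibility tool or MDM agent matches the persistence pattern described above and warrants removal from a safe-mode boot or a factory reset.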
Despite being a relatively new malware family, Sturnus already stands out for its depth of control and stealth. By bypassing the practical protections of encrypted messaging, maintaining persistence on devices, and offering attackers multiple fallback methods for financial theft, it represents a serious and evolving threat. If it spreads more widely, experts warn it could become one of the most damaging Android banking trojans currently in circulation.