The malware can monitor everything displayed on a phone in real time — including contacts, full message threads and the content of encrypted chats — by accessing data after it has been decrypted by legitimate apps.
Analysis Summary
# Tool/Technique: Sturnus
## Overview
Sturnus is a newly identified Android banking trojan capable of intercepting sensitive user data, including contacts, full message threads, and the content of encrypted chats, by accessing the data *after* it has been decrypted by legitimate applications. It is designed to steal banking credentials and provides attackers with near-total remote control over infected devices.
## Technical Details
- Type: Malware (Banking Trojan)
- Platform: Android
- Capabilities: Real-time content monitoring (including decrypted encrypted chats), injection of text, observation of user activity, execution of transactions, display of convincing fake login screens (overlays).
- First Seen: Available information indicates that ThreatFabric identified the malware around November 2025; it is still considered to be in development or limited testing.
## MITRE ATT&CK Mapping
The capabilities described primarily map to actions related to credential access and execution on a mobile device.
- **TA0006 - Credential Access**
- T1003 - OS Credential Dumping (Applied conceptually to accessing decrypted data structures)
- **TA0002 - Execution**
- T1486 - Screen Capture (Implied by monitoring everything displayed)
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information (Through the use of overlays to hide malicious activity)
- **TA0011 - Command and Control**
- T1433 - Ingress Tool Transfer (Implied for receiving initial instructions/updates)
*(Note: Specific T-numbers for mobile are often T14xx; standard enterprise T-numbers are used here as direct mobile mappings for this specific functionality were not explicitly provided in the source material.)*
## Functionality
### Core Capabilities
- Stealing banking credentials via convincing fake login screens.
- Monitoring all screen activity in real time.
- Stealing contacts and full message threads.
- Intercepting content from encrypted messaging apps (WhatsApp, Telegram, Signal) after decryption by the host app.
### Advanced Features
- **Decrypted Content Access:** Accessing data *after* it has been decrypted by legitimate applications (a highly privileged access method).
- **Overlay Attacks:** Injecting text, observing user behavior, and executing financial transactions while displaying a transparent or black full-screen overlay to conceal operations from the victim.
- **Targeted Preparation:** Already configured with banking templates targeting banks in Southern and Central Europe.
## Indicators of Compromise
*Note: The article does not provide specific IOCs, only research observations.*
- File Hashes: [Not available in source]
- File Names: [Not available in source]
- Registry Keys: [Not applicable to Android; equivalent persistent configuration would live in the app's own files and directories]
- Network Indicators: [Not available in source] - Communication with C2 infrastructure for command execution and data exfiltration is likely.
- Behavioral Indicators: Displaying full-screen overlays during banking sessions; unauthorized data access requests matching high-value applications (messaging, contacts).
## Associated Threat Actors
- Unattributed; discovered by ThreatFabric. The targeted geography suggests actors preparing for campaigns focused on Southern and Central European financial institutions.
## Detection Methods
- Signature-based detection: Requires signatures developed after analysis of the Sturnus binaries.
- Behavioral detection: Monitoring for applications that request excessive accessibility permissions or draw overlays over high-value financial or messaging applications. Monitoring for attempts to read content that other applications have already decrypted.
- YARA rules: [Not available in source]
## Mitigation Strategies
- Prevention measures: Restricting installation of applications from sources other than the Google Play Store; requiring strong multi-factor authentication on all banking applications.
- Hardening recommendations: Regularly review and revoke accessibility and screen overlay permissions granted to suspicious or non-essential third-party applications. Keep the Android OS updated to patch potential security vulnerabilities that malware could exploit for high-level access.
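The behavioral check above and the permission-review recommendation can be turned into a repeatable triage step. The script below is an added example written for this summary, not code from ThreatFabric or from the article: it lists the third-party packages that hold both an enabled accessibility service and the overlay (SYSTEM_ALERT_WINDOW) permission, the combination an overlay trojan needs to read the screen and cover it with a fake login page. The package names and device output are constructed samples so the parsing runs offline; `collect_from_device` pulls the real values over adb when a device is attached.

```shell
#!/bin/sh
# Added example: find third-party apps holding both accessibility and overlay permissions.

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`
# (colon-separated package/service entries; all names are made up).
SAMPLE_A11Y='com.vendor.talkback/.TalkBackService:com.example.updater/.AccessService'

# Constructed sample: one `pm list packages -3` entry per line, followed by the first
# line of `appops get <pkg> SYSTEM_ALERT_WINDOW` for that package.
SAMPLE_APPOPS='package:com.example.updater SYSTEM_ALERT_WINDOW: allow
package:com.bank.app SYSTEM_ALERT_WINDOW: deny
package:com.game.fun No operations.'

# Print one package name per line for every enabled accessibility service.
# `settings get` prints "null" when nothing is enabled, so that token is dropped.
a11y_packages() {
  printf '%s\n' "$1" | tr ':' '\n' | sed 's#/.*##' | grep -v '^$' | grep -vx null || true
}

# Print the packages whose SYSTEM_ALERT_WINDOW app-op is set to allow.
overlay_packages() {
  printf '%s\n' "$1" | awk '/SYSTEM_ALERT_WINDOW: allow/ { sub(/^package:/, "", $1); print $1 }'
}

# Print packages present in BOTH lists. Exit status 0 if any were found, 1 otherwise.
suspicious_packages() {
  a11y=$(a11y_packages "$1")
  found=1
  for p in $(overlay_packages "$2"); do
    if printf '%s\n' "$a11y" | grep -qx "$p"; then
      printf '%s\n' "$p"
      found=0
    fi
  done
  return $found
}

# Gather the live values from an attached device and run the same check.
collect_from_device() {
  command -v adb >/dev/null || { echo 'adb not found' >&2; return 2; }
  a11y=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  appops=''
  for p in $(adb shell pm list packages -3 | tr -d '\r'); do
    line=$(adb shell appops get "${p#package:}" SYSTEM_ALERT_WINDOW | tr -d '\r' | head -n 1)
    appops="$appops
$p $line"
  done
  suspicious_packages "$a11y" "$appops"
}
```

Run `collect_from_device` on a device to get the list to review; every package it prints deserves a manual check of why it needs both permissions, and revoking either one removes the capability described in the overlay section.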
## Related Tools/Techniques
- **Herodotus:** A separate Android strain that mimics human behavior to evade detection.
- **Crocodilus:** An Android trojan used for taking full remote control of phones to steal funds.
- Standard Android Banking Trojans utilizing overlay attacks and accessibility features for credential harvesting.