Sturnus Android Malware Can Eavesdrop on Encrypted Signal and WhatsApp Conversations
A newly uncovered Android banking trojan known as Sturnus has been found to bypass the security of encrypted messaging apps such as WhatsApp, Telegram, and Signal by capturing message content directly from the device screen after decryption.
Although currently in early testing, the malware is fully functional and equipped with extensive features, including credential theft and complete remote control of infected devices. Researchers at ThreatFabric detected Sturnus in attacks targeting financial institutions across Southern and Central Europe. The trojan offers phishing overlays, accessibility-based keylogging, environmental monitoring, and VNC-based remote control. It is designed for stealth, concealing itself with black screen overlays and using administrator-level privileges to prevent removal.
Figure 1. Sturnus Android Malware.
Intercepting Encrypted Messages
Sturnus’ most concerning capability is its method of circumventing end-to-end encryption. Instead of breaking encryption protocols, it exploits Android’s Accessibility Services to monitor screen content after messages are decrypted and displayed. When apps like WhatsApp, Telegram, or Signal are opened, the malware triggers a UI-data capture mechanism that reads all visible screen information—including sender details, messages, and timestamps—in real time. Since the interception happens locally on the device, encryption provides no protection, allowing attackers to view private conversations without alerting the user. Figure 1 shows Sturnus Android Malware.
Credential Theft & Device Takeover
Beyond spying on messaging apps, Sturnus includes a full set of banking-malware tools. It can deploy HTML-based phishing overlays customized for specific banks to steal login credentials [1]. It logs every interaction via Accessibility events, enabling detailed reconstruction of user activity, even when screen-capture protections are active.
The malware also supports dual remote-access modes: real-time display sharing using Android’s screen capture API, and a low-bandwidth interaction mode that manipulates UI elements to perform actions such as entering text or executing transactions—often under the cover of a black screen.
Protection Measures
To defend against Sturnus:
- Avoid sideloading apps or APKs from unknown sources.
- Regularly review which apps have Accessibility Service permissions.
- Use Google Play Protect to scan for and remove known threats.
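One way to act on the second item above in an audit script, as an added example that is not taken from the article, ThreatFabric, or any Sturnus sample: pull the device's enabled Accessibility Services over adb and flag any entry not on an allowlist. The allowlist entry and the sample value are assumptions constructed for illustration, and `audit_device` assumes adb is installed with a debuggable device attached.

```shell
#!/bin/sh
# Added example: audit which apps hold Accessibility Service access on an
# Android device, since Sturnus reads decrypted chat screens through that API.
# Android stores enabled services in the secure setting
# "enabled_accessibility_services" as colon-separated "package/ServiceClass" entries.

# Allowlist of services the device owner expects (assumption: illustrative
# entry only; replace with the services vetted for your own fleet).
ALLOWLIST="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Split the raw setting value into one "package/ServiceClass" per line.
split_services() {
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'
}

# Print every service not on the allowlist; return 1 if any were found.
flag_unexpected() {
    raw="$1"
    found=0
    for svc in $(split_services "$raw"); do
        case ":$ALLOWLIST:" in
            *":$svc:"*) ;;                       # expected service, skip
            *) echo "UNEXPECTED accessibility service: $svc"; found=1 ;;
        esac
    done
    return $found
}

# Read the live value from a connected device (requires adb and USB debugging).
# "null" is what the setting returns when no service has ever been enabled.
audit_device() {
    raw="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
    [ "$raw" = "null" ] && raw=""
    flag_unexpected "$raw"
}

# Constructed sample value standing in for device output: one legitimate
# screen reader plus a second, unrecognised service from a look-alike package.
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakeupdate/.ScreenReaderService"
```

Run `audit_device` against a real device, or `flag_unexpected "$SAMPLE"` for a dry run; a non-zero exit means at least one service needs review.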
References:
- https://cyberinsider.com/sturnus-android-malware-spies-on-encrypted-signal-whatsapp-chats/
Cite this article:
Keerthana S (2025), Sturnus Android Malware Can Eavesdrop on Encrypted Signal and WhatsApp Conversations, AnaTechMaz, pp.335