Cybersecurity experts are warning about a new Android malware called Sturnus that can steal people’s money and personal data. Instead of breaking encryption, it misuses Android’s Accessibility Services to read messages, contact lists, and other private information from apps like WhatsApp, Telegram, and Signal. It can also pretend to be real apps such as Google Chrome or Preemix Box, so users may install it without realizing.
Once it gets into a phone, Sturnus can steal bank login details using fake login pages or make hidden money transfers by showing a fake “black screen” while it works in the background. It’s very hard to remove, blocks attempts to uninstall it, and constantly watches the device to avoid being caught. Although it is mainly affecting Europe right now, experts say everyone should be careful: only download apps from trusted sources, check app permissions, and keep your device updated to stay safe.
Sturnus does not directly hack the encryption of messaging apps. Instead, it abuses Android’s Accessibility Services to read messages displayed on the screen after they have been decrypted by the application. This allows it to monitor conversations, contact lists, and other sensitive information in real time. The malware can also track which app is currently open and automatically collect information when it detects apps like WhatsApp, Telegram, or Signal.
Sturnus can masquerade as real applications such as Google Chrome or Preemix Box, enticing users to install it without realising it might be malicious.
Experts have warned that Sturnus may commit financial fraud in two major ways. The first is fake login screens: the malware superimposes a sham bank login page over the legitimate app. Users enter their credentials, including usernames and passwords, and the attackers capture that information to access the victim’s accounts directly. The second is the black screen attack. Operating remotely, attackers can activate a black screen on the targeted device, making it appear as though the phone has been turned off. While this is happening, the attackers continue to operate the device in the background, conducting unauthorized transactions without the user knowing.
Sturnus is intended to stay on a device for a long time. It leverages administrator privileges to block any uninstallation efforts, and it monitors battery, sensor, and network activity to detect whether it is being analysed. If a user tries to remove it, the malware instantly blocks the action. Experts characterise the malware as extremely resilient and capable of concealing its activity, making it impossible to detect by standard security means.
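A defender-side triage for the two abuses described above (Accessibility Services access and administrator privileges), as an added example that is not from the original article or the researchers: it flags packages that hold both privileges and were not installed by a trusted store. The package `com.example.fakebrowser`, the sample outputs and the trusted-installer list are constructed assumptions.

```python
import re

# Installers treated as trusted stores (assumption; adjust to your own policy).
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_accessibility(raw):
    """Packages from `adb shell settings get secure enabled_accessibility_services`
    (colon-separated component names, or 'null' when none are enabled)."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {c.split("/", 1)[0] for c in raw.split(":") if "/" in c}

def parse_admins(raw):
    """Packages of every pkg/class component name in a device-admin listing."""
    return set(re.findall(r"([A-Za-z0-9_.]+)/[A-Za-z0-9_.$]+", raw))

def parse_installers(raw):
    """Map package -> installer from `adb shell pm list packages -i` output."""
    return dict(re.findall(r"package:(\S+)[ \t]+installer=(\S+)", raw))

def audit(acc_raw, admin_raw, pkg_raw):
    """Report each privileged package; preinstalled apps also show no installer."""
    acc, admins = parse_accessibility(acc_raw), parse_admins(admin_raw)
    installers = parse_installers(pkg_raw)
    findings = []
    for pkg in sorted(acc | admins):
        no_store = installers.get(pkg, "null") not in TRUSTED_INSTALLERS
        findings.append({"package": pkg, "accessibility": pkg in acc,
                         "device_admin": pkg in admins, "no_store": no_store,
                         "high_risk": pkg in acc and pkg in admins and no_store})
    return findings

# Constructed sample output (not captured from a real device).
SAMPLE_ACC = ("com.google.android.marvin.talkback/"
              "com.google.android.marvin.talkback.TalkBackService:"
              "com.example.fakebrowser/com.example.fakebrowser.CoreService")
SAMPLE_ADMINS = """Enabled Device Admins (User 0):
  com.example.fakebrowser/.AdminReceiver:
  com.google.android.gms/.mdm.receivers.MdmDeviceAdminReceiver:"""
SAMPLE_PKGS = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakebrowser  installer=null
package:com.google.android.gms  installer=com.android.vending"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_ACC, SAMPLE_ADMINS, SAMPLE_PKGS):
        print(finding)
```

A package marked `high_risk` is a lead for manual review, not a verdict: legitimate accessibility tools and device-management agents can hold the same privileges.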
The cybersecurity experts recommend the following steps to avoid falling victim to Sturnus:
While this malware currently targets Europe, Indian users, too, need to be aware that similar attacks can spill over globally.