New Android Trojan ‘Sturnus’ Lets Hackers Read Encrypted Messages From Signal, Telegram and WhatsApp
A newly discovered Android banking trojan has alarmed cybersecurity researchers after analysis confirmed it can capture the content of encrypted messages as they are displayed on a smartphone screen, sidestepping rather than breaking the end-to-end encryption used by secure messaging apps such as Signal, Telegram and WhatsApp. The malware, known as Sturnus, still appears to be in a development or limited-testing phase, but analysts warn it already represents one of the most dangerous mobile threats in circulation.
According to detailed findings from ThreatFabric, Sturnus goes far beyond traditional credential-stealing malware. It provides attackers with the ability to take full control of an infected device, harvest banking information and, critically, read messages after they have been decrypted by legitimate apps and appear on the screen.
Encryption itself has not been broken. Instead, Sturnus abuses Android’s Accessibility Services, an API built for assistive tools such as screen readers that lets an app read the text of whatever is shown in other apps’ windows once the user has enabled it in the device settings. The trojan uses that access to log everything displayed on a compromised device in real time, giving attackers visibility into contacts, entire message threads and sensitive content that victims believe to be private. Researchers note that once a device is compromised in this way, end-to-end encryption can no longer protect any information shown on the screen: it secures messages in transit, not on a rendered display the attacker can already read.
Security experts emphasise that the distribution methods used by Sturnus are familiar. Attackers disguise malicious apps as legitimate downloads, including fake Chrome updates, and lure victims into installing them from untrusted sources. After installation, the trojan talks to its command-and-control server over a mix of plaintext, RSA-encrypted and AES-encrypted channels, which complicates traffic inspection, helps it evade security tools and lets it blend into normal network traffic.
This advanced evasion makes Sturnus difficult for analysts to reverse engineer and harder for automated detection systems to flag. The malware reportedly interacts with Matrix Push C2, a platform increasingly used to deliver phishing notifications and malicious payloads across the web.
Security engineers warn that Sturnus poses risks not only to consumers but also to organisations that rely on encrypted messaging apps to protect confidential communications. Industries ranging from finance to government and healthcare may be exposed if employees unknowingly install malicious software on their work devices.
The Cybersecurity and Infrastructure Security Agency, America’s cyber defence authority, issued a new advisory on Tuesday confirming that messaging apps are being actively targeted by spyware operators. CISA highlighted tactics already common in phishing campaigns, including fake security alerts, malicious QR codes that abuse the linked-devices feature to pair a victim’s account with an attacker-controlled device, impersonation of messaging platforms and zero-click exploits requiring no user interaction at all.
While high-profile targets such as journalists, politicians and activists face the greatest risk from espionage-grade spyware, CISA notes that everyday users should also remain cautious. The agency advises avoiding unverified app stores, keeping Google Play Protect enabled, preventing unnecessary device linking, and refusing accessibility permissions unless absolutely certain they are safe.
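The last item on that list, accessibility access, is the one a Sturnus-style trojan cannot work without, and it is also the easiest to audit from outside the device. The POSIX shell script below is an added example written for this article; it is not code from the article, from ThreatFabric or from CISA. It reads the `enabled_accessibility_services` secure setting (the same list the Settings app shows under Accessibility) through `adb` and reports any service that is not on an allowlist. The allowlist entry `com.example.assist/...`, the sample setting value and the `com.evil.update` service name are constructed for the example; replace the allowlist with the component names of the assistive services your devices actually use, and run it with `--device` against a phone that is authorised for USB debugging.

```shell
#!/bin/sh
# Added example, not from the original article or from any vendor.
# Audit which accessibility services are enabled on an Android device.
# A trojan that reads screen content through Accessibility Services must
# appear in this list, so an unexpected entry is a strong signal.
#
# Assumptions (not from the page):
#   - adb is installed and the device is authorised for USB debugging
#   - ALLOWLIST is a placeholder; use your fleet's real assistive services
set -e

ALLOWLIST="com.example.assist/com.example.assist.AssistService"

# Android stores components as "pkg/pkg.Cls" or the short form "pkg/.Cls".
# Expand the short form so both spellings compare equal.
normalize_component() {
    pkg=${1%%/*}
    cls=${1#*/}
    case $cls in
        .*) printf '%s/%s%s\n' "$pkg" "$pkg" "$cls" ;;
        *)  printf '%s/%s\n' "$pkg" "$cls" ;;
    esac
}

# $1: raw value of the enabled_accessibility_services setting
#     (colon-separated components; empty or "null" when none are enabled)
# $2: colon-separated allowlist of expected components
# Prints each unexpected service; returns 0 if all are expected, 1 otherwise.
find_unexpected_services() {
    raw=$1
    allow=$2
    status=0
    if [ -z "$raw" ] || [ "$raw" = "null" ]; then
        return 0
    fi
    for svc in $(printf '%s' "$raw" | tr ':' ' '); do
        norm=$(normalize_component "$svc")
        ok=0
        for a in $(printf '%s' "$allow" | tr ':' ' '); do
            [ "$(normalize_component "$a")" = "$norm" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            printf 'UNEXPECTED accessibility service: %s\n' "$norm"
            status=1
        fi
    done
    return "$status"
}

# Pull the live setting from the connected device and audit it.
# The tr strips the carriage return some adb builds append to shell output.
audit_device() {
    raw=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
    find_unexpected_services "$raw" "$ALLOWLIST"
}

# Constructed sample value, as the setting would look with the expected
# assistive service plus a second, unknown service enabled.
SAMPLE="com.example.assist/.AssistService:com.evil.update/com.evil.update.ScreenReader"

if [ "${1:-}" = "--device" ]; then
    audit_device
else
    find_unexpected_services "$SAMPLE" "$ALLOWLIST" || true
fi
```

The script only reads a setting and never changes device state, so it is safe to run during triage; if it flags a service, the matching package (`pkg` in `pkg/pkg.Cls`) is the app to pull with `adb shell pm path` and analyse. A clean result is not proof of a clean device, since malware can also capture screens through other routes, but any accessibility service you did not install yourself warrants an immediate investigation.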
Researchers stress that a compromised endpoint nullifies the benefit of end-to-end encryption. Once Sturnus has accessibility access, every message rendered on the screen becomes readable, regardless of which application protects it in transit. Security analysts expect continued development of the malware and warn users to stay vigilant as attackers refine their tools.
