If Malware Sees Your Screen, Is Anything Really Encrypted?

Screen-Spying Trojan Exposes Private Chats On Signal, Telegram And WhatsApp

The420 Correspondent

When researchers at ThreatFabric began tracking a fledgling strain of Android malware this fall, they expected to find another entry in the long line of banking trojans that skim credentials and lure victims into fraudulent logins. Instead, they found something more ambitious.

The malware, called Sturnus, is still in what analysts describe as “development or limited testing.” Yet even in this early form, it grants remote operators unusually expansive access — from device-level control to the ability to harvest sensitive financial information. What sets Sturnus apart, researchers say, is a capability that quietly undermines one of the strongest protections in consumer technology: the encryption inside apps like Signal, WhatsApp and Telegram.


The attackers have not cracked these systems; no encryption has been broken. Rather, Sturnus waits. It monitors. And as soon as users decrypt their messages to read them on screen, the malware copies them in real time.

“That’s the problem with any compromised device,” one security analyst noted. “Your cryptography can be perfect, but once the message hits the screen, it’s just text.”

For years, secure messenger developers reassured users that screenshots could be restricted, messages set to disappear, and forwarding disabled. But those protections only held as long as the device itself remained trusted. With Sturnus, that assumption collapses.

ThreatFabric’s report notes that the malware does not intercept network traffic, where encryption would stop it. Instead, it relies on Android’s Accessibility Services — the same system designed to help users with disabilities — to read everything that appears on screen. Contacts, message histories, and the content of conversations are logged in real time, bypassing the protections of end-to-end encrypted apps without technically violating any cryptographic boundary.
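Because the article describes the screen-reading capability as an abuse of Android's Accessibility Services, the practical check for a defender or fleet administrator is to see which accessibility services a device has enabled and whether any of them belong to a package that is not expected. The following script is an added example, not code from the article or from ThreatFabric. It assumes the value returned by `adb shell settings get secure enabled_accessibility_services`, which Android stores as a colon-separated list of `package/class` component names (or `null` when none is enabled); the allowlist entries other than TalkBack and the sample "sideloaded" package are constructed for illustration.

```python
"""Flag enabled Android accessibility services whose package is not allowlisted.

Added example (not from the article or ThreatFabric). Input is assumed to be the
raw value of the secure setting `enabled_accessibility_services`, as printed by
`adb shell settings get secure enabled_accessibility_services`.
"""
from typing import List, Tuple

# Packages whose accessibility services are expected on a managed fleet.
# TalkBack is Android's real screen reader; the second entry is a constructed
# placeholder for an organisation's own management agent.
ALLOWED_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.example.corp.mdm",  # hypothetical, replace with your own list
}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Parse the setting value into (package, class) pairs.

    Android serialises each service as "package/class", separated by ":".
    A class that starts with "." is shorthand for "<package>.<class>", which
    is expanded here so that comparisons are unambiguous.
    """
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    services: List[Tuple[str, str]] = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # skip malformed fragments rather than fail the whole check
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append((pkg, cls))
    return services


def find_unexpected_services(raw: str, allowed=ALLOWED_PACKAGES) -> List[str]:
    """Return full component names of enabled services outside the allowlist."""
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_enabled_services(raw)
        if pkg not in allowed
    ]


# Constructed sample value: TalkBack plus a service from an unknown sideloaded app.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.sideloaded/.ScreenReaderService"
)

if __name__ == "__main__":
    for component in find_unexpected_services(SAMPLE_SETTING):
        print("unexpected accessibility service enabled:", component)
```

On a real device the value would be fed in from `adb` or a device-management agent rather than the constructed sample; any service that is not on the allowlist is worth investigating, since an accessibility service with screen-reading rights sees decrypted message text exactly as the article describes.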

“It is the classic side-door attack,” said Aditya Sood, a vice president at network security firm Aryaka. “If you can see the user’s screen, you can see their secrets.”

Sood warns that Sturnus’ communication architecture makes detection harder. The malware uses a mix of plaintext, RSA and AES-encrypted channels to interact with its command-and-control server, a design intended to blend into the noise of ordinary traffic. That complexity, he said, “makes it much harder to inspect Sturnus’ network traffic or recover the contents that it steals.”

Beyond Consumers: A Growing Risk for Organizations

While most malware strains that target mobile messaging apps primarily threaten individuals, Sturnus may have organizational implications.

Across industries — from finance to defense — encrypted messengers have become informal backchannels for exchanging confidential or sensitive information. Private sector executives increasingly use them to discuss deals, internal strategy or compliance matters. Journalists, activists and attorneys rely on them for secure communication.

Sood believes that Sturnus’ ability to capture messages from these platforms “could spell serious problems for organizations,” particularly those that depend on secure apps as safeguards for internal operations. Even a single compromised device, he noted, can expose entire threads of sensitive communication.

Security researchers point out that Sturnus appears to spread partly through fake update prompts — including fraudulent “Google Chrome updates” — urging users to download malicious versions of legitimate software. The tactic mirrors the broader trend in mobile spyware: highly deceptive, but functionally simple, social engineering.

“This is less about technical brilliance,” one researcher said, “and more about exploiting the everyday trust we place in our own screens.”

CISA Sounds the Alarm as Spyware Targets Messaging Apps

The U.S. Cybersecurity and Infrastructure Security Agency — CISA, which now brands itself “America’s Cyber Defense Agency” — issued its own advisory this week, warning that cyber actors are increasingly deploying commercial spyware tools to compromise users of popular messaging apps.

While the agency did not reference Sturnus directly, its warning echoes the risks raised by the latest Trojan. The tactics described are familiar but still effective:

  • Phishing attacks and malicious QR codes designed to bind victim accounts to attacker-controlled devices.
  • Zero-click exploits, which require no user interaction.
  • Impersonation schemes mimicking Signal, WhatsApp and other trusted platforms.

CISA’s message is blunt: the majority of ordinary users will never be targeted by state-linked or high-end commercial spyware operators, but the best-practice precautions are universal. Verify unexpected alerts. Avoid scanning untrusted QR codes. Limit device linking. Question any prompt that unexpectedly requests authentication.

The advisory frames a simple truth — one mirrored in the Sturnus findings: once a device is compromised, encryption offers no refuge.

“From the moment the device is compromised,” ThreatFabric researchers wrote, “every sensitive exchange becomes visible to the operator, with no cryptographic protection left to rely on.”
