Sturnus Android banking trojan message-stealing activity

Malware Activity
Happening score
H score 36
1 unique source, 1 article

Summary

The Sturnus Android banking trojan is being deployed with message-stealing, credential-theft, and remote-control capabilities, putting banking accounts and encrypted chats at risk. It can read message content on screen after it has been decrypted, which lets it bypass end-to-end encryption in Signal, WhatsApp, and Telegram. The malware has been seen in low-volume attacks against users in Southern and Central Europe and is still under development. Its abuse of Accessibility services, HTML overlays, and VNC remote control make it a credible foundation for broader fraud operations.

Related Happenings

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...

TrickMo Android banking trojan variant with TON C2 and network pivots

Malware Activity
First: 12.05.2026 15:50 Last: 12.05.2026 15:50 Sources 1

About this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...

Mirax Android banking trojan with residential proxy nodes

Malware Activity
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...

Perseus Android malware family actively distributed in the wild

Malware Activity
First: 19.03.2026 14:43 Last: 19.03.2026 14:43 Sources 1

About this happening: The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...

Perseus Android note-stealing and remote-control malware activity

Malware Activity
First: 19.03.2026 12:13 Last: 19.03.2026 12:13 Sources 1

About this happening: The **Perseus** Android malware is now being used to inspect user notes for secrets, creating theft risk for **passwords**, **recovery phrases**, and **financial data**. It is als...

Timeline

  1. 20.11.2025 12:00 2 articles · 6mo ago

    ThreatFabric details the Sturnus Android trojan

    Initial Disclosure

    ThreatFabric describes Sturnus as a new Android banking trojan that is fully functional but still under development. It can steal messages from Signal, WhatsApp, and Telegram after decryption, harvest banking credentials with HTML overlays, and use Accessibility services, Device Administrator privileges, and VNC for real-time remote control. The malware is reported to target accounts at multiple financial organizations in Europe with region-specific overlay templates, to disguise itself as Google Chrome or Preemix Box, and to operate in low-volume tests in Southern and Central Europe. It also displays fake Android System Update overlays to conceal its activity.
