Sturnus Android banking trojan message-stealing activity
Malware Activity
Summary
Hide ▲
Show ▼
The Sturnus Android banking trojan is being deployed with message stealing, credential theft, and remote control capabilities, putting banking accounts and encrypted chats at risk. It can read screen content after decryption, which lets it bypass Signal, WhatsApp, and Telegram end-to-end encryption. The malware has been seen in low-volume attacks against users in Southern and Central Europe and is still under development. Its Accessibility abuse, HTML overlays, and VNC remote control make it a credible foundation for broader fraud operations.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
Rokarolla Android banking trojan activity
Malware Activity
H score26
First: 16.06.2026 16:15
Last: 16.06.2026 16:15
Sources 1
About this happening:
The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Rokarolla Android banking trojan activity
Malware ActivityAbout this happening: The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
TA4922 expanded European phishing-and-malware campaign
Campaign
H score40
First: 04.06.2026 00:45
Last: 04.06.2026 00:45
Sources 1
About this happening:
**TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
TA4922 expanded European phishing-and-malware campaign
CampaignAbout this happening: **TA4922** is a **China-linked** cybercrime campaign that has expanded from **East Asia** into **Europe and Africa**, including **the U.K., Germany, Italy, and South Africa**. The...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Timeline
-
20.11.2025 12:00 2 articles · 7mo ago
ThreatFabric details the Sturnus Android trojan
Initial DisclosureThreatFabric describes Sturnus as a new Android banking trojan that is fully functional but still under development, able to steal messages from Signal, WhatsApp, and Telegram after decryption, harvest banking credentials with HTML overlays, and use Accessibility services, Device Administrator privileges, and VNC for real-time remote control. The malware is reported to target accounts at multiple financial organizations in Europe, use region-specific overlay templates, disguise itself as Google Chrome or Preemix Box, and operate in low-volume tests in Southern and Central Europe while also displaying fake Android System Update overlays to conceal activity.
Show sources
- Multi-threat Android malware Sturnus steals Signal, WhatsApp messages — www.bleepingcomputer.com — 20.11.2025 12:00
- Multi-threat Android malware Sturnus steals Signal, WhatsApp messages — www.bleepingcomputer.com — 20.11.2025 12:00