Sturnus Android banking trojan with credential theft and device takeover

Malware Activity
Happening score: 10
1 unique source, 1 article

Summary

A new Android banking trojan called Sturnus has been disclosed with credential theft and full device takeover capabilities, raising fraud risk for mobile banking users. It can bypass encrypted messaging by capturing decrypted screen content from WhatsApp, Telegram, and Signal. The malware uses fake banking overlays, accessibility abuse, and remote-control channels to harvest credentials and manipulate infected devices. It is privately operated, currently in an evaluation stage, and is being used against financial institutions across Southern and Central Europe.

Related Happenings

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: The **Grandoreiro** and **BTMOB** trojans are being used in active campaigns against **Windows** and **Android** targets across **Europe** and **Latin America**, increasing the ri...

TrickMo Android banking trojan variant with TON C2 and network pivots

Malware Activity
First: 12.05.2026 15:50 Last: 12.05.2026 15:50 Sources 1

About this happening: A new **TrickMo** Android banking trojan variant now uses **The Open Network (TON)** for C2, turning infected phones into **network pivots** and **traffic-exit nodes**. It was obs...

FakeWallet Apple App Store wallet-stealing apps

Malware Activity
First: 21.04.2026 00:52 Last: 21.04.2026 00:52 Sources 1

About this happening: The **FakeWallet** app set turned the **Apple App Store** into a delivery channel for **26 malicious wallet lookalikes**, putting crypto holders at risk of account takeover and th...

Mirax Android banking trojan with residential proxy nodes

Malware Activity
First: 13.04.2026 17:30 Last: 13.04.2026 17:30 Sources 1

About this happening: Mirax is spreading across **Europe** with **remote access** and **residential proxy** features, increasing the risk of device compromise, data theft, and traffic abuse. The Androi...

Perseus Android malware family actively distributed in the wild

Malware Activity
First: 19.03.2026 14:43 Last: 19.03.2026 14:43 Sources 1

About this happening: The **Perseus** **Android malware** family is being actively distributed in the wild, putting infected devices at risk of **device takeover** and **financial fraud**. It spreads t...

Timeline

  1. 20.11.2025 13:04 2 articles · 6mo ago

    Sturnus Android banking trojan identified

    Initial Disclosure

    Sturnus is a new Android banking trojan that performs credential theft and full device takeover. It can capture decrypted screen content from WhatsApp, Telegram, and Signal, and it uses fake banking overlays and Android accessibility abuse to harvest credentials and manipulate the device. It is aimed at financial institutions across Southern and Central Europe.