Sturnus Android banking trojan with credential theft and device takeover
Malware Activity
Summary
Hide ▲
Show ▼
A new Android banking trojan called Sturnus has been disclosed with credential theft and full device takeover capabilities, raising fraud risk for mobile banking users. It can bypass encrypted messaging by capturing decrypted screen content from WhatsApp, Telegram, and Signal. The malware uses fake banking overlays, accessibility abuse, and remote-control channels to harvest credentials and manipulate infected devices. It is privately operated, currently in an evaluation stage, and is being used against financial institutions across Southern and Central Europe.
Related Happenings
RedWing Android spyware rented through Telegram
Malware Activity
H score21
First: 08.07.2026 18:30
Last: 08.07.2026 18:30
Sources 1
About this happening:
The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
RedWing Android spyware rented through Telegram
Malware ActivityAbout this happening: The **RedWing** Android spyware operation is being rented through **Telegram**, lowering the barrier for criminals to hijack phones and steal **banking credentials**. The malware...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware Activity
H score30
First: 24.06.2026 17:00
Last: 24.06.2026 17:00
Sources 1
About this happening:
Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
MacOS.Gaslight Rust infostealer-backdoor with Telegram Bot API channel
Malware ActivityAbout this happening: Researchers identified **macOS.Gaslight**, a **North Korea-linked** **Rust** infostealer-backdoor that can steal **Chrome, Brave, Firefox and Safari** data, terminal histories, in...
Rokarolla Android banking trojan activity
Malware Activity
H score26
First: 16.06.2026 16:15
Last: 16.06.2026 16:15
Sources 1
About this happening:
The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Rokarolla Android banking trojan activity
Malware ActivityAbout this happening: The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/Service
H score20
First: 03.06.2026 12:02
Last: 03.06.2026 12:02
Sources 1
About this happening:
**Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Google rolls out Android fake call detection against AI impersonation scam calls
Security Tool/ServiceAbout this happening: **Google** is rolling out **fake call detection** on **Android 12 and later** devices this month, giving users a built-in warning when a caller may be using **AI voice-cloning** o...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware Activity
H score25
First: 27.05.2026 19:10
Last: 27.05.2026 19:10
Sources 1
About this happening:
**BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Grandoreiro and BTMOB banking trojan activity targeting Windows and Android
Malware ActivityAbout this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...
Timeline
-
20.11.2025 13:04 2 articles · 7mo ago
Sturnus Android banking trojan identified
Initial DisclosureSturnus is a new Android banking trojan that performs credential theft and full device takeover, can capture decrypted screen content from WhatsApp, Telegram, and Signal, uses fake banking overlays and Android accessibility abuse to harvest credentials and manipulate the device, and is aimed at financial institutions across Southern and Central Europe.
Show sources
- New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices — thehackernews.com — 20.11.2025 13:04
- New Sturnus Android Trojan Quietly Captures Encrypted Chats and Hijacks Devices — thehackernews.com — 20.11.2025 13:04