Overview
- ThreatFabric and other analysts say Sturnus reads text that the messaging app has already decrypted and rendered on screen, capturing WhatsApp, Signal, and Telegram conversations without breaking end‑to‑end encryption itself.
- Sturnus steals credentials with region‑specific HTML/WebView overlays placed over banking apps, and can conceal its activity behind a black screen or a fake Android system‑update display.
- The malware supports real‑time VNC‑style remote control that lets operators click, type, scroll, approve prompts, and execute transfers in targeted banking apps.
- Persistence and control rely on Accessibility logging and Device Administrator rights, while communications use mixed plaintext/RSA/AES over HTTPS plus an AES‑encrypted WebSocket for live sessions.
- Researchers assess current deployment as a limited test phase; the delivery method is not confirmed, though samples masquerade as Google Chrome or Preemix Box, and users are urged to avoid sideloaded APKs and unnecessary Accessibility grants.
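Added example (not from the report or its authors): a small audit that applies the last bullet's advice, flagging enabled Accessibility services outside an allowlist and installed apps whose label claims to be Google Chrome under a non‑Google package name. The sample setting string, app list and allowlists are constructed; the genuine Chrome and TalkBack package names are assumptions.

```python
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated `package/service` entries. Package names other than TalkBack
# and Chrome are invented for this example.
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.updater.preemix/.AccessService"
)

# Constructed (label, package) pairs as a launcher or package listing would show them.
SAMPLE_INSTALLED_APPS = [
    ("Chrome", "com.android.chrome"),
    ("Google Chrome", "com.cloud.browser.update"),   # invented package name
    ("Preemix Box", "com.updater.preemix"),          # invented package name
    ("TalkBack", "com.google.android.marvin.talkback"),
]

# Assumption: trim or extend these allowlists for your own fleet.
ACCESSIBILITY_ALLOWLIST = {"com.google.android.marvin.talkback"}
GENUINE_CHROME_PACKAGES = {"com.android.chrome"}


def parse_accessibility_services(setting: str) -> list[str]:
    """Return the package names holding an enabled Accessibility service."""
    value = setting.strip()
    if not value or value == "null":   # `settings get` prints "null" when unset
        return []
    return [entry.split("/", 1)[0] for entry in value.split(":") if entry]


def unexpected_accessibility_grants(setting: str, allowlist=ACCESSIBILITY_ALLOWLIST) -> list[str]:
    """Packages with an Accessibility grant that are not on the allowlist."""
    return sorted(p for p in parse_accessibility_services(setting) if p not in allowlist)


def chrome_impersonators(apps) -> list[str]:
    """Packages whose display label claims to be Chrome but are not the genuine package."""
    return sorted(pkg for label, pkg in apps
                  if "chrome" in label.lower() and pkg not in GENUINE_CHROME_PACKAGES)


def audit(setting: str, apps) -> dict[str, list[str]]:
    """Combine both checks into one report a triage script can act on."""
    return {
        "unexpected_accessibility": unexpected_accessibility_grants(setting),
        "chrome_impersonators": chrome_impersonators(apps),
    }


if __name__ == "__main__":
    for finding, packages in audit(SAMPLE_A11Y_SETTING, SAMPLE_INSTALLED_APPS).items():
        print(f"{finding}: {packages or 'none'}")
```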