Overview
- Sturnus bypasses end‑to‑end encryption by logging on‑screen content via Accessibility services, letting attackers read Signal, WhatsApp, and Telegram chats after decryption.
- The trojan supports real‑time remote control through VNC over an AES‑encrypted WebSocket, using black‑screen and fake update overlays to hide fraudulent actions.
- It abuses Device Administrator privileges to resist removal, monitors attempts to revoke rights, and can steer users away from settings that would disable it.
- ThreatFabric observed region‑specific banking overlays tailored to European institutions, with activity assessed as limited, targeted testing rather than broad campaigns.
- The initial infection vector is undetermined; samples have masqueraded as Chrome or “Preemix Box,” and users are advised to avoid sideloading, keep Play Protect on, and restrict Accessibility grants.
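The last point above recommends restricting Accessibility grants; the script below is an added example (not from ThreatFabric or the article) of how an administrator can audit those grants over adb. It assumes adb is on PATH with an authorized device, and the allowlist and sample setting string are constructed placeholders.

```shell
#!/bin/sh
# Audit enabled Android Accessibility services against an allowlist.
# Sturnus-style trojans depend on an Accessibility grant, so any service
# outside the allowlist deserves review.

# Allowlist of trusted services (constructed placeholder; replace with your own).
ALLOWED_A11Y="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of what `settings get secure enabled_accessibility_services`
# returns: ComponentNames separated by ':' (the value is "null" when none are enabled).
SAMPLE_ENABLED="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sideloaded/com.example.sideloaded.OverlayService"

# flag_unknown_services "<colon-separated components>" "<allowlist>"
# Prints one line per enabled service that is not on the allowlist.
flag_unknown_services() {
  enabled="$1"; allow="$2"
  # Nothing enabled: no output.
  [ -z "$enabled" ] || [ "$enabled" = "null" ] && return 0
  printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    case ":$allow:" in
      *":$svc:"*) ;;             # allowlisted, ignore
      *) printf '%s\n' "$svc" ;; # unknown grant, review it
    esac
  done
}

# Pull the live setting from a connected device and report unknown grants,
# then dump the Device Administrator section, since the trojan also relies
# on that privilege (section layout varies by Android version).
audit_device() {
  live=$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')
  flag_unknown_services "$live" "$ALLOWED_A11Y"
  adb shell dumpsys device_policy | tr -d '\r' | grep -A 3 'Enabled Device Admins'
}

# Offline demonstration on the constructed sample; call audit_device for a real device.
flag_unknown_services "$SAMPLE_ENABLED" "$ALLOWED_A11Y"
```

Running the script as-is prints only the sideloaded sample service; TalkBack is suppressed by the allowlist.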