CyberHappenings logo
Home Browse About

Track cybersecurity events as they unfold. Sourced timelines. Filter, sort, and browse. Fast, privacy‑respecting. No invasive ads, no tracking.

Sturnus Android Malware Targets Encrypted Messaging Apps and Banking Credentials

First reported
Last updated
2 unique sources, 2 articles

Summary

Hide ▲

Sturnus, a new Android banking trojan, steals messages from encrypted apps like Signal, WhatsApp, and Telegram by capturing screen content post-decryption. It performs full device takeover via VNC and overlays to steal banking credentials. The malware is under development but fully functional, targeting European financial institutions with region-specific overlays. It uses a mix of encryption methods for C2 communication and abuses Accessibility services for extensive control. The malware is disguised as legitimate apps like Google Chrome or Preemix Box, but distribution methods remain unknown. It establishes encrypted channels for commands and data exfiltration, and gains Device Administrator privileges to prevent removal. ThreatFabric reports low-volume attacks in Southern and Central Europe, suggesting testing for larger campaigns. New details reveal Sturnus uses WebSocket and HTTP channels for communication, displays full-screen overlays mimicking OS updates, and collects extensive device data for continuous feedback.

Timeline

  1. 20.11.2025 12:00 2 articles · 1d ago

    Sturnus Android Malware Captures Encrypted Messages and Steals Banking Credentials

    Sturnus, a new Android banking trojan, steals messages from encrypted apps by capturing screen content post-decryption and performs full device takeover via VNC and overlays. It targets European financial institutions and uses a mix of encryption methods for C2 communication. The malware is currently in low-volume attacks, likely for testing, but its advanced features and scalable architecture pose a significant threat. Additional details include the use of WebSocket and HTTP channels for communication, full-screen overlays mimicking OS updates, and extensive monitoring capabilities.

    Show sources
    Open in new tab

Information Snippets

Similar Happenings

ClayRat Spyware Campaign Targets Android Users in Russia

A rapidly evolving Android spyware campaign known as ClayRat continues to target Russian users through Telegram channels and phishing websites. The spyware disguises itself as trusted apps such as WhatsApp, TikTok, Google Photos, and YouTube to trick users into downloading malicious software. Over the past three months, researchers identified more than 600 distinct ClayRat samples and 50 droppers, each version introducing new obfuscation layers to evade security tools. Once installed, the spyware can exfiltrate call logs, SMS messages, and notifications, take photos using the front camera, and send messages or place calls directly from the victim’s phone. The spyware’s operators employ a multifaceted strategy combining impersonation, deception, and automation. Distribution occurs mainly through phishing sites, Telegram channels, step-by-step installation guides, and session-based installers posing as Play Store updates. ClayRat’s most concerning feature is its abuse of Android's default SMS handler role, allowing it to read, store, and send text messages without alerting users. This access is exploited to spread itself further, sending messages to every saved contact. A new Android remote access trojan (RAT) called Fantasy Hub has been disclosed, sold as a Malware-as-a-Service (MaaS) product on Russian-speaking Telegram channels. Fantasy Hub enables device control and espionage, allowing threat actors to collect SMS messages, contacts, call logs, images, and videos. The malware abuses the default SMS privileges to obtain access to SMS messages, contacts, camera, and files, and uses fake overlays to obtain banking credentials associated with Russian financial institutions. Fantasy Hub is available for $200 per week, $500 per month, or $4,500 per year, and its C2 panel provides details about compromised devices and subscription status. Zimperium's systems detected ClayRat variants as soon as they appeared, before public disclosures. The company shared its findings with Google, helping ensure protection through Google Play Protect. Security experts recommend a layered mobile security posture to reduce installation paths, detect compromise, and limit the blast radius. Users should only install applications from authorized Play/App stores.

Open in new tab

Klopatra Android Trojan Conducts Nighttime Bank Transfers

A new Android Trojan named Klopatra has been identified, capable of performing unauthorized bank transfers while the device is inactive. The malware targets users in Italy and Spain, with over 3,000 devices infected. Klopatra disguises itself as the Mobdro streaming app and IPTV applications, leveraging their popularity to bypass security measures. It employs advanced techniques to evade detection and analysis, including anti-sandboxing methods, a commercial packer, and Hidden Virtual Network Computing (VNC) for remote control. The Trojan operates during nighttime hours, draining victims' bank accounts without alerting them. Klopatra uses Accessibility Services to gain extensive control over the device, allowing attackers to simulate user interactions remotely. It captures screenshots, records screen activity, and overlays fake login screens to steal credentials. The malware checks for device inactivity and charging status before executing its operations, ensuring the victim remains unaware until the next day. The malware is operated by a Turkish-speaking criminal group as a private botnet, with 40 distinct builds discovered since March 2025. The malware integrates Virbox, a commercial-grade code protector, to obstruct reverse-engineering and analysis. It uses native libraries to reduce its Java/Kotlin footprint and employs NP Manager string encryption in recent builds. Klopatra features several anti-debugging mechanisms, runtime integrity checks, and emulator detection capabilities. The malware supports all required remote actions for performing manual bank transactions, including simulating taps, swiping, and long-pressing. Klopatra uses Cloudflare to hide its digital tracks, but a misconfiguration exposed origin IP addresses, linking the C2 servers to the same provider. The malware has been linked to two campaigns, each counting 3,000 unique infections.

Open in new tab

Datzbro Android Trojan Targeting Elderly via AI-Generated Facebook Events

A new Android banking trojan named Datzbro is targeting elderly users through AI-generated Facebook events. The malware, discovered in August 2025, conducts device takeover (DTO) attacks and performs fraudulent transactions. It exploits social engineering tactics to trick victims into downloading malicious APK files from fraudulent links. The threat actors behind Datzbro focus on users in Australia, Singapore, Malaysia, Canada, South Africa, and the U.K. The malware leverages Android's accessibility services to perform remote actions, record audio, capture photos, and steal credentials. It also includes features to hide malicious activities and steal device lock screen PINs and passwords associated with Alipay and WeChat. Datzbro is believed to be the work of a Chinese-speaking threat group, with its command-and-control (C2) backend being a Chinese-language desktop application. The malware has been distributed freely among cybercriminals after a compiled version of the C2 app was leaked.

Open in new tab

RatOn Android Malware with NFC Relay and ATS Banking Fraud Capabilities Detected

A new Android malware named RatOn has been detected. It combines NFC relay attacks, automated transfer system (ATS) capabilities, and account takeover functions targeting cryptocurrency wallets and banking apps. RatOn was first observed in July 2025 and has been actively developed since. The malware targets Czech and Slovakian-speaking users and leverages fake Play Store listings to distribute malicious dropper apps. RatOn requests extensive permissions to bypass security measures and deploy additional malware, including NFSkate, which performs NFC relay attacks. The malware can also execute ransomware-like attacks, locking devices and demanding cryptocurrency payments. RatOn's capabilities include account takeover of cryptocurrency wallets and automated money transfers using the George Česko banking app. The malware's operators demonstrate a deep understanding of the targeted applications, suggesting a well-resourced and sophisticated threat actor.

Open in new tab

ERMAC V3.0 Banking Trojan Source Code Leak Exposes Full Malware Infrastructure

The Hook Android banking trojan, an offshoot of ERMAC, has evolved to include ransomware-style overlays and supports 107 remote commands. The malware targets financial applications and is distributed via phishing websites and GitHub repositories. The source code leak of ERMAC V3.0 in March 2024 exposed its full infrastructure, revealing critical weaknesses that can be used by defenders to track and disrupt active operations. ERMAC V3.0, an Android banking trojan, was first documented in September 2021 by ThreatFabric as an evolution of the Cerberus banking trojan operated by a threat actor known as 'BlackRock'. ERMAC v2.0 was spotted by ESET in May 2022, targeting 467 apps, up from 378 in the previous version. In January 2023, ThreatFabric observed BlackRock promoting a new Android malware tool named Hook, which appeared to be an evolution of ERMAC.

Open in new tab