{
	"id": "92fc40bc-f9a4-499a-a33b-c313dfcfc5f3",
	"created_at": "2026-04-06T01:29:32.920114Z",
	"updated_at": "2026-04-10T03:20:56.51208Z",
	"deleted_at": null,
	"sha1_hash": "5edf0a47ad6a68613f9ee0f25a1595d066bdd25a",
	"title": "Sturnus: Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2690160,
	"plain_text": "Sturnus: Mobile Banking Malware bypassing WhatsApp, Telegram and Signal Encryption\r\nPublished: 2024-10-01 · Archived: 2026-04-06 00:42:39 UTC\r\nMTI Security researchers have identified Sturnus, a privately operated Android banking trojan. This malware supports a broad range of fraud-related capabilities, including full device takeover. A key differentiator is its ability to bypass encrypted messaging: by capturing content directly from the device screen after decryption, Sturnus can monitor communications via WhatsApp, Telegram, and Signal.\r\nThe trojan can harvest banking credentials through convincing fake login screens that replicate legitimate banking apps. In addition, it provides attackers with extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge.\r\nAn advanced threat in its early stages\r\nWhile analysis indicates this operation is currently in a development or limited testing phase, Sturnus has already been configured with targeted attacks against financial institutions across Southern and Central Europe, suggesting preparations for a broader campaign. Although we emphasize that the malware is likely in a pre-deployment state, it is already fully functional, and in aspects such as its communication protocol and device support it is more advanced than current, more established malware families.\r\nThreatFabric mapped the capabilities of this new malware family to the MITRE ATT\u0026CK matrix, and you can find the corresponding techniques used:\r\nTarget and Victimology\r\nCurrent evidence indicates that Sturnus.A is still in an evaluation and tuning phase, with relatively few samples and short, intermittent campaigns rather than sustained large-scale activity. The victimology so far points to targets primarily located in Southern and Central Europe, where we have observed region-specific overlay templates. In parallel, the malware’s behavior shows a clear focus on compromising widely used secure messaging platforms such as WhatsApp, Telegram, and Signal, suggesting that the operators are testing its ability to capture sensitive communications across different environments. Although the spread remains limited at this stage, the combination of targeted geography and high-value application focus implies that the attackers are refining their tooling ahead of broader or more coordinated operations.\r\nThe complex call of the Songbird\r\nThe malware’s layered and slightly chaotic mix of plaintext, RSA, and AES communications—switching unpredictably between simple and complex messages—reminds us of the Sturnus vulgaris, whose rapid, irregular chatter jumps between whistles, clicks, and imitations. This noisy and intricate pattern inspired the malware’s name.\r\nhttps://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal\r\nPage 1 of 9\r\nThe technical flow reflects this same structure: the malware communicates with its command-and-control server through both WebSocket (WSS) and HTTP channels, sending a combination of encrypted and plaintext data, with most plaintext appearing over WebSocket. Its protocol begins with an HTTP POST request to the endpoint to register the device using a placeholder payload. The server replies with a UUID (client ID) and an RSA public key. The malware then generates a 256-bit AES key locally, encrypts it using RSA/ECB/OAEPWithSHA-1AndMGF1Padding, and sends the encrypted key back, while storing the plaintext AES key on the device in Base64 form.\r\nOnce the key exchange is complete, all further communication is protected with AES encryption using AES/CBC/PKCS5Padding and a 256-bit key. For every message, the malware generates a fresh 16-byte initialization vector (IV), prepends it to the encrypted payload, and wraps the result in a custom binary protocol whose header carries the message type, message length, and the client UUID. In parallel, the malware also establishes a WebSocket channel, which it uses to communicate directly with the bot during VNC sessions.\r\nHere is the message structure, when encrypted:\r\nCapabilities\r\nData Exfiltration\r\nThe malware relies on two tightly integrated mechanisms—HTML overlays and accessibility-based keylogging—to capture and exfiltrate user credentials and other sensitive data. Its overlay engine maintains a persistent repository of phishing templates under /data/user/0/\u003cmalware_package\u003e/files/overlays/, where each HTML file corresponds to a targeted banking application. When an overlay is triggered, the malware launches an activity containing a WebView configured with JavaScript, DOM storage, and a JavaScript bridge that intercepts and forwards any data the victim enters directly to the C2 server. Once the information is exfiltrated, the overlay for that specific target is disabled to reduce repetition and avoid suspicion.\r\nThe system also supports a full-screen “block overlay” that allows attackers to hide their malicious activities from victims by displaying a full-screen black overlay that blocks all visual feedback while the malware operates in the background.\r\nAlongside overlays, the malware implements a comprehensive keylogging pipeline through the Android Accessibility Service. It processes events such as:\r\nTYPE_VIEW_TEXT_CHANGED\r\nTYPE_VIEW_FOCUSED\r\nTYPE_VIEW_CLICKED\r\nTYPE_WINDOW_CONTENT_CHANGED\r\nto capture text as it is typed, track focus changes for context, and record UI interactions. Beyond simple keystroke logging, it continuously monitors the device’s UI tree and sends structured logs describing what is displayed on screen. This enables attackers to reconstruct full user activity even when screen capture is blocked by FLAG_SECURE or when network conditions prevent live video transmission. Together, these mechanisms give the operator a detailed, real-time picture of the victim’s actions while providing multiple redundant paths for data theft.\r\nThe malware also uses these capabilities to programmatically steal PINs and passwords so it can unlock the device at will.\r\nMessaging Apps control\r\nIn addition to banking applications, Sturnus also monitors the foreground app and automatically activates its UI-tree collection whenever the victim opens encrypted messaging services such as WhatsApp, Signal, or Telegram.\r\nBecause it relies on Accessibility Service logging rather than network interception, the malware can read everything that appears on screen—including contacts, full conversation threads, and the content of incoming and outgoing messages—in real time. This makes the capability particularly dangerous: it completely sidesteps end-to-end encryption by accessing messages after they are decrypted by the legitimate app, giving the attacker a direct view into supposedly private conversations. The user sees a secure interface, but from the moment the device is compromised, every sensitive exchange becomes visible to the operator, with no cryptographic protection left to rely on.\r\nRemote Control\r\nSturnus supports full remote sessions, letting operators interact with the victim’s device using two complementary screen-capture techniques that provide redundancy across Android versions and permission states. Its primary method relies on the system’s display-capture framework to mirror the device screen in real time, while a fallback mechanism uses Accessibility-based screenshots when standard capture is blocked. Both approaches produce continuous visual streams that can be scaled, throttled, or reconfigured remotely depending on bandwidth and operational needs. Screen data is converted into a native framebuffer and encoded for transmission, enabling responsive remote interaction. Session management is then handed to a native library, which implements the VNC RFB protocol and encodes frames for transmission to connected clients.\r\nIn parallel with pixel-based streaming, Sturnus exposes a second, highly efficient control layer based entirely on Accessibility-derived UI information. Instead of sending images, it transmits structured descriptions of every visible interface element, allowing attackers to map the entire screen, understand its layout, and issue precise actions such as clicks, text input, scrolling, app launches, or permission confirmations. This method consumes minimal bandwidth, works without triggering the screen-capture indicators that would normally appear, and remains fully operational when elements are off-screen or protected by security flags.\r\nTogether, the visual stream and the UI-tree control channel give attackers persistent, covert, and fine-grained control over an infected device. Here is a screenshot of data exfiltrated by Sturnus, and an example of how this data could look on the control panel of the criminals (example taken from another banking malware with the same feature):\r\nHere is the full list of supported actions, which often accept parameters such as coordinates or node identifiers:\r\nValue Description\r\nbuttonAction System navigation control\r\nclickNode Click specific UI element\r\ntextSender Inject text into focused field\r\ngensureScroll Execute swipe/scroll gesture\r\nlastClickedNode Click multiple nodes in sequence\r\nnodesInfo Enumerate all UI elements\r\nenableBlackScreen Hide screen from victim\r\ndisableBlackScreen Remove black screen overlay\r\nEnvironment monitoring\r\nSturnus reinforces its persistence by securing Android Device Administrator privileges and actively defending them. Once granted, these privileges allow the malware to monitor password changes, unlock attempts, and lock-screen activity, sending each event to the command-and-control server with precise timestamps. The same privileges let it lock the device remotely and, more importantly, make itself significantly harder to remove. Whenever the user navigates to settings screens that could disable its administrator status, the malware detects the attempt through Accessibility monitoring, identifies the relevant controls, and automatically navigates away from the page to interrupt the user. Until its administrator rights are manually revoked, both ordinary uninstallation and removal through tools like ADB are blocked, giving the malware strong protection against cleanup attempts.\r\nAlongside its administrator defenses, Sturnus maintains extensive situational awareness through a broad environmental monitoring subsystem designed to ensure long-term resilience on the device. Twelve internal broadcast receivers and a dedicated security-checking thread continuously track system activity, connectivity changes, power and battery states, SIM transitions, app installation events, USB behavior, and signs of forensic probing or rooting. It also monitors security-relevant settings such as developer mode, ADB debugging, SELinux state, and the device’s patch level, reporting any change immediately to the operators.\r\nBy collecting sensor information, network conditions, hardware data, and installed-app inventories, the malware builds a detailed device profile that helps attackers assess risk, adapt their tactics, and detect analysis environments or emulators. This continuous feedback loop allows Sturnus to persist on the device, avoid exposure, and remain operational even as conditions change around it.\r\nConclusions\r\nSturnus represents a sophisticated and comprehensive threat, implementing multiple attack vectors that provide attackers with near-complete control over infected devices. The combination of overlay-based credential theft, message monitoring, extensive keylogging, real-time screen streaming, remote control, device administrator abuse, and comprehensive environmental monitoring creates a dangerous threat to victims' financial security and privacy.\r\nThe malware's architecture demonstrates advanced evasion capabilities through code obfuscation, complex and robust communication encryption, and active interference with security controls. The persistent C2 connection via WebSocket enables real-time command and control, allowing attackers to adapt their tactics dynamically based on device state and victim behavior.\r\nAppendix\r\nBot Commands\r\nCommands Description\r\nAPP_HIDE Hides the specified app from the user.\r\nAPP_UNHIDE Makes a previously hidden app visible again.\r\nHIDE_ICON Removes or hides the app’s launcher icon.\r\nAPP_SUSPEND Temporarily disables an app so it cannot run.\r\nAPP_UNSUSPEND Re-enables an app that was previously suspended.\r\nAPP_UNINSTALL Uninstalls the specified app from the device.\r\nSEND_NOTIFICATION Displays a notification on the device.\r\nPING Sends a heartbeat to confirm the malware is active.\r\nLOCK_SCREEN Forces the device screen to lock.\r\nUNLOCK_SCREEN Attempts to unlock or bypass the screen lock.\r\nOPEN_URL Opens a specified URL on the device.\r\nKILL_SELF Forces the malware to remove or terminate itself.\r\nAPP_INSTALL Installs an app.\r\nREFRESH_DELAY Updates internal timing or command polling intervals.\r\nLAUNCH_APP Opens or launches a specified application.\r\nFORCE_STOP_APP Forces an app to stop running.\r\nCALL_PHONE Initiates a phone call to a given number.\r\nSEND_SMS Sends an SMS message to a specified number.\r\nDELETE_ALL_SMS Deletes all SMS messages on the device.\r\nDELETE_SMS Deletes a specific SMS message.\r\nDELETE_ALL_CALLS Deletes the entire call log.\r\nDELETE_CALL Deletes a specific call entry.\r\nADD_NEW_CONTACT Adds a new contact to the address book.\r\nDELETE_ALL_CONTACTS Removes all contacts from the device.\r\nDELETE_CONTACT Removes a specific contact.\r\nRING_BUZZ_DEVICE Makes the device ring or vibrate.\r\nREFRESH_ALL_DATA Forces complete reloading or syncing of malware data.\r\nSTART_VNC Starts a remote-control VNC session.\r\nSTOP_VNC Stops an active VNC remote-control session.\r\nENABLE_BLACK_OVERLAY Shows a black screen overlay to hide activity.\r\nDISABLE_BLACK_OVERLAY Removes the black screen overlay.\r\nENABLE_UPDATE_OVERLAY Shows an overlay indicating an update to mask actions.\r\nDISABLE_UPDATE_OVERLAY Removes the update-style overlay.\r\nSTART_HVNC Starts a hidden VNC session (invisible remote control).\r\nSTOP_HVNC Stops the hidden VNC session.\r\nRELOAD_INJECTS Reloads phishing/overlay inject templates.\r\nENABLE_INJECT Activates a specific phishing/overlay injection.\r\nPIN_SOLVER Attempts to bypass or solve the device PIN.\r\nREQUEST_PERMISSION Prompts the user for a required permission.\r\nDISABLE_INJECT Deactivates a specific phishing/overlay injection.\r\nHIDE_SMS Hides SMS messages from the inbox.\r\nUNHIDE_SMS Restores previously hidden SMS messages.\r\nPIN_SOLVER2 Alternate or updated method for bypassing device PIN.\r\nIndicators of Compromise\r\nSHA-256 | Package name | Application name | C2\r\n045a15df1121ec2a6387ba15ae72f8e658c52af852405890d989623cf7f6b0e5 | com.klivkfbky.izaybebnx | Google Chrome | amoled[.]multicolore\r\n0cf970d2ee94c44408ab6cbcaabfee468ac202346b9980f240c2feb9f6eb246d | com.uvxuthoq.noscjahae | Preemix Box | walnut[.]almondcollec\r\nSource: https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.threatfabric.com/blogs/sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal"
	],
	"report_names": [
		"sturnus-banking-trojan-bypassing-whatsapp-telegram-and-signal"
	],
	"threat_actors": [],
	"ts_created_at": 1775438972,
	"ts_updated_at": 1775791256,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5edf0a47ad6a68613f9ee0f25a1595d066bdd25a.pdf",
		"text": "https://archive.orkl.eu/5edf0a47ad6a68613f9ee0f25a1595d066bdd25a.txt",
		"img": "https://archive.orkl.eu/5edf0a47ad6a68613f9ee0f25a1595d066bdd25a.jpg"
	}
}