The appearance of Sturnus, a banking trojan for Android capable of stealing WhatsApp chats and passwords, has once again raised alarms among cybersecurity experts in Europe and the rest of the world. It is being used in active campaigns to spy on conversations, steal credentials, and remotely control infected mobile phones, jeopardizing the privacy of millions of users.
Far from being just another virus, Sturnus combines advanced espionage techniques, screen spoofing and remote control, and it focuses particularly on messaging and online banking applications. Although activity has been detected in various countries, European authorities and specialized laboratories already identify it as one of the most worrying mobile threats of recent years.
What is Sturnus and why is it causing so much concern among experts?
Analysts describe Sturnus as a sophisticated mobile Trojan with a banking focus, designed to infiltrate Android devices and operate in the background without raising suspicion. It doesn't replicate like a classic virus; it requires the user to voluntarily install a malicious app that contains it.
Once inside, the malware opens the door to the theft of WhatsApp, Telegram, and Signal conversations, passwords, and financial data. ThreatFabric and other labs consider it one of the most complete Trojans seen lately in the mobile ecosystem, due to its combination of espionage, fraud, and persistence capabilities.
The most disturbing thing is that it takes advantage of Android's Accessibility Services to read what appears on the screen once the user has opened the app. This way it doesn't need to break WhatsApp's or Signal's end-to-end encryption: it simply "observes" the already decrypted content, as if it were another layer on top of the system.
This approach involves a change in the way encrypted communications are attacked: instead of trying to intercept traffic, the attacker takes control of the device where the messages are displayed, something much more difficult for the average user to detect.

This is how Sturnus infiltrates your mobile: fake apps and “premium” versions
The researchers agree that fraudulent or modified applications, which circulate outside Google Play or are disguised among seemingly legitimate apps, are the main entry channel. They usually present themselves as:
- Free games or games with attractive rewards.
- Photo and video editors with “exclusive filters”.
- Miracle battery saving or optimization tools.
- “Gold”, “Plus” or “premium” versions of WhatsApp and other popular apps, which promise extra or hidden features.
When the user downloads the APK file from an external site or a link shared via chat, the malicious app requests permissions that seem normal but actually grant it deep control over the device. These include accessibility permissions and, in many cases, device administrator permissions.
By granting these permissions, Sturnus acquires the ability to monitor what happens on the screen, intercept keystrokes, control navigation, and make its removal extremely difficult. Many affected users don't even remember which app they installed before the problems started, which further complicates detection.
These types of campaigns usually rely on social engineering techniques: messages recommending a "secret" app to improve WhatsApp, links on social networks promising exclusive features, or pages that mimic official sites to convince the user to download the APK.
What can Sturnus do within your WhatsApp and other apps
Once active, Sturnus behaves like a truly advanced spyware program. It doesn't just read messages; it collects and sends a wide range of private information to remote servers. Among its most notable capabilities are:
- Access to chats from WhatsApp, Telegram, Signal, and other messaging apps, reading the content on the screen when the user opens the conversations.
- The possibility of copying, forwarding or recording messages, photos, videos, audios and documents without the mobile phone owner noticing.
- Use of accessibility services to record each key pressed, which makes it easier to steal passwords and login data.
- Real-time remote viewing of the device screen, allowing attackers to observe everything the victim does.
- Interface interaction: opening applications, pressing buttons, scrolling through menus, or writing messages as if they had the mobile phone in their hand.
- Activation of a black screen that hides malicious activity, so that the user believes the phone is locked or turned off while the Trojan is working.
In addition to messaging, the Trojan can access files stored on the device: photos, videos, documents, or histories from other sensitive apps. This information is sent in the background to servers controlled by cybercriminals, without generating visible alerts.
European authorities and security companies emphasize that it can operate for weeks or months without raising suspicion, especially on devices where the user does not pay attention to permissions or background processes.

Theft of passwords and bank details: the main objective
Although eavesdropping on conversations attracts a lot of attention, the real focus is on money. Researchers classify it as a banking trojan because it incorporates specific functions to steal financial credentials and take over sensitive accounts.
One of its most dangerous techniques is impersonating login screens using HTML overlays. When the victim opens a banking app, digital wallet, or payment service, the malware displays a fake interface identical to the original. The user enters their username, password, or PIN as usual… and that data goes directly to the attackers.
This mechanism allows it to steal online banking passwords, wallet credentials, authentication codes, and even card data without directly compromising the legitimate application. For the user, the experience is virtually indistinguishable from the real thing.
Furthermore, thanks to remote control and access via SMS or authentication applications, it can intercept two-step verification codes, complete fraudulent transfers, or change security settings on compromised accounts.
Taken together, these capabilities make this malware a highly effective tool for complex financial fraud, which can affect both private users and professionals who manage sensitive information from their mobile phones.
An intruder who cannot be easily erased
Another particularly worrying feature is its ability to prevent its own uninstallation. When the user notices strange behavior and tries to revoke permissions or delete the suspicious app, the Trojan intervenes in the process.
According to the analyses, the malware intercepts attempts to access the device's security or administrator settings and redirects the screen to other menus, effectively blocking any attempt to remove it. This "mirror" effect causes many victims to give up before they can remove it.
In the most serious cases, the only practical solution has been to reset the phone to factory settings, after making a clean backup and, preferably, checking what is being restored so as not to also recover the malicious app.
European experts also recommend avoiding rooting the device and always keeping a reputable antivirus installed, since a modified or unprotected terminal usually makes it easier for these types of advanced threats to take hold.
How to detect if your mobile phone might be infected with Sturnus
Although Sturnus tries to go unnoticed, its activity may leave some clues if you pay attention to the device's behavior. Among the signs that point to a possible infection are:
- Abnormal phone heating even when it is not being used intensively.
- Excessive battery consumption or mobile data without a clear explanation.
- Automatic opening of applications or screen movements that the user has not made.
- Sudden freezes, unexpected black screens, or restarts for no apparent reason.
- Strange notifications related to permissions, accessibility, or device administrator.
If you also remember recently installing an app of dubious origin, a modified version of WhatsApp, or an APK downloaded from a link, the suspicion that it could be Sturnus or a similar Trojan grows stronger.
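The two warning signs the article singles out, an app of unknown origin and notifications about accessibility or device-administrator rights, can be checked directly rather than guessed at. The script below is an added example, not code from the article or from ThreatFabric: it parses the output of three standard `adb shell` commands (`settings get secure enabled_accessibility_services`, `pm list packages -i -3`, and `dumpsys device_policy`) and flags any third-party package that was not installed from Google Play and also holds an accessibility service or device-admin role, which is exactly the combination the article describes. The sample command output embedded here is constructed, the package names `com.example.whatsappgold` and `com.example.batterysaver` are hypothetical, and the layout of the `dumpsys device_policy` section varies across Android versions (only the `ComponentInfo{pkg/cls}` tokens are relied on).

```python
"""Triage helper: flag sideloaded Android apps that hold accessibility or
device-admin power. Added example; the adb output below is constructed and
the flagged package names are hypothetical."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# (colon-separated list of package/service pairs; the literal string "null" when none)
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.whatsappgold/com.example.whatsappgold.CoreService"
)

# Constructed sample of: adb shell pm list packages -i -3  (third-party apps with installer)
PM_LIST = """package:com.whatsapp  installer=com.android.vending
package:com.example.whatsappgold  installer=null
package:com.example.batterysaver  installer=null
package:org.telegram.messenger  installer=com.android.vending
"""

# Constructed sample of the admin section of: adb shell dumpsys device_policy
# Exact layout differs by Android version; only ComponentInfo{pkg/cls} tokens are parsed.
DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    admin=ComponentInfo{com.example.batterysaver/com.example.batterysaver.AdminReceiver}
"""

# Google Play's installer package; add OEM store packages here if the phone uses them.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_accessibility_services(raw: str) -> Dict[str, Set[str]]:
    """Map package name -> set of enabled accessibility service classes."""
    services: Dict[str, Set[str]] = {}
    raw = raw.strip()
    if not raw or raw == "null":
        return services
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        services.setdefault(pkg, set()).add(cls)
    return services


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when sideloaded (installer=null)."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_device_admins(raw: str) -> Set[str]:
    """Collect package names of every ComponentInfo{pkg/cls} listed as a device admin."""
    return {m.group(1) for m in re.finditer(r"ComponentInfo\{([^/}]+)/", raw)}


@dataclass
class Finding:
    package: str
    reasons: List[str] = field(default_factory=list)


def triage(a11y_raw: str, pm_raw: str, policy_raw: str,
           trusted: Set[str] = TRUSTED_INSTALLERS) -> List[Finding]:
    """Return sideloaded packages that also hold accessibility or device-admin power."""
    a11y = parse_accessibility_services(a11y_raw)
    installers = parse_installers(pm_raw)
    admins = parse_device_admins(policy_raw)
    findings: List[Finding] = []
    for pkg, inst in sorted(installers.items()):
        if inst in trusted:
            continue  # store-installed apps are out of scope for this check
        reasons = [f"sideloaded (installer={inst})"]
        if pkg in a11y:
            reasons.append("accessibility service enabled: " + ", ".join(sorted(a11y[pkg])))
        if pkg in admins:
            reasons.append("device administrator")
        if len(reasons) > 1:  # sideloaded AND holding at least one dangerous role
            findings.append(Finding(pkg, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(ENABLED_A11Y, PM_LIST, DEVICE_POLICY):
        print(f.package)
        for r in f.reasons:
            print("   -", r)
```

On a real phone, capture the three command outputs with `adb shell` over USB debugging and pass them to `triage()` in place of the constructed samples; a hit on a package you do not recognise is a strong reason to revoke its accessibility and device-admin rights from a clean environment (safe mode) before attempting the uninstall.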
Key steps to protect your WhatsApp and your Android phone
Faced with such a stealthy threat, the best defense remains prevention and careful digital habits. Cybersecurity specialists recommend a series of basic steps that any user in Spain or Europe can apply in their daily life:
1. Do not install applications from outside official stores.
Most infections begin when APKs are downloaded from random websites, links from unknown sources, or unverified repositories. Sticking to Google Play or official manufacturer channels greatly reduces the risk.
2. Be wary of “Gold”, “Plus” or modified versions of WhatsApp
Many of these supposedly improved versions are the perfect hook to spread Trojans like Sturnus or other similar malware. If a feature is not in the official app, it is best to assume that it is not safe.
3. Always check the permissions of each app
Before accepting, it's worth asking yourself whether it makes sense for an app to request access to the microphone, camera, SMS messages, or contact list. Review permissions and limit unnecessary access; an app that demands access it plainly does not need is a clear red flag.
4. Keep Android and apps updated
Security patches fix flaws that attackers exploit repeatedly. Delaying updates leaves the door open to known vulnerabilities.
5. Strengthen security from within WhatsApp itself
Activate two-step verification, periodically review active sessions, and limit the information visible in the profile. These are simple measures that reduce the impact if someone tries to hijack the account. It is also recommended to use a 6-digit PIN for added protection.
What to do if you suspect Sturnus has infected your phone
When there are clear signs of infection, it is important to act quickly to limit the damage and stop remote access. The steps recommended by experts are relatively specific:
- Disconnect your mobile phone from the internet (data and Wi-Fi) to cut off remote control and data exfiltration.
- Restart the device in safe mode, so that only system apps run.
- From that environment, try to uninstall any suspicious applications that were recently installed.
- If the system prevents their removal or if strange behavior persists, consider a factory reset.
- Change all critical passwords (banking, email, social media, WhatsApp Web, etc.) from another device that is clean.
- Avoid restoring backups that may contain the malicious app, or carefully review what is being recovered.
In professional settings or when particularly sensitive data is compromised, it may be advisable to contact a specialized technical service or the bank's own support to review transactions and strengthen authentication mechanisms.
The reappearance of campaigns linked to Sturnus demonstrates that mobile Trojans remain one of cybercrime's favorite tools, especially when they target widely used apps like WhatsApp. While the situation may sound alarming, having an updated device, avoiding risky downloads, monitoring permissions, and taking advantage of the built-in security features in apps is currently the most effective way to keep chats, passwords, and banking information safe from these types of threats.