According to Forbes, security researchers at ThreatFabric have identified a dangerous new Android banking trojan called Sturnus that is currently in a development or limited-testing phase. The malware, which was detailed in a November 25 update that included a new warning from CISA (America’s Cyber Defense Agency), can bypass the encryption protecting messages on Signal, Telegram, and WhatsApp by reading everything that appears on the smartphone screen through Accessibility Service logging. This allows attackers to capture contacts, full conversation threads, and message content in real time, effectively making end-to-end encryption useless on compromised devices. The malware uses a mix of plaintext, RSA-encrypted, and AES-encrypted communication with its command-and-control server to evade detection systems. Distribution appears to occur through methods such as fake Google Chrome updates from untrusted sources, targeting both consumers and organizations across multiple industries.
How Sturnus bypasses encryption
Here’s the thing that really gets me about this threat – it doesn’t actually break the encryption at all. The attackers aren’t cracking Signal’s security protocols or finding some mathematical weakness in WhatsApp’s implementation. They’re doing something much simpler, and honestly, much more clever. They’re just reading your messages after you’ve already decrypted them and they’re displayed on your screen. It’s like having an unbreakable safe, but someone just watches you open it every time and writes down what’s inside.
Basically, Sturnus uses Android’s Accessibility Services, which are meant to help users with disabilities, to log everything that appears on your display. So while you’re having what you think is a completely private conversation, the malware is capturing every word and sending it to the attackers. This approach completely sidesteps the cryptographic protection that makes these messaging apps so secure. The user sees a secure interface, but from the moment the device is compromised, every sensitive exchange becomes visible to the operator.
Why this matters for everyone
Now you might be thinking, “I’m not a high-value target, why should I care?” But that’s exactly the wrong way to look at this. While nation-state actors might focus on politicians and journalists, this particular malware appears to be a banking trojan first and foremost. That means ordinary users are absolutely targets. And let’s be real – how many of us use these messaging apps for sensitive conversations? Work discussions, financial information, personal details – it all flows through these platforms.
Aditya Sood, vice president of security engineering at Aryaka, put it perfectly when he told Forbes that “the ability to steal messages from end-to-end encrypted platforms like Signal could spell serious problems for organizations.” Companies across every industry now rely on these apps for secure communication. When the device itself is compromised, no amount of encryption can save you.
What you can do right now
So what’s the practical advice here? First, keep Google Play Protect activated – it’s not perfect, but it’s your first line of defense. Second, avoid downloading apps from untrusted sources, even if they look legitimate. That fake Chrome update might be exactly what delivers Sturnus to your device.
But here’s the most important takeaway: be extremely careful about granting accessibility permissions. Unless you have a very good reason and you’re 101% sure it’s safe, don’t enable these controls for random apps. CISA also recommends being suspicious of unexpected security alerts, verifying group invitations through separate channels, and limiting device linking to only what’s absolutely necessary.
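The two weak points the article keeps coming back to are accessibility grants (the mechanism Sturnus abuses to read decrypted screen content) and sideloaded packages (the fake Chrome update that delivers it). A fleet or incident-response team can check both from the device settings Android already exposes. The script below is an added example written for this post; it is not ThreatFabric’s, CISA’s, or any vendor’s tooling. It parses the text printed by `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, flags any enabled accessibility service that is not on a reviewed allowlist, flags any package whose installer is not the Play Store, and raises to high priority the overlap of the two. The allowlist, the `com.example.fakechrome` package, and the sample command output are constructed for illustration.

```python
"""Audit an Android device's accessibility grants and sideloaded packages.

Added example for this article, not code from ThreatFabric or CISA.
Assumptions: adb is on PATH when collecting live data; the allowlist
below is an example and would be replaced with the services your
organisation has actually reviewed.
"""
import re
import subprocess
from typing import Dict, List

# Example allowlist (assumption): accessibility services that have been reviewed
# and are expected on managed devices. Entries use the same
# "<package>/<service class>" form that the Android setting stores.
ALLOWED_SERVICES = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Installer package IDs treated as trusted; com.android.vending is the Play Store.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample output, in the shape the two adb commands print.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.fakechrome/.ScreenReaderService"
)
SAMPLE_PACKAGES = """package:com.android.chrome  installer=com.android.vending
package:com.example.fakechrome  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
"""


def parse_accessibility_services(raw: str) -> List[str]:
    """Split the colon-separated enabled_accessibility_services value."""
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_package_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer from 'pm list packages -i' lines."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        match = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def flag_unknown_accessibility(services: List[str]) -> List[str]:
    """Enabled services that nobody has reviewed."""
    return [s for s in services if s not in ALLOWED_SERVICES]


def flag_sideloaded(installers: Dict[str, str]) -> List[str]:
    """Packages installed by anything other than a trusted installer (including 'null')."""
    return sorted(pkg for pkg, inst in installers.items() if inst not in TRUSTED_INSTALLERS)


def audit(accessibility_raw: str, packages_raw: str) -> Dict[str, List[str]]:
    """Combine both checks; an unreviewed accessibility grant held by a
    sideloaded package is the pattern described for Sturnus-style trojans."""
    unknown = flag_unknown_accessibility(parse_accessibility_services(accessibility_raw))
    sideloaded = flag_sideloaded(parse_package_installers(packages_raw))
    owning_packages = {entry.split("/")[0] for entry in unknown}
    high_priority = sorted(owning_packages & set(sideloaded))
    return {
        "unknown_accessibility": unknown,
        "sideloaded": sideloaded,
        "high_priority": high_priority,
    }


def audit_connected_device() -> Dict[str, List[str]]:
    """Collect the two settings from a USB-attached device via adb and audit them."""
    acc = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True,
    ).stdout
    pkgs = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-i"],
        capture_output=True, text=True, check=True,
    ).stdout
    return audit(acc, pkgs)


if __name__ == "__main__":
    # Runs offline against the constructed sample; swap in audit_connected_device()
    # to check a real handset.
    for key, value in audit(SAMPLE_ACCESSIBILITY, SAMPLE_PACKAGES).items():
        print(f"{key}: {value}")
```

On the sample data the high-priority list contains only `com.example.fakechrome`: it holds an accessibility grant that nobody reviewed and it was not installed from the Play Store, which is exactly the combination the article warns about. A legitimate screen reader such as TalkBack stays quiet because it is both allowlisted and Play-installed, so the check does not punish users who rely on accessibility features.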
The technical details from ThreatFabric’s analysis show this is sophisticated malware, but the protection advice is pretty straightforward. Check out the security guides for Signal, Telegram, and WhatsApp, and take CISA’s latest warning seriously. Your encrypted messages are only as secure as the device they’re displayed on.
