Cybersecurity researchers have identified a sophisticated new Android malware, dubbed Sturnus, engineered to operate with extreme stealth while exfiltrating sensitive data from infected devices. The trojan specializes in capturing content from end-to-end encrypted messaging applications and provides attackers with full remote control over the compromised device.
The discovery was detailed in a report published by the cybersecurity firm ZecOps Cyber Research, which analyzed the malware’s capabilities and distribution methods. Sturnus represents a significant threat to user privacy and device security due to its advanced data harvesting techniques.
Sturnus Trojan: Infection and Operation
According to the ZecOps report, Sturnus is primarily distributed through malicious applications hosted on third-party Android app stores. These apps often masquerade as legitimate utility tools, such as system performance boosters or file managers, tricking users into granting them extensive permissions upon installation.
Once installed, Sturnus leverages a well-known but effective technique: it abuses Android’s Accessibility Services. By persuading the user to enable this service, the malware gains the ability to read screen content, monitor user actions, and intercept input without requiring root access. This method allows it to bypass security measures within the Android operating system and targeted applications.
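Because the abuse described above hinges on an enabled Accessibility Service, one practical defender check is to audit which services a device has enabled. The following is an added example (not code from the article or from ZecOps): it parses the value of Android's Secure setting `enabled_accessibility_services`, which a device audit can read with `adb shell settings get secure enabled_accessibility_services`, and flags entries whose package is not on an assumed allowlist.

```python
"""Flag enabled Android Accessibility Services not on an allowlist.

The setting value is a colon-separated list of flattened ComponentName
strings ("package/service"); the service part may use Android's ".Service"
shorthand, which expands to "package.Service".
"""
from typing import Iterable

# Assumed allowlist for this example; a real deployment maintains its own.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}


def parse_enabled_services(value: str) -> list[tuple[str, str]]:
    """Split the setting into (package, service) pairs, skipping empty entries."""
    pairs = []
    for entry in value.strip().split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        if svc.startswith("."):
            # Expand the ".Service" shorthand the same way ComponentName does.
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def unexpected_services(value: str,
                        allowlist: Iterable[str] = KNOWN_GOOD_PACKAGES) -> list[str]:
    """Return flattened names of enabled services whose package is not allowlisted."""
    allowed = set(allowlist)
    return [f"{pkg}/{svc}" for pkg, svc in parse_enabled_services(value)
            if pkg not in allowed]


# Constructed sample value: TalkBack plus a hypothetical sideloaded "booster" app.
SAMPLE = ("com.google.android.marvin.talkback/"
          "com.google.android.marvin.talkback.TalkBackService:"
          "com.example.sysbooster/.BoostAccessibilityService")

if __name__ == "__main__":
    for name in unexpected_services(SAMPLE):
        print("review accessibility service:", name)
```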
Data Exfiltration and Remote Hijacking
The primary function of the Sturnus trojan is to steal communications from popular end-to-end encrypted messaging apps, including WhatsApp, Signal, and Telegram. By using the permissions granted through Accessibility Services, the malware performs screen scraping to capture messages directly from the user’s screen as they are displayed, effectively nullifying the protection offered by encryption.
In addition to chat interception, Sturnus is a fully featured Remote Access Trojan (RAT). Its capabilities include keylogging to capture passwords and other typed information, exfiltrating files from device storage, activating the device’s microphone and camera to spy on the user’s surroundings, and executing arbitrary commands sent from a remote command-and-control (C2) server. The malware is designed to run quietly in the background, minimizing its resource usage to avoid raising suspicion.
Source: https://thehackernews.com/2025/11/new-sturnus-android-trojan-quietly.html