Your Encrypted Messages Aren’t As Safe As You Think


According to Forbes, security researchers at ThreatFabric have identified a new Android banking trojan called Sturnus that’s currently in a development or limited testing phase. This malware goes beyond typical banking credential theft to bypass encrypted messaging in Signal, Telegram, and WhatsApp. The threat specifically targets Android smartphone users by reading messages after they’ve been decrypted and appear on screen. Unlike traditional interception methods, Sturnus uses Accessibility Service logging to capture everything displayed in real time. This includes contacts, full conversation threads, and both incoming and outgoing messages. The malware appears to be distributed through fake Google Chrome updates from untrusted sources.


How Sturnus bypasses encryption

Here’s the thing about end-to-end encryption: it’s fantastic at protecting your messages while they’re traveling between devices. But once those messages arrive and get decrypted for you to read, they’re just text on a screen. And that’s exactly where Sturnus strikes. The malware doesn’t break the encryption itself—it waits until after your phone has done the hard work of decrypting everything and showing it to you. Basically, it’s like having someone looking over your shoulder while you read your messages, except this “someone” is malicious software that can see everything you see.

Why this is so dangerous

This approach is particularly clever because it completely sidesteps the cryptographic protection that makes these messaging apps so secure. The researchers at ThreatFabric confirmed that “the user sees a secure interface, but from the moment the device is compromised, every sensitive exchange becomes visible to the operator.” Think about that for a second. Your Signal chats might show those little lock icons, your WhatsApp might display “end-to-end encrypted,” but if malware is watching your screen, none of that matters. It’s a stark reminder that device security and app security are two different things—and you need both.

What you can do about it

So how do you protect yourself? First, keep Google Play Protect activated—it’s not perfect, but it’s your first line of defense. Second, avoid third-party app stores and only download from official sources. But most importantly, be extremely careful about granting accessibility permissions. Sturnus and similar malware often rely on these permissions to function. Unless you’re 101% sure about why an app needs accessibility controls and that it’s completely safe, don’t enable them. The security teams at Signal, Telegram, and WhatsApp all emphasize that their encryption can’t protect you if your device is compromised. And honestly, they’re right—this isn’t a flaw in their apps, it’s a reality of modern device security.

The bigger picture

This situation reminds me of when secure messengers made a big deal about disabling screenshots for disappearing messages. Sure, you can’t take a screenshot—but you could always take a photo with another device. Sturnus is essentially doing the digital equivalent of that. The takeaway? No amount of encryption can save you from a compromised device. As these threats become more sophisticated, we all need to be more vigilant about what we install and what permissions we grant. Your phone’s security is only as strong as your weakest installed app.
