According to Android Police, security researchers have identified a sophisticated new Android malware called Sturnus that’s actively targeting users across Southern and Central Europe. This malware spreads through malicious APK files disguised as legitimate apps like Google Chrome and can bypass encryption in WhatsApp, Telegram, and Signal by reading messages directly from your screen after they’ve been decrypted. Sturnus also creates convincing fake login screens that overlay banking apps to steal credentials and mimics Android update screens while secretly taking control of devices. The malware can gain admin privileges by tracking unlock attempts and viewing passwords, making removal extremely difficult. ThreatFabric researchers suspect attackers are currently refining their techniques before launching broader attacks, though the exact transmission method remains unclear beyond speculation about rogue messaging app attachments.
Why this malware is different
Here’s what makes Sturnus particularly alarming: it doesn’t try to break encryption. Instead, it waits until your messages are already decrypted and readable on your screen, then basically takes a screenshot of your conversations. End-to-end encryption still protects messages in transit, but it can do nothing once the device displaying them is compromised, which makes all those encryption promises from messaging apps useless against this threat. And the fake banking login screens? They’re sophisticated enough that most users wouldn’t suspect anything’s wrong until it’s too late.
The Android security dilemma
This situation highlights the ongoing cat-and-mouse game in mobile security. Google’s response emphasizes that no infected apps are on the Play Store and that Google Play Protect should catch known versions. But that “known versions” part is crucial – new variants can slip through until they’re identified. The real problem? Many users still download APKs from third-party sources, especially in regions where certain apps aren’t available through official channels. So while Google’s security has improved dramatically, user behavior remains the weakest link.
What you should do
Stick to the Play Store. Seriously. Even if an app isn’t available there, the risk just isn’t worth it anymore. Enable Google Play Protect and keep it updated. Be suspicious of any app that requests unnecessary permissions, especially accessibility services or device admin rights. And those random update notifications that pop up from nowhere? Don’t tap them. Wait for system updates to come through your device’s official update mechanism. Basically, if something seems even slightly off, trust that instinct and don’t proceed.
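For anyone who manages Android devices, the advice above can be turned into a quick adb audit. The script below is an added example, not from Android Police or ThreatFabric; it reports enabled accessibility services outside a trusted list, lists device owners, and flags third-party packages not installed by Google Play. The trusted service and package names are assumptions and the sample values in the comments are constructed.

```sh
#!/bin/sh
# Audit a connected Android device for the warning signs described above.
# Assumption: TalkBack is the only accessibility service you expect; extend
# this list for your own fleet. Anything else is reported.
TRUSTED_ACCESSIBILITY="com.google.android.marvin.talkback"

# Print accessibility services whose package is not in the trusted list.
# $1 is the value of the secure setting enabled_accessibility_services:
# a colon-separated list of "package/ServiceClass", or "null" if none.
untrusted_accessibility() {
  [ "$1" = "null" ] && return 0
  printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    pkg=${svc%%/*}
    case " $TRUSTED_ACCESSIBILITY " in
      *" $pkg "*) ;;                 # trusted, stay silent
      *) printf '%s\n' "$svc" ;;     # unexpected service: report it
    esac
  done
}

# Print third-party packages whose installer is not Google Play.
# $1 is the output of `pm list packages -3 -i`, one line per package:
#   package:com.example.app  installer=com.android.vending
# A sideloaded APK shows "installer=null" (or a browser/file manager).
sideloaded_packages() {
  printf '%s\n' "$1" | while IFS= read -r line; do
    case "$line" in package:*) ;; *) continue ;; esac
    pkg=${line#package:}
    pkg=${pkg%% *}
    installer=${line##*installer=}
    case "$installer" in
      com.android.vending) ;;        # Google Play; add other trusted stores here
      *) printf '%s\n' "$pkg" ;;
    esac
  done
}

# Run the three checks against the device attached over adb.
audit_device() {
  echo "== Accessibility services not on the trusted list =="
  untrusted_accessibility "$(adb shell settings get secure enabled_accessibility_services)"
  echo "== Device / profile owners (apps with device-policy control) =="
  adb shell dpm list-owners
  echo "== Third-party packages not installed by Google Play =="
  sideloaded_packages "$(adb shell pm list packages -3 -i)"
}

# Only touch a device when explicitly asked: ./audit.sh --run
[ "${1-}" = "--run" ] && audit_device
```

Any line in the first or third section deserves a closer look, and an accessibility service or owner you do not recognise is the signal this malware family relies on.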
Broader implications
This malware represents a shift toward more sophisticated social engineering combined with technical exploitation. Attackers aren’t just trying to hack devices anymore – they’re hacking human behavior. The fake update screen is particularly clever because it plays on our expectation that updates are normal and necessary. Meanwhile, the focus on Southern and Central Europe suggests targeted testing before a potential global rollout. The scary part? These techniques could easily be adapted for other platforms or scaled up rapidly once perfected.
