If you use your phone to check your balance, pay bills or send money, there is a new name you should know: Sturnus. Security researchers from MTI Security and ThreatFabric have flagged this fresh Android banking trojan as a serious threat, because it combines classic money-stealing tricks with modern spyware powers.
It can quietly watch your screen, scoop up sensitive data from your banking apps and even spy on encrypted chats, all without you noticing anything wrong.
The disturbing part is how Sturnus goes about it. Instead of trying to crack the strong end-to-end encryption used by apps like WhatsApp, Signal or Telegram, it simply waits until your conversation appears on the screen and then records what you see. Once a message is decrypted on your device and displayed, its contents are no longer protected; they are just pixels. Sturnus abuses that simple fact, capturing screenshots or screen streams in the background so that criminals can read what you thought only you and your contact could see.
On top of that, Sturnus behaves like a traditional banking trojan, laser-focused on your money. The malware can display fake but very convincing login screens that perfectly mimic your banking app. You think you are signing in as usual; in reality you are typing your credentials directly into the hands of fraudsters. Once they have your username, password, card details or one-time codes, they can attempt to empty your account, move funds to mule accounts or go on an online shopping spree in your name.
Researchers describe Sturnus as capable of near full device takeover. The malware can monitor user activity, inject text or commands, and remotely interact with the device interface. An attacker might silently open your banking app, initiate a transfer and confirm it, while you are looking at a blacked-out screen and assume the phone has simply frozen. By the time you restart it, the damage could already be done. This combination of spying, phishing overlays and remote control makes Sturnus far more dangerous than a basic virus that only steals a password from one app.
The only piece of good news is timing. So far, evidence suggests that Sturnus is still under active development and has been deployed only in limited test campaigns, mainly targeting users in parts of Southern and Central Europe. That means the wave is small for now, but the surf is building. Indicators seen by ThreatFabric hint that the operators are refining their toolkit and preparing for broader attacks once they are satisfied with how the trojan behaves on real devices.
For Google and the wider Android security ecosystem, early detection is crucial. Once a new family of malware is identified, it can be added to malware databases, blocked by Google Play Protect, and shared with banks and antivirus vendors so they can tune their own defenses. Knowing about Sturnus now gives defenders a head start, but it does not magically protect users who continue to take risks by installing random apps or ignoring warning prompts.
Like most serious Android threats, Sturnus does not typically appear out of thin air in the official store with a big warning label. It is far more likely to creep in through sideloaded APKs, fake update prompts, cracked apps from forums, malicious ads or links in emails and messaging apps that push you to install something quickly. Once installed with powerful permissions such as accessibility access or the ability to capture the screen, the trojan can hide its presence and go to work.
This is why the first line of defense is still boring but effective hygiene. Only install apps from Google Play or from another truly trusted source. If a friend sends you a mysterious file or a site tells you that you need a new video player, keyboard or banking helper app to continue, stop and ask whether that makes any sense. Keeping the option to install apps from unknown sources turned off closes one of the main doors that trojans use to get in.
It also pays to regularly review which apps have access to sensitive system features. Check your phone settings for apps that can control accessibility services, read notifications, draw over other apps or record the screen. If you see something you do not recognise, or a random tool that has far more privileges than it should, remove it immediately. Sturnus and similar malware families rely heavily on these powerful permissions to overlay login screens, watch what you type and silently approve actions.
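For readers comfortable with adb, the permission review described above can be scripted. The following is an added example, not part of the original article or of any researcher's tooling: it parses the text printed by three standard adb commands and lists apps that hold accessibility or notification access but were not installed by Google Play. The package names, the sample output and the choice of Google Play as the only trusted installer are constructed assumptions.

```python
# Added example: audit apps holding accessibility / notification-listener access.
# Input text comes from these adb commands, run against your own device:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell settings get secure enabled_notification_listeners
#   adb shell pm list packages -i
TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: only Google Play is trusted

# Constructed sample output (hypothetical package names).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
               "com.example.videoplayer/.HelperService")
SAMPLE_LISTENERS = "com.example.videoplayer/.NotifyService:com.example.smartwatch/.Listener"
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.videoplayer  installer=null
package:com.example.smartwatch  installer=com.android.vending"""

def parse_components(setting_value):
    """Return package names from a colon-separated 'pkg/component' settings value."""
    value = setting_value.strip()
    if not value or value == "null":  # 'null' means the setting is empty
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}

def parse_installers(pm_output):
    """Map package name to installer from `pm list packages -i` lines."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            name, _, rest = line[len("package:"):].partition("installer=")
            installers[name.strip()] = rest.strip() or "null"
    return installers

def audit(accessibility, listeners, pm_output, allowlist=frozenset()):
    """Return (package, privileges, installer) for privileged apps needing review."""
    installers = parse_installers(pm_output)
    privileges = {}
    for label, value in (("accessibility", accessibility), ("notifications", listeners)):
        for pkg in parse_components(value):
            privileges.setdefault(pkg, []).append(label)
    findings = []
    for pkg in sorted(privileges):
        installer = installers.get(pkg, "unknown")
        if pkg not in allowlist and installer not in TRUSTED_INSTALLERS:
            findings.append((pkg, privileges[pkg], installer))
    return findings

if __name__ == "__main__":
    for pkg, privs, installer in audit(SAMPLE_A11Y, SAMPLE_LISTENERS, SAMPLE_PM):
        print(f"REVIEW {pkg}: {', '.join(privs)} (installer={installer})")
```

A finding is a prompt to look at the app in Settings, not a verdict; preinstalled system apps can also report a null installer, which is what the `allowlist` argument is for.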
Strong authentication remains another essential layer. Turn on two-factor authentication for your banking apps and your Google account, using either hardware keys or an authenticator app where possible. A password on its own is brittle; if you accidentally feed it to a fake login screen, the attacker still needs the second step to break in. Combined with alerts from your bank about new devices or unusual transactions, 2FA can dramatically shrink the window in which criminals are able to operate.
None of this matters if your phone is months behind on security patches. System updates often look dull, but they quietly fix the holes that malware loves to exploit. Install Android updates and security patches as soon as they are available for your device. Enable Google Play Protect, keep your core apps updated and avoid tapping strange links in SMS messages, emails and random websites, no matter how urgent or tempting they sound. That single tap is often the first domino in a long and expensive chain of events.
For many Android users, news of yet another banking trojan can trigger an eye roll. It genuinely feels like there is a new virus headline every week, and some people are tired of hearing about it. That fatigue is understandable, but it is exactly what criminals are counting on. When you start to think malware stories are just background noise, you stop paying attention to the small red flags that would normally keep you safe. The goal is not to live in fear of your own phone, but to treat it with the same basic caution you already use with your wallet or house keys.
In the end, Sturnus is a reminder of a simple truth about security: attackers go where the money and data are, and they adapt faster than platforms evolve. Encryption is not broken here; instead, criminals are targeting the point where humans and software meet, hijacking the screen and tricking users in moments of distraction. If you stick to official apps, keep your device updated, avoid mystery downloads and lock important accounts behind 2FA, you are already far outside the easiest target zone. Stay alert, tighten a few settings today, and you can go back to using your Android phone for what it was meant to do, not worrying about who might be watching over your shoulder.