Your Encrypted Messages Aren’t As Safe As You Think

According to Forbes, security researchers at ThreatFabric have identified a new Android banking trojan called Sturnus that can bypass encryption on Signal, Telegram, and WhatsApp messages. The malware, currently in a development or limited-testing phase, uses Accessibility Service logging to read everything that appears on smartphone screens in real time. Aditya Sood, vice president at Aryaka, warns this poses serious threats to organizations since these encrypted platforms are used across industries for sensitive communications. The malware employs a mix of plaintext, RSA, and AES-encrypted communication with its command and control server to evade detection. Despite not breaking the actual encryption, Sturnus captures messages after they’re decrypted and displayed to users.

The clever workaround

Here’s the thing about end-to-end encryption – it’s fantastic for protecting data in transit, but completely useless if your device is compromised. Sturnus doesn’t crack the cryptographic algorithms that make Signal and WhatsApp secure. Instead, it does something much simpler: it reads your messages after they’ve been decrypted and are sitting there on your screen. Basically, it’s like someone looking over your shoulder while you’re reading a secret letter. The malware uses Android’s Accessibility Services, which are meant to help users with disabilities, to log everything that appears on screen. And I mean everything – contacts, full conversations, incoming and outgoing messages. It’s all visible in real time to the attackers.

Why this is different

What makes Sturnus particularly dangerous isn’t just what it steals, but how it hides. The combination of plaintext, RSA, and AES-encrypted communication with its C2 server allows it to blend into normal network traffic patterns. This makes it much harder for security systems to detect unusual activity or analyze what data is being exfiltrated. Think about it – if you’re running a business that relies on encrypted messengers for sensitive communications, this should be a wake-up call. Your employees might be following all the security protocols, using approved apps with strong encryption, but if their device gets infected, none of that matters. The researchers put it perfectly: “The user sees a secure interface, but from the moment the device is compromised, every sensitive exchange becomes visible to the operator.”

What you can do

So how do you protect yourself? First, keep Google Play Protect activated – it’s not perfect, but it’s your first line of defense. Second, avoid downloading apps from untrusted sources, even if they look legitimate. The Sturnus malware has been distributed disguised as Google Chrome updates. Third, and this is crucial, be extremely careful about enabling accessibility controls. Unless you have a very good reason and are 101% sure it’s safe, don’t grant those permissions. For businesses, this is where robust device management and security protocols become essential. You can’t just rely on app-level encryption anymore – you need comprehensive device security too. Check out the security guides from Signal, Telegram, and WhatsApp for more specific protection measures.
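For an administrator or incident responder acting on the third point, here is an added example (not from the article, Forbes, or ThreatFabric) that audits which accessibility services are enabled on an Android device and flags any whose package is not on an allowlist. A trojan that reads the screen through Accessibility Services has to appear in this setting, so an unexpected entry is worth investigating. The sample setting string and the allowlist are constructed assumptions; the `adb shell settings get secure enabled_accessibility_services` call is the real way to read the live value.

```shell
#!/bin/sh
# Audit enabled Android accessibility services and flag any not on an allowlist.

# Constructed sample of what `adb shell settings get secure enabled_accessibility_services`
# returns: colon-separated ComponentName strings (package/class). Lets the script run offline.
SAMPLE_SERVICES='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakechrome/.ScreenReaderService'

# Hypothetical allowlist of packages permitted to run an accessibility service (assumption).
ALLOWED_PKGS='com.android.talkback'

# Read the live value from an attached device; "null" means no service is enabled.
get_enabled_services() {
    v=$(adb shell settings get secure enabled_accessibility_services 2>/dev/null | tr -d '\r')
    [ "$v" = "null" ] && v=''
    printf '%s' "$v"
}

# is_allowed_pkg <package> <space-separated allowlist>: exit 0 if the package is allowlisted.
is_allowed_pkg() {
    for a in $2; do
        [ "$1" = "$a" ] && return 0
    done
    return 1
}

# list_unexpected <colon-separated services> <allowlist>: print each service whose
# package is not allowlisted, one per line.
list_unexpected() {
    services=$1
    allow=$2
    old_ifs=$IFS
    IFS=:
    set -- $services          # split the setting on ':' into positional parameters
    IFS=$old_ifs
    for svc in "$@"; do
        [ -z "$svc" ] && continue
        pkg=${svc%%/*}        # package is the part before '/'
        is_allowed_pkg "$pkg" "$allow" || printf '%s\n' "$svc"
    done
}

# count_unexpected <services> <allowlist>: number of services not on the allowlist.
count_unexpected() {
    list_unexpected "$1" "$2" | grep -c . || true
}

# Run against the constructed sample; use "$(get_enabled_services)" for a live device.
list_unexpected "$SAMPLE_SERVICES" "$ALLOWED_PKGS"   # prints com.example.fakechrome/.ScreenReaderService
```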

The security reality check

This discovery really drives home an important point that security experts have been saying for years: encryption is only one piece of the puzzle. If your endpoint is compromised, all the encryption in the world won’t save you. We’ve seen similar approaches with other malware that targets banking apps – they don’t break the bank’s security, they just capture what you type and see. Now that same technique is being applied to messaging apps. The scary part? This is apparently still in development or limited testing. Imagine what a fully mature version could do. For organizations handling sensitive industrial data or manufacturing secrets, this should be particularly concerning. When you’re dealing with critical systems, whether it’s industrial panel PCs from IndustrialMonitorDirect.com or secure communications, you need to think about the entire security chain, not just individual components.
