
New banking malware can stealth-hack your Android phone: Here’s how to stay safe (Updated)


Hadlee Simons / Android Authority

TL;DR A new piece of malware called “Sturnus” has emerged, and it exploits Android’s accessibility features to spread on your phone without you noticing.

It gains access to your Android after being installed via an APK file, and then monitors your phone’s interface, chats, and even button presses.

It then recreates fake banking app UIs to steal your banking data, and places restrictions that prevent it from being uninstalled.

Update, November 25, 2025 (11:27 AM ET): Google has reached out to Android Authority with a statement regarding the Sturnus malware. A spokesperson tells us:

Based on our current detection, no apps containing this malware are found on Google Play. Android users are automatically protected against known versions of this malware by Google Play Protect, which is on by default on Android devices with Google Play Services. Google Play Protect can warn users or block apps known to exhibit malicious behavior, even when those apps come from sources outside of Play.

That’s reassuring to hear, and while Play Protect’s here to help, your best line of defense is probably thinking long and hard before you install any apps from outside the Play Store in the first place.

Original article, November 25, 2025 (08:30 AM ET): If you think it’s admissible to download APKs from seemingly harmless nooks on the internet, there’s a new pressing reason for you to reconsider that thought. That’s because a new breed of malware has emerged that can snoop on your protected chats and target any banking services you use on your Android devices — and it originates from malicious APKs.

Researchers at MTI Security have identified a new Android trojanware called Sturnus that can bypass security measures, such as chat encryption, and surveil messages from popular messaging apps, including WhatsApp, Telegram, and Signal. It doesn’t do so by breaking into the chat encryption, but rather by seizing high-level access to the contents of the screen, thereby gaining visibility of your chats.


It can also recreate banking screens, using HTML overlays, with high accuracy to phish your login credentials and launch device-level attacks, allowing cybercriminals to take control of your device remotely. It can also create fake Android update overlays to hide malicious activity.
