Sturnus (malware)

History

2025: Worldwide spread of virus reading screen contents on Android smartphones

In late November 2025, researchers at MTI Security identified the Sturnus Trojan virus program developed for. operating system Android The Trojan can track the device screen, bypass data protection systems, access correspondence in. messengers The source of the virus is presumably infected APK files.

Android Authority informs about the new threat. According to researchers at MTI Security, the Trojan reads correspondence from popular instant messengers such as WhatsApp, Telegram and Signal, not hacking encryption, but intercepting data directly from the screen.

𝓲

Фото: Freepik

The malware is also capable of creating exact copies of banking applications to steal logins and passwords; disguise themselves as system updates and legal applications (for example, Google Chrome); obtain administrator rights by blocking your removal; spread through fake investments in instant messengers. It is capable of implementing text content and controlling the phone interface.

According to an analysis by online fraud prevention agency ThreatFabric, Sturnus is already active in southern and central European countries. Although the development of the Trojan has not yet been completed, it is also fully functional in aspects such as communication protocol and device support. It is "more advanced than the current already established families of malware," the agency said.

Given the complex nature of the attack on this virus, the only way to prevent it is to download APK files exclusively from the Google Play Store.

The built-in Google Play Protect security system blocks known versions of this Trojan, but cannot fully protect when installing APK files from the outside. This is warned by Google through the Android Authority platform.^[1]

Notes