Sturnus, the Trojan that spies on WhatsApp on Android and jeopardizes your privacy

  • Sturnus is a banking trojan for Android that infiltrates mobile phones by exploiting fake apps and specifically targets WhatsApp.
  • It uses accessibility services to read chats once they are displayed on screen, record keystrokes, and take remote control of the device.
  • It allows the theft of bank data and credentials through fake login screens and access to multiple applications.
  • The best defense is prevention: avoid external APKs, check permissions, keep your mobile updated, and strengthen WhatsApp security.

[Image: Sturnus Trojan illustration on WhatsApp]

Android mobile security is once again under scrutiny because of Sturnus, a Trojan that specializes in spying on WhatsApp and other messaging apps. This malware, detected by firms such as ThreatFabric and closely monitored by European authorities, is being used in active campaigns to steal chats, passwords, and banking data.

Far from being a theoretical threat, Sturnus is spreading across Europe and other territories through fraudulent applications that masquerade as legitimate tools. Its combination of advanced espionage, remote control, and financial theft places it among the most dangerous mobile Trojans of recent years.

What is Sturnus and why is it focusing on WhatsApp?

In essence, Sturnus is a banking trojan for Android. It disguises itself as a legitimate app so that the user installs it without suspicion. It does not replicate on its own like a classic virus; it requires the victim to open and install a seemingly harmless application, often downloaded from external links or unofficial stores.

The attackers' interest is clear: take advantage of the massive user base of WhatsApp and of other platforms such as Telegram or Signal to maximize the number of potential victims. Once inside the phone, the Trojan can read conversations, copy multimedia files, and spy on daily activity without raising suspicion for weeks.

Experts from European laboratories and cybersecurity firms describe it as “advanced spyware”. It works in the background, records what happens on the screen, intercepts keystrokes, and can send all of this information to remote servers controlled by the criminals.

This approach fits a worrying trend: mobile Trojans have become more discreet and specialized, increasingly focusing on stealing money, banking credentials, and sensitive accounts rather than simply displaying advertising or slowing down the device.

[Image: Malware in WhatsApp on Android phones]

How Sturnus gets onto your phone: fake apps and modified APKs

The reports agree on the same starting point: the infection usually begins with the download of a fraudulent application. These apps are presented as games, photo editors, optimization tools or, especially, “premium” versions of popular services, including unofficial variants of WhatsApp.

Many users fall for the bait of “Gold” or “Plus” versions, or of apps that impersonate WhatsApp. In reality, these external APKs are the perfect vehicle for Sturnus to install itself on the device. Links also circulate through social media, private messages, or websites that mimic official pages, a classic social engineering tactic.

Once the user installs the malicious application, the Trojan requests accessibility or device administrator permissions. At first glance these permissions may seem normal, but in practice they grant the malware almost total control over the phone.

After obtaining these privileges, Sturnus goes into hiding and begins operating in the background. It records activity, accesses screens, captures text, and monitors application usage, without any visible warnings or eye-catching icons. In many cases, the user does not even remember which app they installed before it all started.
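The infection pattern just described, an app installed outside the store that then enables an accessibility service, is something a defender can check for with adb. The helper below is an added example, not code from the article, ThreatFabric or any authority cited here: it parses the output of two real adb commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags any enabled accessibility service whose package was not installed by the Play Store. The allowlist, the `com.example.whatsappgold` package name and the sample command output are constructed for the example.

```python
"""Flag enabled accessibility services that belong to sideloaded packages.

Added example for a defender triaging a suspect Android phone. It parses the
output of two adb commands:

    adb shell settings get secure enabled_accessibility_services
    adb shell pm list packages -i

and reports any enabled accessibility service whose package did not come from
the Play Store. This is not Sturnus detection logic from any vendor; the
allowlist and the sample output below are constructed for this example.
"""
from __future__ import annotations

import subprocess

# Packages expected to run an accessibility service (constructed allowlist;
# adjust it to what is legitimately deployed on the device).
TRUSTED_ACCESSIBILITY_PACKAGES = {"com.google.android.marvin.talkback"}

# Installer package names that count as official channels.
OFFICIAL_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> list[str]:
    """Return package names from 'pkg/Service:pkg2/Service2'; 'null' means none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages = []
    for entry in raw.split(":"):
        package = entry.split("/", 1)[0].strip()
        if package:
            packages.append(package)
    return packages


def parse_installers(raw: str) -> dict[str, str | None]:
    """Map package -> installer from 'package:<pkg>  installer=<pkg|null>' lines."""
    installers: dict[str, str | None] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, rest = line[len("package:"):].partition("installer=")
        installer = rest.strip()
        installers[name.strip()] = None if installer in ("", "null") else installer
    return installers


def suspicious_accessibility_services(services_raw: str, installers_raw: str) -> list[tuple[str, str]]:
    """(package, installer) for enabled services that are neither allowlisted nor store-installed."""
    installers = parse_installers(installers_raw)
    findings = []
    for package in parse_enabled_services(services_raw):
        if package in TRUSTED_ACCESSIBILITY_PACKAGES:
            continue
        installer = installers.get(package)
        if installer in OFFICIAL_INSTALLERS:
            continue
        findings.append((package, installer or "sideloaded/unknown"))
    return findings


def adb_shell(*args: str) -> str:
    """Run an adb shell command on the connected device (requires adb on PATH)."""
    return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout


# Constructed sample output standing in for a real device: a sideloaded
# "WhatsApp Gold" lookalike has registered an accessibility service.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.whatsappgold/com.example.whatsappgold.AccService"
)
SAMPLE_INSTALLERS = """\
package:com.whatsapp  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.whatsappgold  installer=null
"""

if __name__ == "__main__":
    for package, installer in suspicious_accessibility_services(SAMPLE_SERVICES, SAMPLE_INSTALLERS):
        print(f"SUSPICIOUS accessibility service: {package} (installer: {installer})")
    # Against a live device, replace the samples with:
    #   adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    #   adb_shell("pm", "list", "packages", "-i")
```

The installer check is the useful signal: a legitimate screen reader from the Play Store will not be reported, while an APK that arrived through a browser download or a chat link shows `installer=null` and is listed. Keep in mind that the article also notes the malware can interfere with the settings UI on the device itself, which is why reading these values over adb from a trusted computer is preferable to trusting what the phone's screen shows.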

Spying on WhatsApp: how it accesses encrypted chats

One of the most delicate aspects of Sturnus has to do with messaging. It does not break the end-to-end encryption of WhatsApp, Telegram or Signal, but it finds an equally effective shortcut: it uses Android's accessibility services to “see” what appears on the screen once the user has opened the conversation.

In other words, the Trojan acts as an invisible layer that reads the decrypted messages in real time as you view them on your phone. This lets the attackers copy text, capture images, record audio, and obtain the content of private chats, even though the chats are properly encrypted in transit.

Technical analyses indicate that Sturnus can capture photos, videos, voice notes, documents, and sent and received messages, and associate them with specific accounts. In parallel, it can record every keystroke, further increasing the volume of sensitive information that reaches the attackers.

This attack model marks a change in approach: it is no longer necessary to attack the servers of messaging platforms or break complex encryption systems; it is enough to control the device where the conversations are displayed. This weakness is much harder to protect against once the user has already installed the malware.

Theft of passwords, bank details and other Sturnus targets

Beyond spying on WhatsApp, the real impact of the Trojan is economic. Sturnus is designed with a clear banking and financial focus, aimed at stealing money and sensitive credentials.

Its capabilities include HTML overlays that mimic the login screens of banking apps and digital wallets. When the user opens their banking app, the Trojan can display a fake interface almost identical to the original, where the victim enters their username, password, or verification codes without realizing that they are handing them directly to the cybercriminals.

In addition, the use of accessibility services lets it record every keystroke and access emails, social networks, and authentication services. The result is a very complete map of the user's digital life, useful both for bank fraud and for hijacking accounts and carrying out identity theft.

The laboratories that have analyzed these campaigns emphasize that the data obtained is sent to remote servers, where it is stored and used for subsequent attacks. In some cases, the attackers activate “spy modules” only when it suits them, further complicating detection of the malware.

Remote control of mobile phone: black screen and invisible actions

Another feature that worries specialists is Sturnus' ability to take remote control of the victim's device. Once it has administrator privileges, the Trojan can behave almost as if the attacker had the phone in their hand.

The reports describe functions such as real-time screen viewing, button interaction, message writing, and in-app navigation. This opens the door to silent actions: changing internal settings, installing other malicious tools, or manipulating accounts without the user noticing.

To camouflage that activity, Sturnus can even activate a black screen or block the user's view while continuing to operate in the background. From the outside, the phone appears to be switched off or locked, but in reality the attacker may be performing critical operations.

This combination of espionage and remote control turns the Trojan into a highly versatile cybercrime platform, useful for financial fraud, blackmail, identity theft, or even for enrolling the device in wider attack networks.

Why is it so difficult to remove Sturnus from the device?

One of the points experts emphasize most is Sturnus' persistence once it has been installed on the phone. The Trojan does not just run like any other app; it embeds itself in deep layers of the system to make removal difficult.

When the user attempts to revoke permissions, uninstall the suspicious application, or open the relevant settings, the malware intercepts these actions and redirects the screen. In practice, the device owner believes they are changing an option, but the Trojan prevents the change from being applied.

In many cases, researchers have concluded that removing Sturnus completely without forensic tools is extremely difficult. For this reason, one of the most common solutions when an advanced infection is detected is to restore the phone to factory settings, erasing all data and settings.

This level of resistance fits a general evolution of mobile malware: techniques previously seen in desktop Trojans have now reached the Android environment, with sophisticated mechanisms for concealment, persistence, and antivirus evasion.

How Sturnus affects Europe and what experts are warning about

Various European authorities and cybersecurity laboratories have issued warnings about Sturnus' active campaigns, which especially target Android users who use WhatsApp and other messaging services daily.

The first confirmed cases were detected on Android devices in several European countries, taking advantage of links shared on social networks, fraudulent websites, and private messages posing as official notices or promotions.

Analysts point out that 2025 has seen a significant increase in the volume and sophistication of cyber scams: account theft, phishing, fake apps, and Trojans disguised as seemingly normal tools. Sturnus fits this scenario perfectly, as it combines well-known techniques with modern control and espionage mechanisms.

Given this context, the general recommendation for European users is to exercise extreme caution when installing applications and managing permissions, without blindly trusting any download channel or supposed “miracle” functions.

Signs that your mobile phone may be infected

Although Sturnus is designed to go unnoticed, certain clues can raise suspicion. Experts cite, among others, the phone overheating for no apparent reason, abnormal battery drain, or the presence of apps you don't remember installing.

Other common symptoms are apps opening on their own, sudden system slowdown, strange background activity, or changes to settings that no one has made. In the case of WhatsApp, it is a good idea to check whether there are open sessions on devices you don't recognize.

Sometimes the appearance of an unexpected black screen while the phone remains on can be a sign that something is happening behind the scenes without your knowledge. This tactic is one of Sturnus's tricks for hiding malicious activity while the attacker controls the phone.

If several of these signs are detected at the same time, it is advisable to seriously consider the possibility of an infection and take action as soon as possible to minimize potential damage.

What to do if you suspect Sturnus has accessed your phone

If you believe your device may be compromised by Sturnus or a similar Trojan, experts recommend acting quickly and following the steps in order, to avoid complicating the situation further.

The first step is to disconnect the device from the internet. This can be done by turning off mobile data and Wi-Fi or by using airplane mode. It makes remote access by the attackers more difficult and, at least temporarily, stops the transmission of information to external servers.

Next, it is advisable to restart the phone in “safe mode”, which prevents most third-party apps from running. From this environment, you can try to uninstall suspicious applications and review the permissions they have been granted.

If these actions don't work or the system doesn't allow the malicious app to be removed, the most effective option is usually to restore the device to factory settings. After that, change your passwords for banks, email, social media, and messaging from another secure device, and avoid restoring backups that may be compromised.

Key measures to prevent Sturnus from infiltrating your WhatsApp

Almost all cybersecurity organizations and companies agree on the same message: the best defense against Sturnus is prevention. Once it is inside, cleaning up can be complex, so it is essential to minimize the chances of infection.

The first recommendation is not to install apps from outside Google Play or other official channels. Many APKs circulating on forums, download websites, or through links from unknown sources are the preferred entry point for these types of Trojans.

It is also crucial to carefully review the permissions requested by each application. If a simple tool requests access to the microphone, camera, SMS, contact list, or accessibility services without an obvious reason, that is a clear red flag.
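The permission review above can be done from a trusted computer rather than on the phone's own settings screens, which the article notes the malware may redirect. The script below is an added example, not code from the article or any vendor: it parses the `dumpsys package <package-name>` record that adb can pull for one app and lists the granted permissions that a simple utility has no obvious reason to hold (microphone, camera, SMS, contacts, and drawing over other apps, which fake login overlays depend on). The high-risk table, the `com.example.photoeditor` package and the sample dump are constructed for the example.

```python
"""Review granted permissions of one Android package from `dumpsys package`.

Added example, not code from the article or any vendor. A defender who
suspects a sideloaded "simple tool" can dump its package record with

    adb shell dumpsys package <package-name>

and check which sensitive permissions have actually been granted. The
high-risk table and the sample dump below are constructed for the example.
"""
from __future__ import annotations

import re

# Permissions the article names as red flags for a simple utility app
# (microphone, camera, SMS, contacts) plus overlay drawing, which fake
# login screens shown over banking apps rely on. Constructed mapping.
HIGH_RISK = {
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.CAMERA": "camera",
    "android.permission.READ_SMS": "SMS",
    "android.permission.RECEIVE_SMS": "SMS",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlay)",
}

# Matches '<permission>: granted=true' lines in both the install and the
# runtime permission sections of the dump.
GRANT_RE = re.compile(r"^\s*([\w.]+):\s*granted=true", re.MULTILINE)


def granted_permissions(dumpsys_output: str) -> set[str]:
    """All permission names marked granted=true in the dump."""
    return set(GRANT_RE.findall(dumpsys_output))


def flag_permissions(dumpsys_output: str, expected: frozenset[str] = frozenset()) -> list[tuple[str, str]]:
    """Granted high-risk permissions, as (permission, plain-language meaning).

    `expected` lists permissions that fit the app's stated purpose (a camera
    app legitimately needs CAMERA); those are not reported.
    """
    granted = granted_permissions(dumpsys_output)
    return sorted(
        (perm, HIGH_RISK[perm])
        for perm in granted
        if perm in HIGH_RISK and perm not in expected
    )


# Constructed excerpt of a dumpsys package record for a sideloaded
# "photo editor" that has been granted SMS, microphone and overlay access.
SAMPLE_DUMP = """\
Packages:
  Package [com.example.photoeditor] (1a2b3c):
    userId=10123
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true stopped=false
      runtime permissions:
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET ]
        android.permission.CAMERA: granted=false, flags=[ USER_SET ]
        android.permission.READ_EXTERNAL_STORAGE: granted=true, flags=[ USER_SET ]
"""

if __name__ == "__main__":
    # A photo editor plausibly needs the camera, nothing else on the list.
    for perm, meaning in flag_permissions(SAMPLE_DUMP, frozenset({"android.permission.CAMERA"})):
        print(f"RED FLAG: {perm} ({meaning}) granted to com.example.photoeditor")
```

Only `granted=true` entries count: a permission that is merely declared in the manifest but denied by the user is not reported, so the output reflects what the app can actually do right now. Feed the function the real `dumpsys package` output captured over adb to review an app on a live device.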

Another basis for protection is keeping the operating system and apps updated. Security patches fix vulnerabilities that cybercriminals exploit time and time again; delaying these updates leaves the door open to known threats.

WhatsApp security settings to add extra protection

There is also room to reduce risk within the messaging app itself. Enabling the appropriate options does not completely block this type of Trojan, but it does complicate the attackers' task and limits the impact of a potential attack.

On WhatsApp, experts advise enabling two-step verification, so that even if someone steals your password or tries to register your number on another device, they will need an additional code that only you know.

It is also recommended to periodically review active sessions to ensure that a remote session hasn't been opened on an unknown computer or device; closing anything you don't recognize is a simple practice that can prevent many problems.

Finally, it is advisable to limit the information visible in your profile (photo, statuses, personal data) to trusted contacts only, reducing the details a potential attacker can obtain publicly.

Good digital habits: the hardest barrier for malware to overcome

Experience from recent years shows that, however sophisticated a Trojan may be, an attentive and well-informed user is much harder to deceive. That is the true line of defense against campaigns like the ones Sturnus exploits.

Analysts insist on constantly monitoring for unexpected changes in device behavior, being wary of apps that promise “miracle” functions or disproportionate benefits, and always reading the ratings and the developer's name before installing anything.

Although even official stores can occasionally host malicious applications, combining technical measures with common sense and a healthy dose of skepticism drastically reduces the chances of falling into the trap.

With Sturnus and other Trojans targeting WhatsApp and users' wallets, it is more important than ever to strengthen security habits, review permissions, and think twice before installing any application, no matter how attractive it may seem.
