
Sturnus Spyware: Android Malware Bypasses Encryption to Monitor WhatsApp


A sophisticated Android spyware campaign dubbed 'Sturnus' has emerged as a significant threat to mobile security across Europe, demonstrating the ability to circumvent encryption and monitor private communications on popular messaging platforms.

Technical Analysis and Infection Vectors

The Sturnus malware represents a new generation of mobile threats that combine traditional information-stealing capabilities with advanced surveillance features. Security analysts have identified multiple distribution channels, with third-party app stores serving as the primary infection vector. The malware typically masquerades as legitimate applications, including utility tools, gaming platforms, and productivity software, to deceive users into installation.

Once installed, Sturnus employs a multi-stage deployment process that begins with requesting extensive permissions, particularly targeting accessibility services. This strategic approach allows the malware to bypass standard security restrictions and gain deep system-level access. The abuse of accessibility services enables the spyware to perform actions that would normally require user interaction, creating a powerful persistence mechanism.

Encryption Bypass Capabilities

What sets Sturnus apart from conventional mobile malware is its approach to intercepting encrypted communications. Rather than attempting to break cryptographic protocols directly, the malware relies on screen capture and keylogging, both of which operate outside the encryption framework. This lets Sturnus record conversations from WhatsApp, Signal, and Telegram by capturing what the user types before the app encrypts it and what the app displays after it has decrypted it.

The malware applies OCR (optical character recognition) to the screenshots to extract text and combines the result with keylogging data to reconstruct complete conversations. This effectively sidesteps end-to-end encryption, because the interception happens at the presentation layer rather than in transit: end-to-end encryption protects messages between devices, and a compromised endpoint sees the same plaintext the user does.

Data Exfiltration and Financial Targeting

Beyond communication monitoring, Sturnus demonstrates comprehensive data harvesting capabilities. The malware systematically scans devices for financial applications, banking credentials, cryptocurrency wallets, and payment information. Security researchers have observed the spyware targeting major European banking applications and financial service platforms.

The exfiltration process employs sophisticated evasion techniques, including encrypted communication channels with command-and-control servers and timing-based data transmission to avoid detection. The malware uses multiple data compression and encryption methods to optimize the stolen information for transmission while minimizing network footprint.

Detection and Mitigation Strategies

Detecting Sturnus is currently difficult because of its obfuscation techniques and its camouflage as legitimate applications. However, security researchers have identified several behavioral indicators, including unusual accessibility service usage, excessive screen capture requests, and anomalous network traffic patterns.
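The "anomalous network traffic patterns" and "timing-based data transmission" mentioned above can be surfaced with a simple regularity check over connection logs. The following is an added example for this article, not code from the article or from any vendor: it groups connections by device and destination, computes the spread of the gaps between connections, and flags destinations contacted on a near-fixed schedule. The log format and the hostnames (`c2.example.invalid`, `cdn.example.invalid`) are constructed for the example.

```python
"""Beaconing check over constructed connection logs.

Added example for the detection section (not code from the article or any vendor):
a device that phones home on a schedule, even with jitter, produces connection
gaps whose spread is small relative to their mean. Log format is constructed:
"<epoch_seconds> <device_id> <dest_host> <bytes_out>", one connection per line.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: device-1 contacts c2.example.invalid roughly every 600 s
# (with jitter of a few seconds) and cdn.example.invalid at irregular times.
SAMPLE_LOG = """
1700000000 device-1 c2.example.invalid 2048
1700000100 device-1 cdn.example.invalid 51200
1700000130 device-1 cdn.example.invalid 4096
1700000612 device-1 c2.example.invalid 1980
1700001192 device-1 c2.example.invalid 2100
1700001820 device-1 c2.example.invalid 2010
1700001900 device-1 cdn.example.invalid 8192
1700002000 device-1 cdn.example.invalid 512
1700002385 device-1 c2.example.invalid 2050
1700003005 device-1 c2.example.invalid 1995
1700003500 device-1 cdn.example.invalid 256
1700003610 device-1 c2.example.invalid 2030
1700004100 device-1 cdn.example.invalid 1024
1700004197 device-1 c2.example.invalid 2070
"""


def parse_log(text):
    """Group connections by (device, destination) -> list of (timestamp, bytes_out)."""
    flows = defaultdict(list)
    for line in text.strip().splitlines():
        ts, device, host, nbytes = line.split()
        flows[(device, host)].append((int(ts), int(nbytes)))
    return flows


def beacon_stats(timestamps, min_events=6):
    """Return gap statistics for one destination, or None if there are too few connections.

    cv is the coefficient of variation of the inter-connection gaps: near 0 for a
    fixed-interval beacon, still small with modest jitter, large for human-driven traffic.
    """
    ts = sorted(timestamps)
    if len(ts) < min_events:
        return None
    gaps = [later - earlier for earlier, later in zip(ts, ts[1:])]
    mu = mean(gaps)
    if mu <= 0:
        return None
    return {"events": len(ts), "mean_gap_s": round(mu, 1), "cv": round(pstdev(gaps) / mu, 3)}


def find_beacons(flows, max_cv=0.2, min_events=6):
    """Flag (device, host) pairs whose connection timing is regular enough to look scheduled."""
    hits = []
    for (device, host), events in flows.items():
        stats = beacon_stats([t for t, _ in events], min_events)
        if stats and stats["cv"] <= max_cv:
            stats.update(device=device, host=host, bytes_out=sum(b for _, b in events))
            hits.append(stats)
    return sorted(hits, key=lambda h: h["cv"])


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['device']} -> {hit['host']}: {hit['events']} connections, "
              f"mean gap {hit['mean_gap_s']} s, cv {hit['cv']}, {hit['bytes_out']} bytes out")
```

On the constructed sample only the `c2.example.invalid` destination is flagged (eight connections about 600 s apart, cv around 0.04), while the irregular CDN traffic is not. In practice the thresholds need tuning per environment, legitimate apps also poll on timers (push services, sync clients), and a beacon spread across rotating hosts or a shared CDN will not group cleanly by hostname, so treat a hit as a lead for correlation with the accessibility and screen-capture indicators rather than as a verdict.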

Organizations should implement comprehensive mobile device management solutions with behavioral analysis capabilities. Key mitigation strategies include:

  • Restricting installation from unknown sources
  • Implementing application allowlisting policies
  • Conducting regular security awareness training
  • Deploying mobile threat defense solutions
  • Monitoring for unusual accessibility service usage
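Two of the items above, restricting installation from unknown sources and monitoring for unusual accessibility service usage, can be checked per device from settings that Android already exposes. The following is an added example written for this article, not code from the article or from any vendor: it parses constructed text shaped like the output of two `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -i -3`), compares the result against an allowlist of accessibility services and a set of trusted installers, and rates a package that is both sideloaded and holding an accessibility service as the highest-priority finding. The package names, the allowlist, and the exact output shapes are assumptions made for the example.

```python
"""Triage of Android device state for two Sturnus-style indicators.

Added example for the mitigation list (not code from the article or any vendor):
it checks which packages hold an enabled accessibility service and which installed
apps came from outside a trusted installer, then correlates the two. The inputs are
constructed strings shaped like the output of two `adb shell` commands (an assumption;
real output varies across Android versions, so verify the format on your devices):
  settings get secure enabled_accessibility_services
  pm list packages -i -3
"""

# Accessibility services an organisation chooses to permit (constructed allowlist).
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
# Installers treated as trusted: the Play Store here; an MDM agent would be added.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample shaped like `settings get secure enabled_accessibility_services`:
# colon-separated "package/ServiceClass" entries ("null" when nothing is enabled).
A11Y_SAMPLE = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
               "com.example.cleaner/com.example.cleaner.AccessSvc")

# Constructed sample shaped like `pm list packages -i -3` (third-party packages with installer).
PM_SAMPLE = """package:com.google.android.apps.maps  installer=com.android.vending
package:com.example.cleaner  installer=null
package:com.example.game  installer=com.example.altstore
"""


def parse_enabled_accessibility(value):
    """Return the set of package names that have an accessibility service enabled."""
    value = value.strip()
    if value in ("", "null"):
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def parse_installers(text):
    """Map package name -> installer package (None when the device reports 'null')."""
    result = {}
    for line in text.strip().splitlines():
        if not line.startswith("package:"):
            continue
        pkg_part, _, inst_part = line.partition("installer=")
        pkg = pkg_part[len("package:"):].strip()
        installer = inst_part.strip()
        result[pkg] = None if installer in ("", "null") else installer
    return result


def triage(a11y_value, pm_text, allowed=ALLOWED_ACCESSIBILITY, trusted=TRUSTED_INSTALLERS):
    """Produce findings; a sideloaded app that also holds accessibility is rated high."""
    a11y = parse_enabled_accessibility(a11y_value) - allowed
    installers = parse_installers(pm_text)
    sideloaded = {pkg for pkg, inst in installers.items() if inst not in trusted}
    findings = []
    for pkg in sorted(a11y | sideloaded):
        reasons = []
        if pkg in a11y:
            reasons.append("accessibility service enabled, not allowlisted")
        if pkg in sideloaded:
            reasons.append(f"installer not trusted: {installers.get(pkg)}")
        severity = "high" if pkg in a11y and pkg in sideloaded else "medium"
        findings.append({"package": pkg, "severity": severity, "reasons": reasons})
    # High-severity findings first, then alphabetical.
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["package"]))


if __name__ == "__main__":
    for finding in triage(A11Y_SAMPLE, PM_SAMPLE):
        print(f"[{finding['severity']}] {finding['package']}: " + "; ".join(finding["reasons"]))
```

On the constructed sample, `com.example.cleaner` is rated high because it was installed without a recognised installer and holds an accessibility service, while `com.example.game` is only flagged for its untrusted installer. An MDM or mobile threat defense product collects the same two facts centrally; the value of the check is the correlation, since accessibility abuse by a sideloaded app is exactly the combination the infection chain described above depends on.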

Enterprise organizations with mobile workforces should particularly focus on implementing application vetting processes and network monitoring for anomalous data transmission patterns.

The emergence of Sturnus highlights the evolving sophistication of mobile malware and the increasing convergence of surveillance and financial crime capabilities. As threat actors continue to develop techniques that bypass traditional security measures, organizations must adopt defense-in-depth strategies that combine technical controls with user education and behavioral monitoring.

NewsSearcher AI-powered news aggregation
