Sturnus Android Malware Directly Captures Screen, Bypassing E2EE

A new strain of insidious Android malware has been discovered that can “bypass encrypted messaging” by capturing content directly from the screen after decryption.

The malware can also present convincing fake bank login screens in order to harvest credentials.

In addition, it provides attackers with extensive remote control, enabling them to observe all user activity, inject text without physical interaction, and even black out the device screen while executing fraudulent transactions in the background—without the victim’s knowledge.

The researchers estimate that the malware is still in a “development or limited testing stage” but has “already been configured with targeted attacks against financial institutions across Southern and Central Europe.”

The malware relies on Accessibility Services logging to capture everything that appears onscreen, “including contacts, full conversation threads, and the content of incoming and outgoing messages.”

The malware achieves precise control over the device: it can issue clicks, enter text, and accept permission prompts on the victim’s behalf, effectively giving the attackers full remote control of the device.

It can transmit what’s on your screen without triggering the normal screen capture prompts, and it can even act on interface elements that are not currently visible on your screen.
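As an added defender-side example (not code from the article or from the researchers it cites), the shell script below audits which accessibility services are enabled on an Android device and flags any that are not on an allowlist, since an unexpected accessibility service is the precondition for the screen-reading and input-injection behaviour described above. The allowlist entries and the sample device output are constructed; on a real device the list would come from `adb shell settings get secure enabled_accessibility_services`.

```shell
#!/bin/sh
# Added example, not from the original article: audit the accessibility
# services enabled on an Android device and flag any not on an allowlist.
# On a real device the list comes from
#   adb shell settings get secure enabled_accessibility_services
# which prints colon-separated "package/ServiceClass" entries; here a
# constructed sample string stands in for that output so the script runs offline.

# Services an organisation expects to see (hypothetical allowlist entries).
ALLOWED='com.android.talkback/com.google.android.marvin.talkback.TalkBackService
com.example.mdm/com.example.mdm.AgentService'

# Exit 0 if the service is on the allowlist, 1 otherwise.
is_allowed() {
    printf '%s\n' "$ALLOWED" | grep -qxF -e "$1"
}

# Print, one per line, every enabled service that is not allowlisted.
flagged_services() {
    old_ifs=$IFS
    IFS=':'
    for svc in $1; do
        [ -n "$svc" ] || continue
        is_allowed "$svc" || printf '%s\n' "$svc"
    done
    IFS=$old_ifs
}

# Constructed sample: a legitimate screen reader plus an unknown app that has
# been granted accessibility access, the situation the article describes.
SAMPLE='com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.unknown.app/com.unknown.app.AccService'

# Report: an unexpected accessibility service deserves investigation, since it
# can read on-screen text and inject input exactly as described for Sturnus.
flagged=$(flagged_services "$SAMPLE")
if [ -n "$flagged" ]; then
    printf 'Unexpected accessibility services enabled:\n%s\n' "$flagged"
else
    echo "Only allowlisted accessibility services are enabled."
fi
```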

Malware like this is a sobering reminder that advanced capabilities aren’t limited to attacks on targeted individuals; we all need to take the security of our devices seriously.