It Just Watches You Read Them
One-Line Flow:
A banking trojan with god-mode accessibility powers is screen-watching your “encrypted” chats, stealing your logins, faking system updates, and using dual command-servers like it’s running a startup.

Dumb Mode Dictionary
Trojan: Friendly icon, evil soul.
Accessibility Abuse: Malware becomes your “assistant” and then assists itself to your data.
Overlay: Fake screen slapped over real screen to steal passwords.
C2 Server: Hackers’ office. Two of them = remote teamwork.
For
1Hackers — What’s Really Happening
Sturnus isn’t your regular dumb malware.
It uses dual encrypted channels, real-time screen mirroring, fake overlays, fake updates, and device admin rights to fully puppeteer your phone.
Once you decrypt a message, it reads it faster than you do.
Full story: https://thehackernews.com/2025/11/new-sturnus-android-trojan-quietly.html
What’s Changing
- Malware isn’t sniffing your traffic… it’s reconstructing your UI in real-time.
- Encryption is useless if the attacker sees the decrypted text on your screen.
- Banking trojans now also steal your chats because why not.
Highlights (But 10x Scarier Now)
Dual C2 Architecture
- AES-encrypted WebSocket for live VNC-style control
- HTTPS for exfiltration
- Two channels = smoother remote robbery.
Accessibility Service Exploitation
- Logs: on-screen text, keystrokes, UI structure, app launches
- Bypasses encryption because it reads what you see.
Smart Fake Overlays
- Places perfect banking login screens
- Steals data
- Automatically disables itself after success to stay invisible.
Full UI Reconstruction
- Attackers can tap, scroll, type, approve permissions, open apps
- Basically remote desktop… on your phone.
Continuous Device Profiling
- Sensors, network, hardware, app list
- Used to tailor attacks so you never notice.
Who They’re Targeting (You Wish It Was Random)
- European financial institutions — laser-focused, not mass spam.
- Currently in evaluation stage — meaning you’d be a beta tester. Congrats?
Disguise Packages Used
com.klivkfbky.izaybebnx(fake Google Chrome)com.uvxuthoq.noscjahae(fake Preemix Box)
If you installed these… condolences.
What Sturnus Really Is
A banking trojan, not generic spyware.
Money theft is the goal.
Chat interception is just the bonus round.
Sources That Actually Matter
Research by ThreatFabric (Netherlands).
Extra juicy coverage:
https://www.bleepingcomputer.com/news/security/multi-threat-android-malware-sturnus-steals-signal-whatsapp-messages/
https://therecord.media/new-android-malware-captures-private-messages
Hidden Mechanics You Definitely Missed
Black Screen Takeover
Fake “Android update” while it steals everything behind a blackout curtain.
Admin Privilege Escalation
It grants itself device admin — good luck removing it manually.
Native Display-Capture Abuse
Not a screen recorder.
It uses Android’s internal display framework to mirror your real-time screen.
Post-Decryption Sniping
Doesn’t crack encryption.
Just waits microseconds after you open the message.
Obscure History Lesson (Useful, Shockingly)
AhRat (2023) pulled a similar stunt — downloaded clean, updated dirty.
50k installs before Google noticed.
Accessibility abuse is now the #1 malware vector on Android.
Google can’t fully lock it without breaking real accessibility tools.
The “How Did You Find This?” Trivia
Why the name “Sturnus”?
It’s the genus of starlings — birds famous for synchronized swarming.
Yes, the malware also “swarms” multiple attack vectors in sync.
Hackers are either nerds or dramatic.
ThreatFabric says this is pre-production malware.
Meaning: early victims = guinea pigs.
Why It Matters
Encryption is useless if the attacker has front-row seats to your screen.
Your secure apps mean nothing when your OS itself is compromised.
Cool. They Built a Super Trojan…
Now What the Hell Do We Do?
Affiliate “Safer Phone Checklist”
Make a simple checklist PDF.
Inside: links to
- antivirus
- Secure browser
- VPN
- Cloud backup
- People always click when fear is fresh.
Build a “Clean Phone Starter Pack”
Single-page site:
- Recommended apps
- Setting tweaks
- Security tools
All with affiliate links.
You basically monetize common sense packaged well.
In Short
This headline = fear → fear = attention → attention = money.
Cybersecurity is the only niche where being the “smart friend” can literally make you a side-income…
…even if all you do is say,
“Bro don’t install random APKs.”
on safer note…
- Stop installing sketchy APKs (yes, even that “premium mod”).
- Use Play Protect or proper scanners.
- If your phone acts haunted → factory reset.
- Update your device (the real updates).
- Don’t grant Accessibility permission to apps that look like they were named by a cat walking on a keyboard.
Sigh part!
“Encrypted chats” aren’t the weak point.
Your OS is.
If malware owns the screen, it owns you.
In Short
Device hacked = Encryption meaningless.
Stay clean, or stay watched.
!