Screen-Spying Trojan Exposes Private Chats On Signal, Telegram And WhatsApp
Researchers warn of a new Android malware strain, Sturnus, capable of capturing private messages from popular encrypted messaging apps without breaking encryption, highlighting the growing risks of device-level compromise.
Security firm ThreatFabric first identified Sturnus this fall. Initially assumed to be a standard banking trojan, researchers discovered the malware has far broader capabilities, including full device control and the ability to capture sensitive information from apps like Signal, WhatsApp, and Telegram.
Screen-Based Attacks Undermine Encryption
Sturnus does not decrypt or break app-level encryption. Instead, it exploits a fundamental vulnerability of compromised devices: the moment a user reads a message on screen, the malware copies it in real time.
Security analysts stress that this is a classic side-channel attack. “Your encryption may be perfect, but if the device itself is compromised, the screen becomes a window into all sensitive communication,” said Aditya Sood, VP at Aryaka.
The malware leverages Android’s Accessibility Services, designed for users with disabilities, to log conversations, contacts, and message histories. Unlike network-level attacks, this approach bypasses the protections of end-to-end encryption without violating cryptographic boundaries.
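Because the article attributes Sturnus's screen capture to Android's Accessibility Services, a practical defender-side check is to enumerate which accessibility services a device has enabled and flag any that are not expected. The script below is an added example, not code from the article or from ThreatFabric. It reads the real Android setting key `enabled_accessibility_services` (a colon-separated list of `package/ServiceClass` component names, obtainable with `adb shell settings get secure enabled_accessibility_services`); the allowlist and the sample setting value are constructed for the example, and `com.example.updater/.ScreenReaderService` is a hypothetical placeholder, not a real indicator.

```python
"""
Added example (not from the article or ThreatFabric): list the accessibility
services enabled on an Android device and report any not on an allowlist.
An unexpected entry is a signal worth investigating, since accessibility
access is what lets screen-reading malware capture message content.
"""
import subprocess
from typing import Iterable, List, Set

# Constructed allowlist for the example; a real deployment would carry its own
# list of services it has approved (e.g. a screen reader it actually uses).
KNOWN_GOOD = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample shaped like a real setting value. The second entry is a
# hypothetical unknown service used only to exercise the check.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.updater/.ScreenReaderService"
)


def parse_enabled_services(raw: str) -> List[str]:
    """Split the setting value into component names; 'null' or '' means none enabled."""
    raw = (raw or "").strip()
    if raw in ("", "null"):
        return []
    return [c for c in raw.split(":") if c]


def expand_component(component: str) -> str:
    """Normalise the 'pkg/.Cls' shorthand to 'pkg/pkg.Cls' so comparisons are stable."""
    pkg, _, cls = component.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return f"{pkg}/{cls}"


def find_unexpected(raw: str, allowlist: Iterable[str] = KNOWN_GOOD) -> List[str]:
    """Return the enabled services (as written in the setting) that are not allowlisted."""
    allowed: Set[str] = {expand_component(a) for a in allowlist}
    return [c for c in parse_enabled_services(raw) if expand_component(c) not in allowed]


def read_from_device() -> str:
    """Pull the live value over adb; needs a connected device with USB debugging authorised."""
    return subprocess.check_output(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        text=True,
    )


if __name__ == "__main__":
    # Run against the constructed sample; swap in read_from_device() for a real device.
    for svc in find_unexpected(SAMPLE_SETTING):
        print(f"unexpected accessibility service enabled: {svc}")
```

On a managed fleet the same comparison can be driven from MDM inventory rather than adb; the point is that accessibility access is a privileged capability and its grant list deserves the same review as device-admin or VPN permissions.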
A Threat to Organizations as Well as Consumers
While most mobile spyware targets individual users, Sturnus poses risks to businesses and institutions that rely on encrypted messengers for confidential communication. Executives, attorneys, journalists, and activists often use these platforms to exchange sensitive information, and a single compromised device could expose entire conversation threads.
Sturnus appears to spread through deceptive tactics, such as fake software update prompts mimicking legitimate applications like Google Chrome. This social-engineering approach highlights that even simple malware can be highly effective when it exploits user trust.
CISA Issues Warnings About Messaging App Spyware
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also recently issued an advisory on spyware targeting encrypted messaging platforms. While it did not specifically name Sturnus, the agency highlighted familiar threats:
- Phishing attacks and malicious QR codes linking accounts to attacker devices.
- Zero-click exploits requiring no user interaction.
- Impersonation of trusted messaging apps.
CISA’s guidance emphasizes best practices for users: verify unexpected alerts, avoid untrusted QR codes, limit device linking, and scrutinize authentication requests.
The Bottom Line: Device Security Is Critical
ThreatFabric researchers concluded: “From the moment the device is compromised, every sensitive exchange becomes visible to the operator, with no cryptographic protection left to rely on.”
The Sturnus malware underscores a critical truth in cybersecurity: even the strongest encryption cannot protect data on a compromised device. Users and organizations alike must prioritize device security, cautious installation practices, and vigilance against social-engineering attacks.