
Hackers Bypass Signal, Telegram, and WhatsApp Encryption Using New Android Spyware — What You Need to Know


A New and Growing Threat to Encrypted Messaging Apps

Updated Nov. 25 — The Cybersecurity and Infrastructure Security Agency (CISA) has issued a new warning about advanced spyware targeting secure messaging apps, including Signal, Telegram, and WhatsApp. Together with new research into the Sturnus Trojan, it shows that hackers can now access private messages without breaking encryption.

Here’s what you need to know — and how to protect your devices and business.


What Is the Sturnus Trojan?

Security researchers at ThreatFabric have identified Sturnus, an advanced Android malware currently in development or limited testing. Unlike most banking Trojans, Sturnus:

  • Gains full control of an Android device

  • Steals banking and app credentials

  • Reads encrypted messages AFTER they’re decrypted and displayed on-screen

  • Captures full chat histories, contacts, and conversations

  • Evades traditional antivirus detection

Encryption has NOT been hacked. Sturnus gets around it by capturing what’s visible on the phone screen — similar to someone taking a photo of your screen.


How It Bypasses WhatsApp, Signal & Telegram Encryption

Sturnus exploits Android’s Accessibility Services, allowing it to:

  • Read everything that appears on your device

  • Capture message content in real time

  • Interact with apps like a human

  • Monitor incoming/outgoing chats

  • Gather sensitive data even from secure apps

Once a device is compromised, nothing on the device is protected anymore — regardless of encryption.

“From the moment the device is compromised, every sensitive exchange becomes visible to the operator.” — ThreatFabric

Why This Is So Dangerous

In its network communication, Sturnus uses a combination of:

  • RSA encryption

  • AES encryption

  • Plaintext communication

This helps the malware blend into normal network traffic and avoid detection — making it harder for cybersecurity systems to block or analyze.

Businesses relying on encrypted messaging (healthcare, legal, finance, real estate, etc.) face significant risk.


CISA Confirms Spyware Is Targeting Messaging Apps

CISA warns that cyber actors are now delivering spyware through:

  • Malicious QR codes

  • Zero-click exploits

  • Fake login prompts

  • Phishing messages

  • Impersonation of messaging platforms

Attackers can link victim accounts to hacker-controlled devices, silently bypassing security settings.



Even though high-profile targets (politicians, journalists, executives) are the primary victims, the same techniques affect everyday users.


How to Protect Yourself and Your Business

✔ Only download apps from the Google Play Store

Avoid unofficial APKs or “update prompts.”

✔ Keep Google Play Protect enabled

Provides baseline malware detection.

✔ Avoid untrusted QR codes

Especially group invites or authentication links.

✔ Don’t grant Accessibility permissions unless absolutely necessary

This is the #1 method malware uses to hijack your device.

✔ Treat unexpected login requests with suspicion

If an app asks for your PIN or 2FA code out of nowhere, STOP.

✔ Limit linked devices

If you don’t use it, unlink it.
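
For administrators who audit managed Android devices, the Accessibility and app-source checks above can be scripted. This is an added example, not code from ByteBak or ThreatFabric: it parses saved output of two adb commands and lists every enabled accessibility service that is not on an approved list, escalating those not installed by the Play Store. The package names, sample output and approved list are constructed assumptions.

```python
# Added example: audits saved output of two adb commands (names below are constructed):
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
PLAY_STORE = "com.android.vending"

def parse_enabled_services(raw):
    """Return (package, service_class) pairs from the colon-separated setting."""
    raw = raw.strip()
    if not raw or raw == "null":  # setting unset: no service enabled
        return []
    pairs = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            # A class starting with "." is relative to the package name.
            pairs.append((pkg, pkg + cls if cls.startswith(".") else cls))
    return pairs

def parse_installers(raw):
    """Map package -> installer from 'package:<name>  installer=<name>' lines."""
    installers = {}
    for line in raw.splitlines():
        fields = line.split()
        if (len(fields) == 2 and fields[0].startswith("package:")
                and fields[1].startswith("installer=")):
            installers[fields[0][8:]] = fields[1][10:]
    return installers

def audit(services_raw, packages_raw, approved=frozenset()):
    """List enabled accessibility services that are not on the approved list."""
    installers = parse_installers(packages_raw)
    findings = []
    for pkg, cls in parse_enabled_services(services_raw):
        if pkg in approved:
            continue
        installer = installers.get(pkg, "unknown")
        # Not installed by the Play Store (sideloaded or unknown source): escalate.
        severity = "review" if installer == PLAY_STORE else "high"
        findings.append({"package": pkg, "service": cls,
                         "installer": installer, "severity": severity})
    return findings

# Constructed sample output; com.example.updater is a hypothetical sideloaded app.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService"
                   ":com.example.updater/.HelperService")
SAMPLE_PACKAGES = ("package:com.google.android.marvin.talkback  installer=com.android.vending\n"
                   "package:com.example.updater  installer=null\n")
APPROVED = {"com.google.android.marvin.talkback"}  # hypothetical allowlist
if __name__ == "__main__": print(audit(SAMPLE_SERVICES, SAMPLE_PACKAGES, APPROVED))
```

Preinstalled services can also report a null installer, so add the ones you rely on to the approved list before treating a "high" finding as confirmed.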


Bottom Line

Encrypted messaging apps like WhatsApp, Signal, and Telegram remain secure — but your device might not be.

If malware like Sturnus infects your device:

  • Your messages can be read

  • Your accounts can be hijacked

  • Your business data can be exposed

  • Additional malware can be silently deployed

The real threat is not the encryption — it’s the device compromise.


ByteBak Solutions Protection Plan


ByteBak Solutions helps protect your devices, employees, and business from threats like Sturnus with:

  • Mobile device security audits

  • Managed threat detection & response

  • Spyware & malware protection

  • Secure messaging assessments

  • Cybersecurity training for staff

  • 24/7 monitoring & rapid incident response

Call us at 737-263-2323. Email us at info@bytebak.net

Set up a meeting to get ahead of this malware.


Secure your devices and protect your data with ByteBak, where we help take your business to the Next Level.


ByteBak Solutions, Inc.  Round Rock, TX 78683

© 2025 by ByteBak Solutions, Inc.
