
Perseus Android Malware Steals Passwords and Crypto from User Notes

A newly discovered Android malware named Perseus is targeting users by scanning their personal notes to extract highly sensitive information such as passwords, recovery phrases, and financial data.

The malware is being distributed through unofficial app stores, disguised as IPTV streaming applications. By leveraging users’ familiarity with sideloading apps—especially for accessing pirated sports content—attackers trick victims into installing malicious APKs while ignoring built-in security warnings.

Distribution and Targeting

Researchers at ThreatFabric report that Perseus primarily targets financial institutions and users in Turkey and Italy, along with cryptocurrency services. Other affected regions include Poland, Germany, and France.

One of the known apps spreading the malware is Roja Directa TV, a well-known sports streaming platform often associated with piracy.

This campaign reflects a growing trend where cybercriminals use IPTV apps as bait. Similar tactics have recently been used to distribute other Android banking malware strains.

Technical Capabilities

Perseus grants attackers full control over infected devices by abusing Android’s Accessibility Services. Its capabilities include:

  • Continuous screenshot capture and live streaming (VNC-like control)
  • Remote interaction via structured UI hierarchy (HVNC)
  • Simulating user actions like taps, swipes, and text input
  • Launching and blocking apps
  • Displaying a black screen overlay to hide malicious activity
  • Performing overlay attacks and keylogging

Additionally, the malware can remotely control the device’s screen state and app behavior, effectively turning the phone into a fully monitored system.

Unique Note-Scanning Feature

What sets Perseus apart is its ability to scan user-created notes across multiple popular apps, including:

  • Google Keep
  • Xiaomi Notes
  • Samsung Notes
  • ColorNote
  • Evernote
  • Microsoft OneNote
  • Simple Notes

This is the first time researchers have observed Android malware specifically targeting note-taking apps. These apps often store highly sensitive, user-curated data, making them a valuable source of information for attackers.

The malware systematically opens each notes app and scans stored content to extract useful data.

Development and Evolution

Perseus is believed to be built on the Phoenix codebase, which itself originated from the leaked Cerberus banking malware.

It exists in two variants:

  • A Turkish version tailored for local targets
  • A more advanced English version with improved debugging features

The English variant includes detailed logging and even emojis in the code, suggesting the use of AI-assisted development tools.

Evasion and Anti-Analysis

Before activating, Perseus performs extensive checks to determine whether it is running in a real user environment. These include:

  • Detecting root access or emulators
  • Analyzing SIM and hardware details
  • Checking battery, Bluetooth, and installed apps
  • Verifying Google Play Services availability

Based on these factors, it generates a “suspicion score” and sends it to a command-and-control server. Attackers then decide whether to proceed with the infection.

Infection Chain

The malware is delivered via a dropper capable of bypassing Android 13+ sideloading restrictions. This same dropper has previously been used to distribute other malware families like Klopatra and Medusa.

Once installed, Perseus establishes control and begins data harvesting while remaining hidden from the user.

Prevention and Recommendations

To reduce the risk of infection, users should:

  • Avoid downloading APKs from unofficial or untrusted sources
  • Use only legitimate apps from the Google Play Store
  • Keep Google Play Protect enabled
  • Regularly scan devices for threats

As attackers continue to exploit user behavior and trust, maintaining good security practices remains critical.
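The two traits this article keeps returning to, Accessibility Services abuse and installation from outside the Play Store, can be audited together on a device. The script below is an added example (not from the article or ThreatFabric) that parses the output of two real `adb shell` commands, `pm list packages -i` and `settings get secure enabled_accessibility_services`, and flags any package with an enabled accessibility service whose installer is not a trusted store; the sample output and package names are constructed placeholders, not Perseus indicators.

```python
"""Flag sideloaded packages that hold Accessibility Services on an Android device.

Feed it the captured output of:
  adb shell pm list packages -i
  adb shell settings get secure enabled_accessibility_services
"""
import re

# Constructed sample of `pm list packages -i`; system apps report installer=null too,
# which is why installer alone is not a signal and we combine it with accessibility.
PM_LIST_SAMPLE = """\
package:com.android.vending  installer=null
package:com.google.android.keep  installer=com.android.vending
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:tv.example.iptvplayer  installer=null
package:com.example.filemgr  installer=com.example.filemgr
"""

# Constructed sample of the secure setting: colon-separated package/service components.
ENABLED_A11Y_SAMPLE = (
    "tv.example.iptvplayer/tv.example.iptvplayer.AccessSvc:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend per device policy


def parse_installers(pm_output: str) -> dict:
    """Map package name -> installer package (None when unknown/sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


def parse_enabled_services(setting: str) -> set:
    """Return the set of packages that own an enabled accessibility service."""
    return {comp.split("/", 1)[0] for comp in setting.split(":") if comp.strip()}


def flag_suspicious(pm_output: str, setting: str, trusted=TRUSTED_INSTALLERS) -> list:
    """Packages with accessibility enabled but not installed by a trusted store.

    A package missing from the pm listing is treated as installer None (flagged)."""
    installers = parse_installers(pm_output)
    return [(pkg, installers.get(pkg))
            for pkg in sorted(parse_enabled_services(setting))
            if installers.get(pkg) not in trusted]


if __name__ == "__main__":
    for pkg, inst in flag_suspicious(PM_LIST_SAMPLE, ENABLED_A11Y_SAMPLE):
        print(f"REVIEW: {pkg} has accessibility enabled, installer={inst or 'unknown'}")
```

A hit is a review prompt rather than a verdict; a legitimate screen reader sideloaded from an OEM store will also appear, which is the reason for the `trusted` set.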

1 Comment

  • Perseus represents a dangerous evolution in Android malware, targeting personal notes in addition to traditional banking and crypto apps. Its ability to fully control devices via Accessibility Services and scan note-taking apps shows how attackers are seeking increasingly contextual and highly sensitive user data. Users should avoid sideloading apps, stick to official sources, and keep security features like Google Play Protect active to mitigate these threats.

