A new and sophisticated Android banking trojan, dubbed Perseus, has surfaced, posing a significant threat to users across multiple countries. Analyzed by cybersecurity firm ThreatFabric, Perseus is built upon the leaked source code of the Cerberus banking trojan and incorporates features from the Phoenix codebase. This new malware distinguishes itself by its advanced capabilities, including credential theft, real-time device monitoring, and an alarming ability to silently steal personal notes from infected devices, offering attackers a comprehensive tool for financial fraud and device takeover.
Perseus primarily targets users in Turkey and Italy, and its reach has expanded to Poland, Germany, France, the United Arab Emirates and Portugal; alongside banks, its target list includes cryptocurrency platforms. Threat actors are distributing the malware through deceptive campaigns that rely on users’ willingness to sideload applications. Fake IPTV applications serve as the primary vector, bypassing the Google Play Store and lowering user suspicion by masquerading as legitimate streaming services. A dropper application is also used to work around the restrictions that Android 13 and later place on sideloaded apps, which by default cannot be granted Accessibility Service access, making the initial infection both quieter and harder to detect.
ThreatFabric analysts identified Perseus as part of an ongoing malicious campaign, noting that its operational infrastructure is shared with other known malware families, such as Medusa and Klopatra. The name “Perseus” was taken directly from the command-and-control (C2) login panel observed during the analysis of several campaigns. The malware appears in at least two distinct versions: one in English with extensive debugging features and a more clandestine Turkish-language variant, both actively targeting financial institutions and user data across various geographical regions.
Perseus Android Malware: Advanced Capabilities for Data Theft
Upon successful installation, Perseus requests Accessibility Service permissions, which form the core of its malicious operations. These permissions grant the malware extensive control, enabling it to monitor the device’s screen, intercept user input, and simulate touch interactions without raising any visible alerts to the user. This allows Perseus to launch overlay attacks, presenting fake login pages over legitimate banking applications, and to function as a keylogger, recording all keystrokes made by the victim.
When combined with its remote control features, these capabilities give attackers full interactive command over a compromised device, allowing unauthorized transactions and other fraudulent activity to be carried out without the victim’s knowledge or consent. The scope of the campaign is substantial, with over 50 financial institutions and nine cryptocurrency platforms targeted across eight countries. The malware’s ability to achieve a full device takeover while remaining undetected highlights the escalating sophistication of modern Android banking trojans.
Taking Notes: A Capability Others Lack
A particularly concerning feature of Perseus, one that sets it apart from many other Android banking trojans, is its ability to target note-taking applications on the victim’s device. Many users store sensitive information such as passwords, cryptocurrency recovery phrases, and financial account details in these applications, assuming the data is private. Perseus exploits this with a command named `scan_notes`, which identifies installed note applications and then silently opens each one to extract its contents, without any user interaction or notification.
The malware uses Android Accessibility Services to navigate the interfaces of these note-taking applications autonomously. It systematically moves through individual notes, triggers tap actions to open entries, captures the text content, and then navigates back before proceeding to the next note. The entire routine runs discreetly in the background and leaves no visible trace for the victim. All captured note data is logged and subsequently transmitted to the attacker’s command-and-control server, alongside other stolen credentials and device information.
The applications targeted by Perseus include widely used note-taking services such as Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, Simple Notes Pro, and Simple Notes. This comprehensive targeting strategy indicates a deliberate effort to extract high-value personal and financial data that users typically believe is secure on their devices.
To mitigate the risk posed by Perseus and similar threats, users are strongly advised to avoid installing applications from sources outside of official app stores and to ensure that Google Play Protect is consistently enabled. Maintaining up-to-date Android devices with the latest security patches is crucial for reducing exposure to emerging threats. Most importantly, users should refrain from storing passwords, wallet recovery phrases, or other sensitive credentials within note-taking applications, as malware leveraging Accessibility Services can gain access to this data without alerting the device owner.
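Because Accessibility Service access is the common thread in every capability described above (overlays, keylogging, remote control and `scan_notes`), the first thing a responder should check on a suspect device is which packages hold that access and where they came from. The following Python script is an added example, not code from ThreatFabric’s report or from the malware: it parses the output of two `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags any package with an enabled accessibility service that was not installed by a trusted store installer, which is exactly the profile of a sideloaded IPTV lookalike. The device output below is constructed, the trusted-installer list is an assumption to adjust per fleet, and `com.example.iptvplus` is a hypothetical package name.

```python
"""Triage enabled Android accessibility services against installer provenance.

Run on a live device with:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
and feed both outputs to suspicious_accessibility_services().
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Optional

# Installers treated as trustworthy here (an assumption for this example);
# anything else, including 'null' (adb / manual sideload), counts as sideloaded.
TRUSTED_INSTALLERS = {
    "com.android.vending",               # Google Play
    "com.sec.android.app.samsungapps",   # Galaxy Store
}

# Each entry in the setting is a flattened ComponentName: pkg/cls or pkg/.RelativeCls
SERVICE_RE = re.compile(r"^([A-Za-z0-9_.]+)/([A-Za-z0-9_.$]+)$")
# 'pm list packages -i' prints: package:<pkg>  installer=<installer|null>
PACKAGE_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: Optional[str]   # None means the package was sideloaded


def parse_enabled_services(setting_value: str) -> list[tuple[str, str]]:
    """Split the colon-separated setting into (package, fully qualified class) pairs.

    The setting reads 'null' or is empty when no accessibility service is enabled.
    """
    value = setting_value.strip()
    if value in ("", "null"):
        return []
    pairs = []
    for entry in value.split(":"):
        m = SERVICE_RE.match(entry)
        if not m:
            raise ValueError(f"unexpected accessibility service entry: {entry!r}")
        pkg, cls = m.groups()
        if cls.startswith("."):          # expand the shorthand relative class name
            cls = pkg + cls
        pairs.append((pkg, cls))
    return pairs


def parse_installers(pm_output: str) -> dict[str, Optional[str]]:
    """Map package name -> installer package; 'installer=null' becomes None."""
    installers: dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line:
            continue
        m = PACKAGE_LINE_RE.match(line)
        if not m:
            raise ValueError(f"unexpected pm output line: {line!r}")
        pkg, installer = m.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def suspicious_accessibility_services(setting_value: str, pm_output: str) -> list[Finding]:
    """Return enabled accessibility services whose package is not from a trusted installer.

    A package missing from the pm listing is also flagged: an enabled service
    with no visible provenance is worth a look, not a pass.
    """
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(setting_value):
        installer = installers.get(pkg)
        if installer not in TRUSTED_INSTALLERS:
            findings.append(Finding(pkg, cls, installer))
    return findings


# Constructed sample output standing in for the two adb commands above.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplus/.core.AccessService"    # hypothetical sideloaded IPTV lookalike
)
SAMPLE_PM = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.google.android.keep  installer=com.android.vending
package:com.example.iptvplus  installer=null
"""

if __name__ == "__main__":
    for f in suspicious_accessibility_services(SAMPLE_SETTING, SAMPLE_PM):
        print(f"SUSPICIOUS: {f.package} runs {f.service} (installer={f.installer})")
```

On the constructed sample only the sideloaded package is reported; TalkBack, installed from Play, is not. On a real device the same script gives a responder a short list to pull APKs for, and a package that appears here and also matches the IPTV lure described above is a strong candidate for removal.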