Image: ThreatFabric
A new and highly adaptable Android threat named Perseus has been identified in the wild, marking a sophisticated evolution of long-standing mobile malware families. Discovered by the ThreatFabric Mobile Threat Intelligence Team, Perseus is a “rebirth” of notorious codebases like Cerberus and Phoenix, refined to bypass modern security and strip victims of high-value personal data.
While its predecessors focused heavily on banking credentials, Perseus expands its reach into the very apps where users store their most private information: their digital note-takers.
Perseus spreads through a clever social engineering tactic, masquerading as IPTV service applications. Because users are often accustomed to “sideloading” these apps from outside the official Google Play Store, they are less likely to question suspicious installation workflows.
To bypass the stricter security of Android 13 and above, the malware uses a dedicated “dropper” application. This dropper has also been seen delivering other dangerous malware families like Klopatra and Medusa.
What makes Perseus particularly dangerous is its departure from traditional credential theft. It introduces a “scan_notes” command that systematically hunts for sensitive information—such as recovery phrases, financial details, or private thoughts—stored in popular note-taking apps.
“Perseus introduces functionality aimed at monitoring user-created content, specifically notes stored on the device,” the researchers explain.
By abusing Accessibility Services, the malware can automate user interactions:
- It systematically opens note apps.
- It iterates through individual notes.
- It “navigates the UI by iterating over elements… and programmatically triggering click actions”.
- It captures the contents through in-app logging.
Inheriting the raw power of its predecessors, Perseus offers attackers interactive, real-time control over infected devices.
- VNC Capabilities: Through the “start_vnc” command, the malware captures screenshots, compresses them into JPEGs, and transmits them to a Command-and-Control (C2) server, creating a visual stream of the victim’s screen.
- Overlay Attacks: It can superimpose fake login screens over legitimate apps to capture credentials with high accuracy.
- Remote Execution: Combined, the VNC screen stream and the overlays allow criminals to “perform and authorize fraudulent transactions” directly on the victim’s device.
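A triage heuristic built from the capabilities described above, added here as an illustration and not taken from ThreatFabric's report or tooling: it parses a decoded AndroidManifest.xml (as produced by apktool or androguard, an assumption) and flags the combination of an accessibility service with overlay, screen-capture or package-install rights. The sample manifest, weights and threshold are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"  # manifest attribute namespace

# Capability -> (weight, behaviour from the report that it enables). Weights are an
# assumption chosen for this illustration, not a published scoring scale.
WEIGHTS = {
    "accessibility_service": (4, "UI traversal: scan_notes, automated clicks"),
    "overlay": (2, "fake login screens over legitimate apps"),
    "media_projection": (2, "start_vnc screenshot streaming"),
    "install_packages": (2, "dropper stage installing a second payload"),
}
PERMISSION_TO_CAPABILITY = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "install_packages",
    "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION": "media_projection",
}

def capabilities(manifest_xml: str) -> set:
    """Collect the risky capabilities a decoded AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    caps = {PERMISSION_TO_CAPABILITY[p.get(ANDROID + "name")]
            for p in root.iter("uses-permission")
            if p.get(ANDROID + "name") in PERMISSION_TO_CAPABILITY}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE,
    # not a <uses-permission>, so it needs a separate check.
    for svc in root.iter("service"):
        if svc.get(ANDROID + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            caps.add("accessibility_service")
    return caps

def triage(manifest_xml: str) -> dict:
    """Accessibility combined with overlay, capture or install rights is the banker pattern."""
    caps = capabilities(manifest_xml)
    score = sum(WEIGHTS[c][0] for c in caps)
    verdict = "review" if "accessibility_service" in caps and score >= 6 else "low"
    return {"capabilities": sorted(caps), "score": score, "verdict": verdict}

# Constructed sample, not a real app: an "IPTV" lure that declares an accessibility
# service, an overlay permission and the right to install further packages.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iptv.player">
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application android:label="IPTV Player">
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

Legitimate accessibility tools and launchers can trip this too, so a "review" verdict is a queue for manual analysis, not a block decision.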
Perseus is obsessed with staying hidden. It performs an extensive “suspicion score” check before fully activating, looking for signs that it is running in a sandbox or being analyzed by researchers. It scans for:
- Instrumentation Tools: Specifically looking for frameworks like Frida or Xposed.
- Realism Checks: Verifying the presence of a SIM card, realistic battery values, and a sufficient number of installed apps to ensure it isn’t an emulator.
The campaign currently shows a heavy concentration in Turkey and Italy, though targeted institutions have also been identified across Poland, Germany, France, and Portugal.