This Android malware checks your notes for useful information

A new malware for Android devices, named Perseus, is threatening user security by adopting a decidedly unusual and concerning tactic.

Beyond the traditional interception practices typical of banking trojans, this threat stands out for its pronounced ability to inspect note-taking applications to search for sensitive data, such as passwords, recovery phrases, or private financial information.

Perseus is the malware that searches your notes for passwords


Criminals are deftly exploiting the growing demand for free or low-cost sports content to disseminate Perseus in a widespread manner. The primary infection vector is represented by fake IPTV applications, distributed strictly outside official stores.

One of the most used lures goes by the name of Roja Directa TV, a well-known streaming service often associated with ongoing copyright violations and forced closures. Hiding behind these fake apps, the attackers count on users’ habit of installing third-party APK files, pushing them to systematically ignore the operating system’s security warnings.

This trend has solidified over the last eight months and has already seen the use of fake IPTV apps to distribute other banking malware such as Massiv.

The Perseus installation system is particularly sophisticated: it is able to circumvent the sideloading restrictions introduced in Android 13, using the same delivery mechanism already observed in other dangerous threats such as Klopatra and Medusa.

Solid roots and AI-assisted development

According to the in-depth analyses conducted by researchers from mobile security company ThreatFabric, Perseus possesses a solid technological base. Its source code derives from Phoenix, a malware family that is in turn based on the code of Cerberus, a project leaked online almost six years ago.

Currently the threat is circulating in two distinct variants. The first is developed in Turkish, while the second, in English, is much more complex and refined.

This latest version features advanced debugging capabilities and source code enriched with numerous logs and emojis. According to experts, this peculiarity strongly hints that artificial intelligence tools were used during the programming and optimization phase of the malware.

The theft from notes and total control

Once the user installs the compromised app, Perseus aggressively abuses Android’s accessibility services to grant operators near-total remote control of the infected device.

Attackers gain the ability to capture screenshots and transmit them to their servers, simulate taps and swipes, type text, launch or block applications at will, and even activate a black screen overlay to hide their fraudulent actions from the victim.

However, the most innovative and alarming feature of Perseus is its attention to personal notes. Leveraging accessibility permissions, the English version of the malware systematically opens the note-taking applications on the phone, including Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes, to scan their contents individually.

Researchers emphasize that this is the first time an Android malware has shown a systematic interest in data personally curated by users, recognizing notes as a rich reservoir of credentials, financial details and passphrases for cryptocurrency wallets.
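Because Perseus relies on an enabled accessibility service inside a sideloaded app, a quick defensive triage is to list the accessibility services a device has enabled and check which of their host packages did not come from a trusted store. The script below is an added example written for this article, not code from ThreatFabric or from the malware; it parses the output of two real adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`) and flags services whose package was installed by an unknown installer. The package name `com.example.fakeiptv` and both command outputs are constructed sample data, not indicators from the page.

```python
"""Triage helper: flag enabled Android accessibility services whose host app
was sideloaded rather than installed by a trusted store.

Constructed sample data is embedded so the script runs offline; on a real
device, replace the samples with the output of the two adb commands named
in the comments below.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample output of:
#   adb shell settings get secure enabled_accessibility_services
# Entries are ':'-separated and have the form <package>/<service class>.
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeiptv/com.example.fakeiptv.AccService"  # constructed
)

# Constructed sample output of:
#   adb shell pm list packages -i
# Each line reads "package:<name>  installer=<installer package or null>".
SAMPLE_PACKAGES = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeiptv  installer=null
package:com.google.android.keep  installer=com.android.vending
"""

# Google Play; add an enterprise store or MDM installer package if you use one.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Return (package, service_class) pairs from the settings value."""
    pairs = []
    for entry in raw.strip().split(":"):
        if not entry:
            continue
        pkg, _, cls = entry.partition("/")
        pairs.append((pkg, cls))
    return pairs


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package (None when sideloaded)."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if not m:
            continue
        pkg, inst = m.groups()
        installers[pkg] = None if inst == "null" else inst
    return installers


def flag_suspicious_services(services_raw: str, packages_raw: str,
                             trusted=TRUSTED_INSTALLERS) -> List[dict]:
    """Accessibility services whose host app was not installed by a trusted store.

    A package missing from the installer list is treated as unknown and flagged.
    """
    installers = parse_installers(packages_raw)
    flagged = []
    for pkg, cls in parse_enabled_services(services_raw):
        inst = installers.get(pkg)
        if inst not in trusted:
            flagged.append({"package": pkg, "service": cls, "installer": inst})
    return flagged


if __name__ == "__main__":
    for hit in flag_suspicious_services(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES):
        print(f"[!] {hit['package']} ({hit['service']}) installer={hit['installer']}")
```

On the sample data the script flags only the sideloaded package; TalkBack, installed from Google Play, passes. A flagged entry is a lead, not a verdict: legitimate accessibility apps are sometimes sideloaded, so the next step is to check the APK's signer and where it came from before removing it.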

Evasion methods and geographic targets

Before launching its harmful activities and risking discovery, Perseus performs rigorous checks to determine whether it is running in a simulated analysis environment or on a real smartphone.

The malware meticulously checks the presence of root permissions, SIM card details, hardware profile, battery status, associated Bluetooth devices, the number of installed apps, and the availability of Google Play Services.

Based on all this information, the software generates a suspicion score that is immediately sent to the remote control panel. It is then up to the operator to decide whether to proceed with the data theft.

Italy is among the main targets of this malicious campaign. Data show that the malware is targeting 17 financial institutions in Turkey, followed by Italy with 15 banks in its sights. Next come Poland with 5 institutions, Germany with 3 and France with 2.

The threat does not spare the cryptocurrency sector, aiming to strike nine specific cryptocurrency exchange and fund management applications.