A new Android banking trojan dubbed Perseus is setting a concerning precedent in mobile malware. According to research by ThreatFabric, the malware not only performs typical banking-trojan activities, but also systematically opens note‑taking applications on infected devices and scans them for passwords, crypto wallet seed phrases, and financial information. This behaviour directly exploits a widespread habit: storing sensitive data in plain-text notes instead of using dedicated password managers.
Malware distribution: pirated IPTV Android apps as bait
Current Perseus campaigns rely on unofficial Android app stores and websites, where the trojan is distributed under the guise of free IPTV and sports streaming services. Users are lured by promises of free access to premium or pirated broadcasts and are encouraged to sideload APK files, often bypassing warnings from Google Play Protect and the Android security prompts.
One observed dropper impersonates “Roja Directa TV”, a name familiar to many fans of online sports streams. By mimicking a brand already associated with “grey zone” content, attackers reduce user suspicion around the app’s legitimacy and significantly increase installation rates.
Code lineage: from Cerberus to Phoenix to Perseus
Technical analysis indicates that Perseus is built on top of the Phoenix malware codebase, which itself traces back to leaked source code from the well‑known Cerberus Android banking trojan. This type of evolution is typical in the Android malware ecosystem: once code leaks publicly, it is repeatedly repurposed, extended with new features, and adopted by different criminal groups.
The Perseus dropper is capable of bypassing installation restrictions for unknown apps on Android 13 and above, an increasingly important capability as Google tightens controls around sideloading and background installs. The same dropper family has previously been associated with distributing other notable malware strains, including Klopatra and Medusa, suggesting shared tooling or overlapping infrastructure among threat actors.
Primary targets: European banks and cryptocurrency apps
Perseus is clearly focused on the financial sector. ThreatFabric’s telemetry shows targeting of banking applications primarily in Turkey (17 apps) and Italy (15 apps), with additional targets in Poland (5), Germany (3), and France (2). Parallel to this, the trojan monitors at least nine cryptocurrency-related applications, underscoring attackers’ ongoing interest in harvesting digital assets and recovery seed phrases for wallets.
Trojan capabilities: remote control via Accessibility Services
Like many modern Android banking trojans, Perseus extensively abuses Android Accessibility Services—a system feature designed to assist users with visual or motor impairments. Once granted these permissions, the malware can:
- simulate user actions such as taps, swipes, and text entry;
- read and capture the content displayed on the screen;
- interfere with or bypass multi‑factor authentication in financial applications;
- enable remote interactive control of the device by the attacker.
Scanning note‑taking apps for passwords and seed phrases
The most distinctive element of Perseus is its targeted interaction with note‑taking apps. The malware recognizes and opens popular services including Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes. The English-language variant methodically iterates through each installed note app, scrolls through the list of notes, and inspects their contents using Accessibility Services.
ThreatFabric notes that such systematic harvesting of data specifically from note‑taking apps has not previously been observed at scale in Android banking trojans. This is particularly relevant because many users consider notes “good enough” for storing passwords, recovery phrases, card numbers, and PIN codes—despite the lack of encryption or access control in most basic note applications.
Two language builds and hints of AI-assisted development
Researchers identified two language variants of Perseus: a Turkish build and a more advanced English build. The English version contains extended logging functionality and various helper routines that improve reliability and operator visibility. The abundance of verbose logs and even emojis in the code suggests the possible use of AI‑assisted development tools, reflecting a broader trend where cybercriminals leverage the same AI ecosystems as legitimate developers.
Evasion tactics: “suspicion score” for anti‑analysis
Before enabling its full feature set, Perseus performs an extensive environment and anti‑analysis check. It inspects indicators such as root status, emulator artefacts, SIM card properties, hardware profile, battery state, presence of Bluetooth, number of installed applications, and availability of Google Play Services.
Based on these attributes, the malware calculates a “suspicion score” and sends it to its command‑and‑control server. Human operators then decide whether to continue, pause, or abort the attack against that particular device. This triage mechanism helps attackers conserve resources and reduces the chance of exposure in sandboxes, research labs, and automated analysis environments.
How to protect Android devices from Perseus and similar banking trojans
Perseus illustrates how quickly threat actors adapt to user behaviour, shifting credential theft from browsers and banking apps into the realm of everyday note‑taking tools. To reduce exposure to this and similar threats, users and organizations should:
- Avoid installing APKs from third‑party sources, especially pirated IPTV, sports streaming, or “free premium” apps.
- Restrict Accessibility Services permissions to only well‑known, trusted apps that clearly require them for accessibility features.
- Never store passwords, seed phrases, or PINs in standard note‑taking apps; instead, use reputable password managers that provide encryption and secure autofill.
- Keep Android and all applications fully updated with the latest security patches.
- Deploy mobile security solutions from established vendors and perform regular scans for malware.
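The two mitigations that matter most against this family, keeping Accessibility Services limited to approved apps and keeping sideloaded APKs off the device, can be checked on a connected handset. The script below is an added example for this article, not code from ThreatFabric or from the Perseus malware: it parses the output of two real adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`) and flags any third-party app that was not installed from a trusted store yet holds an accessibility service, which is exactly the combination described above. The allowlist, the set of trusted installers and the sample command output are assumptions constructed for the example; the package names in the sample are illustrative.

```python
"""
Audit an Android device for the Perseus-style pattern: a sideloaded app that
has been granted Accessibility Services.

Data sources (real adb commands; the sample output below is constructed):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3 -i     # third-party packages with installer
"""
import subprocess

# Accessibility services the device owner deliberately approved (assumed allowlist).
ACCESSIBILITY_ALLOWLIST = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Installer packages treated as trusted stores (assumed policy: Google Play, Galaxy Store).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}


def parse_accessibility_services(raw: str) -> list:
    """Parse the colon-separated value of enabled_accessibility_services.
    Android prints the literal string "null" when no service is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    return [entry for entry in raw.split(":") if entry]


def parse_installers(raw: str) -> dict:
    """Parse lines of the form 'package:<name>  installer=<pkg or null>'
    (the format of `pm list packages -i`) into {package: installer_or_None}."""
    result = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name_part, _, installer_part = line.partition("installer=")
        package = name_part[len("package:"):].strip()
        installer = installer_part.strip()
        result[package] = None if installer in ("", "null") else installer
    return result


def audit(services_raw: str, installers_raw: str) -> dict:
    """Return three findings lists: accessibility services outside the allowlist,
    third-party packages not installed by a trusted store, and the overlap."""
    services = parse_accessibility_services(services_raw)
    installers = parse_installers(installers_raw)

    unexpected = sorted(s for s in services if s not in ACCESSIBILITY_ALLOWLIST)
    sideloaded = sorted(p for p, inst in installers.items() if inst not in TRUSTED_INSTALLERS)
    # A sideloaded app that also holds an accessibility service is the
    # highest-priority finding: it matches the dropper-plus-accessibility
    # pattern the article describes.
    high_risk = sorted({s.split("/")[0] for s in unexpected} & set(sideloaded))
    return {
        "unexpected_accessibility": unexpected,
        "sideloaded": sideloaded,
        "high_risk": high_risk,
    }


def run_adb(args: list) -> str:
    """Run an `adb shell` command against the connected device and return stdout."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample output, shaped like the real commands' output.
SAMPLE_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptv.free/com.example.iptv.free.AccService"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.bank  installer=com.android.vending
package:com.example.iptv.free  installer=null
package:com.example.notes  installer=com.android.vending
"""

if __name__ == "__main__":
    findings = audit(SAMPLE_SERVICES, SAMPLE_INSTALLERS)
    # Against a real device, replace the samples with:
    #   run_adb(["settings", "get", "secure", "enabled_accessibility_services"])
    #   run_adb(["pm", "list", "packages", "-3", "-i"])
    for key, items in findings.items():
        print(f"{key}: {items or 'none'}")
```

Run against the constructed sample, the script reports `com.example.iptv.free` under `high_risk`: it was installed by no store (`installer=null`) and has an enabled accessibility service that is not on the allowlist. The `-3` flag restricts `pm list packages` to third-party apps, which avoids flagging preinstalled system packages that also report `installer=null`.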
As smartphones accumulate more financial data and identity information, they become high‑value targets for operators of mobile banking trojans like Perseus. Revisiting how sensitive information is stored, enforcing stricter controls on app installation, and treating every “free” streaming or utility app with caution are essential steps toward more resilient mobile security.