A new Android malware strain called Perseus targets users by scanning their personal notes for sensitive information such as passwords and cryptocurrency recovery phrases. Discovered by the cybersecurity firm ThreatFabric, it evolves from earlier malware families such as Cerberus and Phoenix and is more versatile and invasive than either. Disguised as IPTV streaming apps, Perseus spreads primarily through unofficial app stores and phishing sites that trick users eager for free premium content into sideloading it onto their devices.
Once installed, Perseus exploits Android's Accessibility Services to achieve full device takeover. It can capture real-time screenshots, simulate taps, launch apps remotely, and overlay black screens to hide its actions from victims. This allows cybercriminals to monitor and manipulate devices undetected, with campaigns focusing on countries like Turkey, Italy, Poland, Germany, France, the UAE, and Portugal.
What makes Perseus particularly alarming is its specialized note-scanning feature, a novel capability not seen in its predecessors. The malware systematically opens popular note-taking apps—including Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes—then logs and exfiltrates their contents to a command-and-control server. Users often store high-value secrets in notes, turning this into a goldmine for thieves.
Perseus is no amateur threat; it employs sophisticated anti-analysis techniques to evade detection. Before activating, it checks for root access, emulators, Frida debugging tools, SIM details, battery stats, Bluetooth, app counts, and Google Play Services, and computes a "suspicion score" that it sends to the attackers. Its developers likely used large language models to write the code, as evidenced by emojis and detailed logging in the source.
Android users should guard against Perseus by installing apps only from the Google Play Store, enabling Play Protect, and scrutinizing any sideloaded app, especially IPTV apps that request excessive permissions. Avoid unofficial streaming sources: dropper apps such as Roja App Directa, TvTApp, and PolBox Tv bypass Android 13+ restrictions. Regular security updates and antivirus scans further shield devices from such evolving threats.
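The abuse of Accessibility Services by sideloaded apps described above is something a defender can check for from a workstation. The following triage helper is an added example (not ThreatFabric's code or anything from the article): it parses the text output of two standard `adb shell` commands, `pm list packages -i` and `settings get secure enabled_accessibility_services`, and lists packages that have an accessibility service enabled but were not installed by the Play Store. The package names in the sample output are constructed placeholders.

```python
"""Triage helper: flag Android packages with an accessibility service enabled
that did not come from the Play Store. Input is the text printed by
`adb shell pm list packages -i` and
`adb shell settings get secure enabled_accessibility_services`.
The sample output embedded below is constructed for demonstration."""
import re

PLAY_STORE = "com.android.vending"  # installer id the Play Store reports

# Constructed sample of: adb shell pm list packages -i
PM_LIST = """\
package:com.android.settings  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.example.bank  installer=com.android.vending
"""

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.OverlayService"
)

def parse_installers(pm_output):
    """Map package name -> installer package ('null' for adb/browser sideloads and system apps)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line)
        if m:
            installers[m.group(1)] = m.group(2)
    return installers

def parse_a11y_services(setting):
    """Return the set of packages owning an enabled accessibility service.
    The setting is colon-separated 'package/ServiceClass' entries, or 'null'."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.strip().split(":") if entry}

def suspicious_accessibility_apps(pm_output, a11y_setting):
    """Packages with accessibility enabled whose installer is not the Play Store.
    System services also report installer=null, so treat hits as a review list."""
    installers = parse_installers(pm_output)
    return sorted(pkg for pkg in parse_a11y_services(a11y_setting)
                  if installers.get(pkg, "null") != PLAY_STORE)

if __name__ == "__main__":
    for pkg in suspicious_accessibility_apps(PM_LIST, ENABLED_A11Y):
        print("review accessibility grant:", pkg)
```

On a real device, replace the two constants with the live command output; a hit is a prompt to review the app, since preinstalled system services also show `installer=null`.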