
Perseus Reads Your Notes Before Emptying Your Bank Account

  • Javier Conejo del Cerro
  • 20 Mar
  • 3 min read

Perseus, a new Android banking malware built on the foundations of Cerberus and Phoenix, is actively targeting users through phishing-distributed dropper apps disguised as IPTV services. Designed for full device takeover (DTO), the malware leverages Accessibility abuse, remote control sessions, and overlay attacks to silently monitor victims, steal credentials, and execute financial fraud. Its most notable evolution lies in a subtle but highly impactful capability: monitoring note-taking applications to extract high-value personal and financial information, signaling a shift toward deeper data harvesting beyond traditional banking theft.


Phase 1: Deception & Delivery


The infection begins with carefully crafted phishing campaigns distributing malicious Android applications disguised as IPTV services, such as Roja App Directa, TvTApp, or PolBox TV. These apps exploit a common and widely accepted user behavior—sideloading apps to access premium content—effectively lowering suspicion and increasing infection rates.

Once installed, the dropper silently delivers the Perseus payload, embedding itself within a context that appears legitimate to the user. This blending of malicious code with expected functionality allows the malware to bypass initial scrutiny and establish a foothold on the device without raising alarms.

The campaigns have been observed targeting multiple regions, with a strong focus on Turkey and Italy, but also extending to Poland, Germany, France, the UAE, and Portugal, indicating a geographically broad but strategically targeted operation.


Phase 2: Silent Takeover


After execution, Perseus abuses Android’s Accessibility Services to gain elevated permissions, enabling near-complete control over the device. Through this mechanism, attackers can observe user activity in real time, interact with the interface, and execute commands without direct user awareness.

The malware establishes communication with a command-and-control (C2) server, allowing operators to initiate remote sessions using VNC-like streaming or structured UI interaction (HVNC). This provides attackers with both visual and programmatic control of the device, effectively turning it into a remotely operated endpoint.

To remain undetected, Perseus performs extensive environment checks, identifying analysis tools such as Frida and Xposed, verifying SIM presence, evaluating installed apps, and assessing device behavior to distinguish real devices from sandbox environments. These checks contribute to a calculated “suspicion score,” determining whether the attack proceeds or remains dormant.


Phase 3: Data Harvesting & Financial Exploitation


With control established, Perseus deploys a combination of overlay attacks and keylogging techniques to intercept credentials in real time, particularly targeting banking and cryptocurrency applications. Fake interfaces are layered over legitimate apps, tricking users into entering sensitive data directly into the attacker’s control.

Beyond traditional credential theft, Perseus introduces a critical evolution: the ability to scan and extract data from note-taking applications such as Google Keep, Samsung Notes, Evernote, and Microsoft OneNote. This capability suggests a deliberate focus on uncovering stored passwords, recovery phrases, financial details, and other high-value personal information often saved by users in notes.

Additional capabilities include file exfiltration, forced app installations, screen capture, audio muting, black screen overlays to hide malicious activity, and automated interaction with the device interface. Attackers can also authorize fraudulent transactions directly from the infected device, completing the financial exploitation cycle.


Phase 4: Stealth, Persistence & Control


Perseus ensures persistence and operational stealth through continuous C2 communication and remote command execution. Its ability to dynamically adapt actions based on the device’s environment and risk profile makes it highly flexible and resilient.

The malware’s evolution from Cerberus and Phoenix reflects a broader trend: rather than reinventing capabilities, modern threats refine and optimize existing techniques. Indicators such as extensive logging and even emojis in the code suggest the possible involvement of large language models in its development, pointing toward a future where malware becomes faster to build, iterate, and deploy.


Measures to Fend Off


  • Avoid sideloading apps from unofficial sources, especially IPTV or “premium content” services

  • Restrict and regularly audit Accessibility Service permissions

  • Deploy mobile security solutions capable of detecting overlay attacks and remote control behavior

  • Monitor unusual device activity such as screen overlays, unexpected app launches, or silent installations

  • Educate users about phishing techniques and the risks of executing unknown applications

  • Enforce zero-trust principles on mobile devices accessing sensitive corporate resources
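
The two audit measures above (checking for sideloaded apps and auditing Accessibility permissions) can be combined into a single check. The script below is an added example, not part of the article or of any vendor tool: it cross-references the output of `adb shell settings get secure enabled_accessibility_services` with `adb shell pm list packages -3 -i` and flags any third-party app that was not installed from Google Play yet has an accessibility service enabled, the combination a Perseus-style dropper needs. The package names and adb output are constructed samples; swap in the real `adb shell` calls when auditing a device.

```shell
#!/bin/sh
# Added example: flag sideloaded apps that hold an enabled Accessibility Service.
# The samples below are constructed stand-ins for real adb output, so the
# script runs offline. On a real device use:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -3 -i

# Constructed sample: enabled accessibility services, colon-separated
# "package/service" entries (one benign screen reader, one fake IPTV app).
SAMPLE_A11Y='com.example.screenreader/.ReaderService:com.example.iptvplayer/.AccessService'

# Constructed sample: third-party packages with their installer.
# installer=null means adb- or browser-installed, i.e. sideloaded.
SAMPLE_PKGS='package:com.example.bank  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.example.notes  installer=com.android.vending'

# Print the package name of every enabled accessibility service, one per line.
a11y_packages() {
  printf '%s' "$1" | tr ':' '\n' | cut -d/ -f1
}

# Print third-party packages whose installer is not Google Play.
sideloaded_packages() {
  printf '%s\n' "$1" | grep -v 'installer=com.android.vending' \
    | sed -e 's/^package://' -e 's/ .*//'
}

# Print packages that are both sideloaded and have an accessibility
# service enabled; each one deserves a manual look.
flag_risky() {
  a11y="$(a11y_packages "$1")"
  for pkg in $(sideloaded_packages "$2"); do
    if printf '%s\n' "$a11y" | grep -qx "$pkg"; then
      printf '%s\n' "$pkg"
    fi
  done
}

# Stand-alone run against the constructed samples.
flag_risky "$SAMPLE_A11Y" "$SAMPLE_PKGS"
```

Overlay rights (the draw-over-apps permission used for fake login screens) can be checked the same way per package with `adb shell appops get <package> SYSTEM_ALERT_WINDOW`.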


Perseus exemplifies the ongoing evolution of Android banking malware, where incremental innovation leads to significantly higher impact. By combining proven techniques such as Accessibility abuse and overlay attacks with new capabilities like note monitoring, the malware shifts from simple credential theft to comprehensive data exploitation.


This progression highlights a critical reality: attackers are no longer just targeting what users input—they are targeting what users store. As personal devices increasingly act as repositories for sensitive information, the line between convenience and vulnerability continues to blur.

Perseus is not just another banking trojan. It is a reminder that in modern threat landscapes, the most valuable data is often hidden in plain sight—and attackers know exactly where to look.



The Hacker News

