
New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

Ravie Lakshmanan | March 19, 2026 | Malware / Mobile Security

Cybersecurity researchers have uncovered a new family of Android malware called Perseus that is being distributed in the wild for device takeover (DTO) and financial fraud.

Perseus is built on the foundations of Cerberus and Phoenix, while evolving into a “flexible and capable platform” for compromising Android devices through dropper apps distributed via phishing sites.

“With remote access-based capabilities, the malware enables real-time monitoring and precise interaction with infected devices, allowing full device takeover and targeting in various regions, with a particular focus on Turkey and Italy,” ThreatFabric said in a report shared with The Hacker News.

“Besides the usual data theft, Perseus monitors the user’s notes, indicating a focus on extracting high-value personal or financial information.”

Cerberus was first documented by the Dutch mobile security company in August 2019. That analysis highlighted the malware’s abuse of the Android accessibility service to grant itself additional permissions, as well as to steal sensitive data and credentials by presenting fake overlay screens. After its source code was leaked in 2020, many variants emerged, including Alien, ERMAC, and Phoenix.

Some of the artifacts associated with Perseus are listed below –

  • Roja App Directa (com.xcvuc.ocnsxn) – Dropper
  • TvTApp (com.tvtapps.live) – Perseus payload
  • PolBox Tv (com.streamview.players) – Perseus payload

ThreatFabric’s analysis found that the malware builds on the Phoenix codebase, with the threat actors likely relying on a large language model (LLM) to aid development. This assessment is based on indicators such as the breadth of the application and the presence of emojis in the source code.

Like the recently exposed Massiv Android malware, Perseus masquerades as IPTV services to target users who want to install such apps on their devices to watch premium content. The distribution campaigns mainly targeted Turkey, Italy, Poland, Germany, France, the UAE, and Portugal.

“By embedding its payload within this expected context, the Perseus malware effectively reduces user suspicion and increases infection success rates, combining malicious activity with the commonly accepted distribution model of such services,” ThreatFabric said.

Once installed, Perseus behaves much like other Android banking malware: it launches overlay attacks, logs keystrokes to capture user input in real time, and displays fake login screens for financial apps and cryptocurrency services to steal credentials.

The malware also allows the operator to issue remote commands through the command-and-control (C2) panel and to execute and authorize fraudulent transactions. Some of the supported commands are the following –

  • scan_notes – to capture content from various note-taking applications, such as Google Keep, Xiaomi Notes, Samsung Notes, ColorNote Notepad Notes, Evernote, Simple Notes Pro, Simple Notes, and Microsoft OneNote (the malware specifies the wrong package name “com.microsoft.onenote” instead of “com.microsoft.office.onenote”).
  • start_vnc – to initiate a real-time visual stream of the victim’s screen.
  • stop_vnc – to stop a remote control session.
  • start_hvnc – to transmit a schematic representation of the UI hierarchy, allowing a threat actor to interact with UI elements programmatically.
  • of_hvnc – to stop a remote control session.
  • enable_accessibility_screenshot – to enable taking screenshots using the accessibility service.
  • disable_accessibility_screenshot – to disable taking screenshots using the accessibility service.
  • open_application – to remove an application from the block list.
  • clear_blocked – to clear the entire list of blocked applications.
  • black_screen – to display a black screen overlay that hides device activity from the user.
  • at night – to silence the device’s sound.
  • click_coord – to perform taps at specified screen coordinates.
  • install_from_unknown – to force installation from unknown sources.
  • start_app – to launch the specified application.
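The package names in the artifact list above and the scan_notes target list are the kind of indicators a responder would check on a suspect device. The following triage helper is an added example, not code from the article or from ThreatFabric: it parses the output of `adb shell pm list packages`, reports any of the three Perseus package names the article lists, and shows which note-taking apps the scan_notes command would be able to reach. The only note-app package name the article gives is the incorrect OneNote one; the Google Keep, Xiaomi Notes, Samsung Notes and Evernote package names below are the well-known names of those apps, included here as assumptions about what the command matches on, and the sample `pm` output is constructed.

```python
"""Triage an Android package listing against the Perseus indicators from the article.

Added example, not from the article or ThreatFabric. Package names for the
Perseus dropper/payloads and the wrong OneNote name come from the article;
the other note-app package names are assumptions (the apps' usual names).
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Dropper and payload package names exactly as listed in the article.
PERSEUS_PACKAGES: dict[str, str] = {
    "com.xcvuc.ocnsxn": "Roja App Directa (dropper)",
    "com.tvtapps.live": "TvTApp (Perseus payload)",
    "com.streamview.players": "PolBox Tv (Perseus payload)",
}

# Package names scan_notes is assumed to look for. Only the OneNote entry
# (the wrong "com.microsoft.onenote") is taken from the article.
SCAN_NOTES_TARGETS: dict[str, str] = {
    "com.google.android.keep": "Google Keep",
    "com.miui.notes": "Xiaomi Notes",
    "com.samsung.android.app.notes": "Samsung Notes",
    "com.evernote": "Evernote",
    "com.microsoft.onenote": "Microsoft OneNote (name used by the malware)",
}

# The package name OneNote actually ships under, per the article.
REAL_ONENOTE = "com.microsoft.office.onenote"

# `pm list packages` prints one "package:<name>" line per installed package.
PM_LINE = re.compile(r"^package:(?P<pkg>[A-Za-z0-9_.]+)$")


def parse_pm_list(output: str) -> set[str]:
    """Return the set of package names in `pm list packages` output, skipping noise lines."""
    pkgs: set[str] = set()
    for line in output.splitlines():
        m = PM_LINE.match(line.strip())
        if m:
            pkgs.add(m.group("pkg"))
    return pkgs


@dataclass
class TriageResult:
    perseus_hits: dict[str, str] = field(default_factory=dict)    # known Perseus packages present
    note_apps_exposed: dict[str, str] = field(default_factory=dict)  # note apps scan_notes would match
    note_apps_missed: dict[str, str] = field(default_factory=dict)   # note apps present but not matched


def triage(installed: set[str]) -> TriageResult:
    """Compare an installed-package set against the Perseus indicators."""
    result = TriageResult()
    for pkg, label in PERSEUS_PACKAGES.items():
        if pkg in installed:
            result.perseus_hits[pkg] = label
    for pkg, label in SCAN_NOTES_TARGETS.items():
        if pkg in installed:
            result.note_apps_exposed[pkg] = label
    # Edge case from the article: the command looks for com.microsoft.onenote,
    # so a device with the real OneNote package is present but not matched.
    if REAL_ONENOTE in installed and "com.microsoft.onenote" not in installed:
        result.note_apps_missed[REAL_ONENOTE] = "Microsoft OneNote (not matched by scan_notes as described)"
    return result


# Constructed sample output; a real listing would come from `adb shell pm list packages`.
SAMPLE_PM_OUTPUT = """\
package:com.android.settings
package:com.google.android.keep
package:com.microsoft.office.onenote
package:com.tvtapps.live
package:com.evernote
"""

if __name__ == "__main__":
    r = triage(parse_pm_list(SAMPLE_PM_OUTPUT))
    for pkg, label in r.perseus_hits.items():
        print(f"[ALERT] Perseus indicator installed: {pkg} ({label})")
    for pkg, label in r.note_apps_exposed.items():
        print(f"[INFO] note app reachable by scan_notes: {pkg} ({label})")
    for pkg, label in r.note_apps_missed.items():
        print(f"[INFO] note app present but not matched: {pkg} ({label})")
```

A hit in `perseus_hits` is a strong indicator on its own; the note-app output is there to scope what data may have been exposed during a confirmed infection, and the OneNote case shows why matching on the malware's own target list, rather than on the apps actually installed, can understate exposure.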

Perseus performs extensive local checks for the presence of debuggers and analysis tools such as Frida and Xposed. It also checks whether a SIM card is present, whether the number of installed applications is unusually low, and the battery values, to confirm that it is running on a real device rather than an analysis environment.

The malware then combines all this information into a suspicion score that is sent to the C2 panel, where the operator decides on the next step and whether to proceed with the data theft.

“Perseus highlights the continued evolution of Android malware, showing how modern threats are building on established families like Cerberus and Phoenix while introducing targeted improvements instead of new paradigms,” ThreatFabric said.

“Its capabilities, ranging from access-based remote control and overlay attacks to note monitoring, show a clear focus on increasing both device interactions and the amount of data collected. This balance between legacy functionality and selective innovation reflects a broader trend toward efficiency and adaptability in malware development.”
