Ethical Hacking News
A new type of Android malware, Perseus, has been discovered, which targets user-curated notes to steal sensitive information such as passwords, financial details, and private thoughts. Distributed through unofficial stores disguised as IPTV apps, Perseus bypasses sideloading restrictions and utilizes Accessibility Services to scan personal notes for valuable data.
The Perseus Android malware targets financial institutions in Turkey and Italy, as well as crypto services. The malware was distributed through unofficial stores disguised as IPTV apps to take advantage of users seeking free streaming options. Perseus has a history of collaboration with other malicious actors in the Android ecosystem. The malware builds on the Phoenix codebase and includes AI-powered development techniques, such as extensive logging and debugging. Perseus specifically targets user-curated notes on Android devices to steal sensitive information like passwords and financial details. Users are recommended to avoid sideloading APKs from questionable sources and ensure Play Protect is active to prevent similar attacks.
Researchers at ThreatFabric have discovered a new Android malware known as "Perseus" that is specifically designed to steal sensitive information stored in user-curated notes on infected devices. The malware, which the researchers describe as a sophisticated threat, has been found to target financial institutions in Turkey and Italy, as well as crypto services.
According to the researchers, Perseus was distributed through unofficial stores disguised as IPTV apps, which are often used to stream pirated content. This tactic is designed to take advantage of users who seek free or low-cost ways to access live sports broadcasts. The malware's distribution strategy relies on the user's familiarity with sideloading APKs from outside the Google Play store and ignoring security warnings.
The dropper app for Perseus, which can bypass Android 13+ sideloading restrictions, is the same one used to deliver the Klopatra and Medusa malware. This suggests that the operators behind Perseus have a history of collaboration with other malicious actors in the Android ecosystem, or at least share delivery tooling with them.
Perseus appears to build specifically on the Phoenix codebase, which was created from the Cerberus code leaked almost six years ago. The malware has two versions, one in Turkish and a more refined version in English, which also features better debugging and additional quality-of-life features.
The researchers note that the English variant of Perseus includes extensive logging and emojis in the code, suggesting that AI tools were used in its development process. This is significant because it shows that Android malware authors are beginning to use AI-assisted development to iterate on and refine their code more quickly.
Perseus's most unusual feature targets Android note-taking apps, including Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes. The malware uses Accessibility Services to systematically open the notes apps one by one and scan individual notes stored in them. This indicates that Perseus is particularly interested in accessing sensitive information contained within personal notes.
"Notes often contain sensitive information such as passwords, recovery phrases, financial details, or private thoughts, making them a valuable target for attackers," according to ThreatFabric researchers. "While many Android malware families focus primarily on harvesting credentials or intercepting communications, this feature reflects a broader interest in contextual and personally curated data."
The malware's English version performs extensive anti-analysis and evasion checks before executing on a device, including root, emulator fingerprints, SIM details, hardware profile, battery data, Bluetooth presence, app count, and Google Play Services availability. Based on these checks, the operator decides whether to proceed with data theft.
To minimize risk, Android users are recommended to avoid sideloading APKs from questionable sources and to only download legal streaming apps from the official Android app store, Google Play. Additionally, ensuring that Play Protect is active and using it to regularly scan the device for known threats can help prevent Perseus-style attacks.
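The two points above that a defender can actually check on a device are the abuse of Accessibility Services and the sideloading path. The script below is an added triage example written for this article; it is not ThreatFabric's tooling, nor code from any of the projects mentioned. It assumes the output of two `adb shell` commands has been captured to text (`settings get secure enabled_accessibility_services`, a colon-separated list of `package/ServiceClass` component names, and `pm list packages -i`, one `package:<pkg>  installer=<installer or null>` line per app), cross-references them, and flags any sideloaded app that holds an enabled accessibility service. The allowlists and the sample output are constructed for the example, and the IPTV package name is a hypothetical stand-in.

```python
"""Triage helper: find sideloaded Android apps that hold an enabled
Accessibility Service, from captured `adb shell` output.

Added example for this article, not the researchers' or any vendor's tool.
Assumed input formats:
  adb shell settings get secure enabled_accessibility_services
    -> colon-separated ComponentNames, e.g. "pkg/pkg.ServiceClass:pkg2/..."
       (prints "null" when nothing is enabled)
  adb shell pm list packages -i
    -> "package:<pkg>  installer=<installer pkg or null>" per line
"""
import re
from typing import Dict, List, Set

# Installers treated as trusted stores. Anything else, including "null",
# is considered sideloaded. Allowlist is an assumption for this example.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

# Accessibility services that legitimately run on many devices and are not
# worth reporting (illustrative; extend per fleet).
KNOWN_ACCESSIBILITY_PACKAGES: Set[str] = {"com.google.android.marvin.talkback"}

PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_enabled_accessibility_services(raw: str) -> List[str]:
    """Return the package name of every enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    packages = []
    for component in raw.split(":"):
        component = component.strip()
        if component:
            packages.append(component.split("/", 1)[0])
    return packages


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package name -> installer package (or the literal "null")."""
    installers: Dict[str, str] = {}
    for line in raw.splitlines():
        match = PKG_LINE.match(line.strip())
        if match:
            installers[match.group(1)] = match.group(2)
    return installers


def triage(a11y_raw: str, pm_raw: str,
           trusted: Set[str] = TRUSTED_INSTALLERS,
           known: Set[str] = KNOWN_ACCESSIBILITY_PACKAGES) -> List[dict]:
    """Flag enabled accessibility services by installer provenance.

    Only packages that actually hold an enabled accessibility service are
    reported: installer=null alone is normal for preinstalled system apps,
    so it is not a finding by itself.
    """
    installers = parse_installers(pm_raw)
    findings = []
    for pkg in parse_enabled_accessibility_services(a11y_raw):
        if pkg in known:
            continue
        installer = installers.get(pkg, "unknown")
        risk = "high" if installer not in trusted else "review"
        findings.append({"package": pkg, "installer": installer, "risk": risk})
    return findings


# Constructed sample output, not captured from a real infected device.
# The IPTV package name is a hypothetical placeholder.
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.AccService"
)
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.google.android.keep  installer=com.android.vending
package:com.android.settings  installer=null
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_A11Y, SAMPLE_PM):
        print(f"[{finding['risk']}] {finding['package']} "
              f"(installer={finding['installer']}) has an enabled accessibility service")
```

On a real device the two inputs come from `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; a "high" finding for an app installed from outside the store is exactly the combination this article describes, and the sensible response is to revoke the accessibility permission and uninstall the app before re-entering any secrets kept in notes.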
In conclusion, the discovery of Perseus highlights the evolving landscape of Android malware, with new threats leveraging sophisticated techniques such as AI-assisted development and contextual data extraction. As users increasingly keep sensitive information in personal notes, it is crucial that they exercise caution when sideloading apps and maintain basic device security.
Related Information:
https://www.ethicalhackingnews.com/articles/New-Android-Malware-Exposed-Perseus-Steals-User-Secrets-from-Note-Taking-Apps-ehn.shtml
https://www.bleepingcomputer.com/news/security/new-perseus-android-malware-checks-user-notes-for-secrets/
https://malware.news/t/perseus-dto-malware-that-takes-notes/105127
https://www.cleafy.com/cleafy-labs/klopatra-exposing-a-new-android-banking-trojan-operation-with-roots-in-turkey
https://thehackernews.com/2025/10/new-android-banking-trojan-klopatra.html
https://securityaffairs.com/188460/apt/lazarus-apt-group-deployed-medusa-ransomware-against-middle-east-target.html
https://thehackernews.com/2026/02/lazarus-group-uses-medusa-ransomware-in.html
https://www.anomali.com/blog/weekly-threat-briefing-data-breach-apt-group-cerberus-malware-and-more
https://security.muni.cz/en/articles/hacker-elites-how-the-most-dangerous-apt-groups-operate
https://www.phx2600.org/
https://www.socinvestigation.com/comprehensive-list-of-apt-threat-groups-motives-and-attack-methods/
Published: Thu Mar 19 07:31:11 2026 by llama3.2 3B Q4_K_M