Malware, Mar 19, 2026

New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

Cybersecurity researchers have disclosed Perseus, a new Android banking malware family actively distributed via phishing sites that evolved from Cerberus and Phoenix codebases. Perseus conducts device takeover and financial fraud through accessibility-based remote sessions, with unique capabilities including monitoring notes apps to extract sensitive data, performing overlay attacks, and executing commands via C2 panels. The malware primarily targets users in Turkey, Italy, Poland, Germany, France, UAE, and Portugal by masquerading as IPTV streaming applications.

Full text

Ravie Lakshmanan, Mar 19, 2026, Malware / Mobile Security

Cybersecurity researchers have disclosed a new Android malware family called Perseus that's being actively distributed in the wild with an aim to conduct device takeover (DTO) and financial fraud.

Perseus is built upon the foundations of Cerberus and Phoenix, at the same time evolving into a "more flexible and capable platform" for compromising Android devices through dropper apps distributed via phishing sites.

"Through Accessibility-based remote sessions, the malware enables real-time monitoring and precise interaction with infected devices, allowing full device takeover and targeting various regions, with a strong focus on Turkey and Italy," ThreatFabric said in a report shared with The Hacker News. "Beyond traditional credential theft, Perseus monitors user notes, indicating a focus on extracting high-value personal or financial information."

Cerberus was first documented by the Dutch mobile security company in August 2019, highlighting the malware's abuse of Android's accessibility service to grant itself additional permissions, as well as steal sensitive data and credentials by serving fake overlay screens. Following the leak of its source code in 2020, multiple variants have emerged, including Alien, ERMAC, and Phoenix.

Some of the artifacts distributed by Perseus are listed below:

  • Roja App Directa (com.xcvuc.ocnsxn), dropper
  • TvTApp (com.tvtapps.live), Perseus payload
  • PolBox Tv (com.streamview.players), Perseus payload

ThreatFabric's analysis has uncovered that the malware expands on the Phoenix codebase, with the threat actors likely relying on a large language model (LLM) to assist with the development. This is based on indicators such as extensive in-app logging and the presence of emojis in the source code.
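The package names in the artifact list above are the most directly actionable indicators on this page, and because Perseus only becomes a remote-control tool once the victim grants it an accessibility service, an enabled accessibility service from an unknown package is worth flagging on its own. The script below is an added example for this article, not ThreatFabric's tooling and not code from the malware. It parses the plain text printed by `adb shell pm list packages -3` and `adb shell settings get secure enabled_accessibility_services`; the sample outputs are constructed, the service class name `.AccService` is a placeholder rather than a real Perseus component, and the allowlist of trusted accessibility packages is an assumption to adapt per fleet.

```python
"""Triage an Android device for the Perseus indicators named on this page.

Added example; not ThreatFabric's tooling and not the malware's own code.
Consumes the text printed by:

    adb shell pm list packages -3
    adb shell settings get secure enabled_accessibility_services

Sample outputs at the bottom are constructed; ".AccService" is a placeholder.
"""
from __future__ import annotations

# Package names reported for the Perseus dropper and payloads (from the page).
PERSEUS_PACKAGES = {
    "com.xcvuc.ocnsxn": "Roja App Directa (dropper)",
    "com.tvtapps.live": "TvTApp (Perseus payload)",
    "com.streamview.players": "PolBox Tv (Perseus payload)",
}

# Accessibility services this fleet legitimately enables (assumption).
TRUSTED_A11Y_PACKAGES = {
    "com.google.android.marvin.talkback",
}


def parse_pm_list(output: str) -> set[str]:
    """`pm list packages` prints one 'package:<name>' per line."""
    packages: set[str] = set()
    for line in output.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            packages.add(line[len("package:"):])
    return packages


def parse_enabled_a11y(output: str) -> list[tuple[str, str]]:
    """The setting is a colon-separated list of 'package/serviceClass'
    entries; 'null' or an empty string means nothing is enabled."""
    value = output.strip()
    if not value or value == "null":
        return []
    services: list[tuple[str, str]] = []
    for entry in value.split(":"):
        if not entry:
            continue
        package, _, service = entry.partition("/")
        services.append((package, service))
    return services


def triage(pm_output: str, a11y_output: str) -> dict:
    """Findings plus a verdict: 'compromised' when a known Perseus package is
    installed or holds an accessibility service, 'suspicious' when an unlisted
    package holds one, otherwise 'clean'."""
    installed = parse_pm_list(pm_output)
    findings: list[tuple[str, str, str]] = []

    for package in sorted(installed & PERSEUS_PACKAGES.keys()):
        findings.append(("ioc_package", package, PERSEUS_PACKAGES[package]))

    # Accessibility is what turns a sideloaded app into a remote session,
    # so an enabled service from an unknown package is a finding by itself.
    for package, service in parse_enabled_a11y(a11y_output):
        if package in PERSEUS_PACKAGES:
            findings.append(("ioc_accessibility", package, service))
        elif package not in TRUSTED_A11Y_PACKAGES:
            findings.append(("untrusted_accessibility", package, service))

    kinds = {kind for kind, _, _ in findings}
    if kinds & {"ioc_package", "ioc_accessibility"}:
        verdict = "compromised"
    elif "untrusted_accessibility" in kinds:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"third_party_packages": len(installed),
            "findings": findings, "verdict": verdict}


# Constructed sample: a device that sideloaded the TvTApp payload and
# granted it the accessibility service it asked for.
SAMPLE_PM_LIST = """\
package:com.whatsapp
package:com.tvtapps.live
package:com.evernote
"""
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.tvtapps.live/.AccService\n")

if __name__ == "__main__":
    result = triage(SAMPLE_PM_LIST, SAMPLE_A11Y)
    print(result["verdict"])
    for finding in result["findings"]:
        print(" ", *finding)
```

Run it against the real device by piping the two adb commands into `triage()`; the "suspicious" verdict is deliberately conservative, since a remote-session family that renames its package would still need the accessibility grant to work.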
As with the recently disclosed Massiv Android malware, Perseus masquerades as IPTV services to target users who are looking to sideload such apps on their devices to watch premium content. Campaigns distributing the malware have primarily targeted Turkey, Italy, Poland, Germany, France, the U.A.E., and Portugal.

"By embedding its payload within this expected context, the Perseus malware effectively reduces user suspicion and increases infection success rates, blending malicious activity with a commonly accepted distribution model for such services," ThreatFabric said.

Once deployed, Perseus functions no differently from other Android banking malware in that it launches overlay attacks and captures keystrokes to intercept user input in real time and display fake interfaces atop financial apps and cryptocurrency services to steal credentials. The malware also allows the operator to remotely issue commands via a command-and-control (C2) panel, and to perform and authorize fraudulent transactions. Some of the supported commands are as follows:

  • scan_notes, to capture contents from various note-taking apps, such as Google Keep, Xiaomi Notes, Samsung Notes, ColorNote Notepad Notes, Evernote, Simple Notes Pro, Simple Notes, and Microsoft OneNote (the malware specifies the wrong package name "com.microsoft.onenote" instead of "com.microsoft.office.onenote")
  • start_vnc, to launch a near-real-time visual stream of the victim's screen
  • stop_vnc, to stop the remote session
  • start_hvnc, to transmit a structured representation of the UI hierarchy and allow the threat actor to interact with UI elements programmatically
  • stop_hvnc, to stop the remote session
  • enable_accessibility_screenshot, to enable taking screenshots using the accessibility service
  • disable_accessibility_screenshot, to disable taking screenshots using the accessibility service
  • unblock_app, to remove an application from the blocklist
  • clear_blocked, to clear the entire list of blocked applications
  • action_blackscreen, to display a black screen overlay to hide device activity from the user
  • nighty, to mute audio
  • click_coord, to perform a tap at specific screen coordinates
  • install_from_unknown, to force installation from unknown sources
  • start_app, to launch a specified application

Perseus performs a wide range of environment checks to detect the presence of debuggers and analysis tools like Frida and Xposed, as well as verify if a SIM card has been inserted, determine the number of installed apps and whether it's unusually low, and validate battery values to make sure it's running on an actual device. The malware then combines all this information to formulate an overall suspicion score that's sent to the C2 panel to decide the next course of action and whether the operator should proceed with data theft.

"Perseus highlights the continued evolution of Android malware, demonstrating how modern threats build upon established families like Cerberus and Phoenix while introducing targeted improvements rather than entirely new paradigms," ThreatFabric said. "Its capabilities, which range from Accessibility-based remote control and overlay attacks to note monitoring, show a clear focus on maximizing both interaction with the device and the value of the data collected. This balance between inherited functionality and selective innovation reflects a broader trend toward efficiency and adaptability in malware development."
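The environment checks described above matter to anyone detonating Perseus samples: a stock emulator trips several of them at once, the C2 operator sees the score, and the fraud flow never starts. The model below is an added example for this article, not the malware's code. The page names the signals (Frida, Xposed, SIM presence, installed-app count, battery values) and says they are folded into one suspicion score for the panel; the artifact paths, weights, thresholds and the two device profiles are assumptions chosen to show the mechanism and what an analysis device has to present to stay below the threshold.

```python
"""Reconstruction of the anti-analysis scoring this page attributes to Perseus.

Added example for the article; not the malware's code. Artifact paths,
weights, thresholds and both device profiles are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class DeviceProfile:
    present_paths: set[str]          # files the app can stat()
    installed_packages: set[str]     # from PackageManager
    listening_ports: set[int]        # local TCP listeners
    sim_state: str                   # TelephonyManager SIM state name
    battery_level: int               # 0..100
    battery_status: str              # CHARGING / DISCHARGING / FULL / UNKNOWN


# Commonly checked tool artifacts (assumed check list, not the page's).
FRIDA_PATHS = {"/data/local/tmp/frida-server", "/data/local/tmp/re.frida.server"}
FRIDA_DEFAULT_PORT = 27042
XPOSED_PATHS = {"/system/framework/XposedBridge.jar"}
XPOSED_PACKAGES = {"de.robv.android.xposed.installer", "org.lsposed.manager"}

# Assumed weights and thresholds; the page gives none.
WEIGHTS = {"frida": 40, "xposed": 40, "no_sim": 20, "few_apps": 20, "battery": 10}
MIN_PLAUSIBLE_APPS = 30
ABORT_THRESHOLD = 50


def suspicion_score(profile: DeviceProfile) -> tuple[int, list[str]]:
    """Return (score, triggered checks). Each triggered check is exactly the
    thing an analysis environment would have to change."""
    hits: list[str] = []
    if (profile.present_paths & FRIDA_PATHS) or FRIDA_DEFAULT_PORT in profile.listening_ports:
        hits.append("frida")
    if (profile.present_paths & XPOSED_PATHS) or (profile.installed_packages & XPOSED_PACKAGES):
        hits.append("xposed")
    if profile.sim_state != "READY":
        hits.append("no_sim")
    if len(profile.installed_packages) < MIN_PLAUSIBLE_APPS:
        hits.append("few_apps")
    if profile.battery_status == "UNKNOWN" or not 0 < profile.battery_level <= 100:
        hits.append("battery")
    return sum(WEIGHTS[h] for h in hits), hits


def c2_decision(profile: DeviceProfile) -> str:
    """What the page says the panel does with the score: continue the fraud
    flow on a believable device, otherwise hold off."""
    score, _ = suspicion_score(profile)
    return "abort" if score >= ABORT_THRESHOLD else "proceed"


def _apps(n: int) -> set[str]:
    # Placeholder package names for the constructed profiles.
    return {f"com.example.app{i}" for i in range(n)}


# Constructed: a stock emulator with frida-server on its default port.
STOCK_EMULATOR = DeviceProfile(
    present_paths={"/data/local/tmp/frida-server"},
    installed_packages=_apps(12),
    listening_ports={27042},
    sim_state="ABSENT",
    battery_level=100,
    battery_status="UNKNOWN",
)

# Constructed: the same device after fixing every check the score flags
# (renamed server binary, non-default listen port, SIM, app volume, battery).
HARDENED_SANDBOX = DeviceProfile(
    present_paths={"/data/local/tmp/fs"},
    installed_packages=_apps(45),
    listening_ports={31337},
    sim_state="READY",
    battery_level=67,
    battery_status="DISCHARGING",
)

if __name__ == "__main__":
    for name, profile in (("stock emulator", STOCK_EMULATOR),
                          ("hardened sandbox", HARDENED_SANDBOX)):
        score, hits = suspicion_score(profile)
        print(f"{name}: score={score} hits={hits} -> {c2_decision(profile)}")
```

The point of keeping the triggered checks alongside the number is that the list doubles as the sandbox hardening backlog: a renamed frida-server listening somewhere other than 27042, a SIM (or a spoofed READY state), a few dozen real apps and non-default battery telemetry are enough to get this reconstruction to "proceed".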

Indicators of Compromise

  • malware — Perseus
  • malware — Cerberus
  • malware — Phoenix
  • malware — ERMAC
  • malware — Alien
  • android_package — com.xcvuc.ocnsxn (Roja App Directa, dropper)
  • android_package — com.tvtapps.live (TvTApp, Perseus payload)
  • android_package — com.streamview.players (PolBox Tv, Perseus payload)