Perseus
Perseus is an Android banking trojan actively distributed in the wild and designed for device takeover and financial fraud. Reporting states it is built on leaked Cerberus source code and draws from the Phoenix codebase. ThreatFabric named the malware from the command-and-control login panel and identified at least two branches, including an English-language version with extensive debugging features and a more discreet Turkish-language version.
Perseus is distributed primarily through fake IPTV and television streaming applications, including unofficial streaming apps delivered via phishing sites and sideloaded APKs outside Google Play. Campaigns observed in Spain and Italy also linked Perseus to malicious RojaDirecta-themed streaming apps, and attackers have used droppers, including one described as bypassing Android 13+ installation restrictions. The infection chain relies on social engineering and user sideloading rather than exploitation of software vulnerabilities.
Once installed, Perseus abuses Android Accessibility Services to monitor the screen in real time, intercept user input, simulate touch interactions, and support remote control and full device takeover. Documented capabilities include overlay attacks against banking and cryptocurrency applications, fake login screens for credential harvesting, keylogging, interception of one-time codes, and fraud-enabling remote interaction with the device.
A notable capability is silent harvesting of data from note-taking applications. Perseus includes a command described as scan_notes to identify installed note apps and autonomously read their contents via Accessibility Services. Reported targeted apps include Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, Simple Notes Pro, and Simple Notes. Researchers state the malware seeks passwords, financial details, and cryptocurrency recovery phrases stored in notes, then logs and forwards the extracted content to command-and-control infrastructure.
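The capabilities above all hinge on one thing the malware needs from the user: an enabled Accessibility Service inside a sideloaded app. On a device under investigation that combination is cheap to check. The following triage helper is an added example, not code from ThreatFabric or from the source reports: it parses the text output of two standard `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`) and flags every package that both enables an accessibility service and has no trusted installer recorded. The embedded output samples are constructed, the package names in them are hypothetical, and treating only `com.android.vending` (Google Play) as trusted is an assumption you should widen for fleets that use an OEM store or MDM.

```python
"""Flag sideloaded Android packages that hold an enabled Accessibility Service.

Added example (not from the page's source reports). Input is the plain-text
output of two adb commands; the samples below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format: colon-separated flattened component names, "package/ServiceClass".
ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "tv.example.iptvplayer/tv.example.iptvplayer.AccService"   # hypothetical IPTV app
)

# Constructed sample of: adb shell pm list packages -i
# "installer=null" means no installer was recorded, which is what sideloading looks like.
PACKAGE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:tv.example.iptvplayer  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.notes  installer=com.sec.android.app.samsungapps
"""

# Assumption: only Google Play is trusted. Add your OEM store / MDM installer here.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_enabled_services(raw: str) -> Dict[str, List[str]]:
    """Map package name -> enabled accessibility service classes."""
    services: Dict[str, List[str]] = {}
    for entry in filter(None, raw.strip().split(":")):
        pkg, _, svc = entry.partition("/")
        services.setdefault(pkg, []).append(svc)
    return services


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package; 'null' becomes None."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers


@dataclass
class Finding:
    package: str
    installer: Optional[str]   # None = sideloaded or installer unknown
    services: List[str]


def find_sideloaded_accessibility_apps(
    services_raw: str, installers_raw: str, trusted=TRUSTED_INSTALLERS
) -> List[Finding]:
    """Return packages that enable an accessibility service and were not
    installed by a trusted store. A package missing from the installer list
    entirely is also flagged, since its origin cannot be vouched for."""
    services = parse_enabled_services(services_raw)
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, svcs in services.items():
        inst = installers.get(pkg)
        if inst not in trusted:
            findings.append(Finding(pkg, inst, svcs))
    return findings


if __name__ == "__main__":
    for f in find_sideloaded_accessibility_apps(ENABLED_SERVICES, PACKAGE_INSTALLERS):
        print(f"REVIEW: {f.package} (installer={f.installer}) enables {', '.join(f.services)}")
```

On a real device, feed the script the two command outputs captured over `adb`; a hit is not proof of infection (legitimate sideloaded accessibility tools exist), but it is exactly the combination an overlay or note-harvesting trojan of this kind needs, so each hit deserves a look at the package's install source and what else it requests.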
ThreatFabric reported that Perseus campaigns primarily target users in Turkey and Italy, with additional activity affecting Poland, Germany, France, the United Arab Emirates, and Portugal. The malware was reported to target more than 50 institutions across eight countries and nine cryptocurrency platforms. Shared infrastructure was also observed with Medusa and Klopatra. High-confidence behaviors and targeting described in the source material center on Android users, especially those lured into sideloading unofficial streaming/IPTV apps.
Techniques & procedures
13 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
Perseus is distributed through dropper apps found on phishing sites, masquerading as IPTV services to trick users into sideloading them.
Execution
2 techniques
Threat actors distribute it through fake IPTV applications, a tactic that sidesteps the Google Play Store by exploiting users’ familiarity with sideloading APK files.
Users typically encounter them on websites or ads and are asked to download and install them manually... By doing so, users: Bypass protections designed to screen apps for malicious behaviour.
Persistence
1 technique
Privilege Escalation
1 technique
Stealth
1 technique
1 techniqueour MTI research team observed a clear increase in unofficial IPTV apps containing malware, notably apps masquerading as RojaDirecta apps for Android.
Credential Access
4 techniques
It can lay fake bank login screens over real apps, record what the owner types, intercept the one-time codes from text messages and login apps that are meant to keep accounts safe, and control the screen from afar.
Malware has gained more sophisticated capabilities, including full Device Takeover (DTO), credential theft (using overlays and keylogging)
Perseus... even reads note-taking apps for saved passwords and crypto recovery phrases.
It can... intercept the one-time codes from text messages and login apps that are meant to keep accounts safe.
Collection
4 techniques
Notably, Perseus also monitors user notes from various applications, aiming to extract high-value personal or financial information.
It can lay fake bank login screens over real apps, record what the owner types, intercept the one-time codes from text messages and login apps that are meant to keep accounts safe, and control the screen from afar.
Malware has gained more sophisticated capabilities, including full Device Takeover (DTO), credential theft (using overlays and keylogging)
It moves through individual notes, triggers tap actions to open entries, captures the text, then performs a back-navigation action before moving to the next.
Command and Control
1 technique
Exfiltration
1 technique
All captured note data is logged and forwarded to the attacker’s command-and-control server alongside other stolen credentials and device information.
IOCs tracked for this family
4 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Android banking trojan delivered via unofficial streaming apps; uses Android accessibility abuse to overlay fake bank logins, capture keystrokes, intercept one-time codes, remotely control the device, and read note-taking apps for saved passwords and crypto recovery phrases.
Android malware used for device takeover and financial fraud. It is distributed via dropper apps on phishing sites posing as IPTV services, abuses Android accessibility services, performs overlay attacks, captures keystrokes, steals credentials from financial and cryptocurrency apps, and monitors user notes to extract valuable personal or financial information.
Android banking trojan that steals credentials, performs overlay attacks and keylogging, enables remote control and full device takeover, monitors devices in real time, and can silently read data from note-taking applications to capture sensitive information such as passwords and cryptocurrency recovery phrases.
Android malware targeting users in Turkey and Italy to conduct device takeover and financial fraud.