Perseus Android Malware Targets User Notes for Sensitive Data Theft

Perseus Android Malware Targets User Notes for Sensitive Data Theft

First seen 19 Mar 2026, 11:27 UTC ThreatfabricBleepingcomputerThecyberexpressCybersecuritynewsVoi.Id+3 86% similarity 71.5

Article Content

Browse articles
ThreatCluster

A new Android malware named Perseus has been identified, actively targeting user notes to extract sensitive information such as passwords and financial data. Distributed via unofficial app stores disguised as IPTV applications, Perseus allows complete device takeover, including screenshot capturing and overlay attacks. The malware primarily affects users in Turkey and Italy, with a focus on financial institutions and cryptocurrency services. Researchers from ThreatFabric report that Perseus is built on the Phoenix codebase, which itself is derived from the Cerberus malware. The malware features two versions: one in Turkish and a more refined English variant that includes enhanced debugging capabilities and extensive logging. Notably, Perseus uses Accessibility Services to scan various note-taking applications, marking a significant shift in malware tactics to target personal data. The malware's dropper can bypass Android 13+ sideloading restrictions, indicating a sophisticated attack vector. This campaign reflects a broader trend of malware evolving to exploit user-generated content for data theft.

Key Points: • Perseus malware targets user notes to steal sensitive information. • The malware is distributed via unofficial stores disguised as IPTV apps. • It primarily affects users in Turkey and Italy, focusing on financial institutions.

ThreatCluster AI

Timeline

2026-03-19
Perseus malware identified and reported by ThreatFabric
2026-03-19
Perseus distributed via unofficial app stores as IPTV applications
Date unknown
Perseus identified as building on Phoenix and Cerberus codebases

Community

Browse all →