Android Banking Malware Perseus Takes Full Phone Control & Steals Banking Secrets – Millions at Risk

Security researchers at ThreatFabric disclosed a new Android banking malware family called Perseus. The malware is active in the wild. Its goals are device takeover and financial fraud.

Perseus builds on earlier families such as Cerberus and Phoenix, and evolves them with new capabilities. ThreatFabric said the result is a “more flexible and capable platform” for compromising Android devices. The company shared technical details with The Hacker News.

What Perseus does

Perseus abuses Android Accessibility Services, a framework intended for assistive tools that an app can only use after the user grants it access in Settings. Once granted, that access lets the operators read what is on screen, capture it, and inject taps and text into other apps. ThreatFabric said, “Through Accessibility-based remote sessions, the malware enables real-time monitoring and precise interaction with infected devices, allowing full device takeover and targeting various regions, with a strong focus on Turkey and Italy.”

The operators use a dropper app to install the malicious payload. The dropper is distributed from phishing and unofficial app sites that advertise IPTV and sports streaming. ThreatFabric found the campaigns mainly target Turkey, Italy, Poland, Germany, France, the U.A.E., and Portugal.

Why this is notable

Perseus adds a striking new capability. It scans user-curated notes inside popular note apps. ThreatFabric highlighted that the malware looks inside Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, and several Simple Notes variants. As ThreatFabric noted, “Beyond traditional credential theft, Perseus monitors user notes, indicating a focus on extracting high-value personal or financial information.”

Notes can contain recovery phrases, passwords, and other sensitive data. That makes the addition of note-scanning a clear shift toward harvesting contextually valuable material as well as bank credentials.

Technical breakdown

ThreatFabric’s analysis outlines multiple capabilities and evasion checks. Key features include:

  • Overlay attacks and keylogging to steal credentials and intercept input in real time.
  • Accessibility VNC via commands start_vnc and stop_vnc to stream the device screen nearly in real time.
  • HVNC via start_hvnc and stop_hvnc to transmit a structured UI hierarchy for programmatic interaction.
  • Note extraction via a scan_notes command that targets multiple note apps.
  • App control commands such as install_from_unknown, start_app, unblock_app, clear_blocked and action_blackscreen to hide activity.
  • Utility commands like click_coord for taps, nighty to mute audio, and enable_accessibility_screenshot for screenshots.

ThreatFabric listed example artifacts and package names used by the campaign. Those include a dropper labeled Roja App Directa with package com.xcvuc.ocnsxn, and Perseus payloads disguised as TvTApp (com.tvtapps.live) and PolBox Tv (com.streamview.players).
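The capability list and package names above translate directly into a static triage check: a streaming-app lure that declares an Accessibility service alongside overlay and "install packages" permissions has the profile of a banker dropper, whatever it calls itself. The following Python helper is an added example, not ThreatFabric's tooling or Perseus code. The two manifests embedded in it are constructed for this example (a real APK's manifest would be decoded with a tool such as apktool first); only the IoC package names come from the report quoted above, and the verdict thresholds are this example's own choice.

```python
"""Static triage of a decoded AndroidManifest.xml against the Perseus capability
profile described in the article: an Accessibility service (device takeover),
SYSTEM_ALERT_WINDOW (overlay attacks) and REQUEST_INSTALL_PACKAGES (dropper
behaviour). Example code; the manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"
PERMISSION = f"{{{ANDROID_NS}}}permission"

# Package names ThreatFabric published for the campaign (quoted in the article).
PERSEUS_IOC_PACKAGES = {
    "com.xcvuc.ocnsxn",        # dropper labelled "Roja App Directa"
    "com.tvtapps.live",        # payload posing as TvTApp
    "com.streamview.players",  # payload posing as PolBox Tv
}


def capability_profile(manifest_xml: str) -> dict:
    """Return which Perseus-style capabilities a manifest declares."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package")
    requested = {e.get(NAME) for e in root.iter("uses-permission")}
    # An Accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE;
    # the user must still grant it in Settings, which is what the lure pressures for.
    accessibility = any(
        s.get(PERMISSION) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for s in root.iter("service")
    )
    return {
        "package": package,
        "ioc_match": package in PERSEUS_IOC_PACKAGES,
        "accessibility_service": accessibility,
        "overlay": "android.permission.SYSTEM_ALERT_WINDOW" in requested,
        "install_unknown": "android.permission.REQUEST_INSTALL_PACKAGES" in requested,
    }


def verdict(profile: dict) -> str:
    """Map a profile to a triage verdict. Thresholds are this example's assumption."""
    if profile["ioc_match"]:
        return "known-ioc"
    hits = sum(profile[k] for k in ("accessibility_service", "overlay", "install_unknown"))
    if profile["accessibility_service"] and hits >= 2:
        return "suspicious"  # Accessibility plus overlay or installer: the banker profile
    return "review" if hits else "clean"


# Constructed manifest mimicking a streaming-app lure (not a real Perseus sample).
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streamtv">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed manifest of an ordinary app, for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPECT_MANIFEST, BENIGN_MANIFEST):
        profile = capability_profile(manifest)
        print(profile["package"], verdict(profile), profile)
```

The profile alone is a heuristic: legitimate screen readers and automation apps also declare Accessibility services, so a "suspicious" verdict is a reason to pull the APK into dynamic analysis, while a "known-ioc" match is grounds to block outright.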

Perseus performs extensive environment checks before acting. It looks for debuggers and analysis tools such as Frida and Xposed. It checks SIM presence, app count, battery values, Bluetooth, hardware fingerprints, and Google Play Services. The malware combines these signals into a suspicion score. ThreatFabric said that score is sent to the command and control panel to decide whether to proceed with theft.

The researchers also observed signs the threat actors used modern development aids. The Phoenix-derived code includes extensive in-app logging and emoji markers in the source. ThreatFabric said those indicators suggest the operators may have relied on a large language model during development.

Who is affected and the impact

ThreatFabric reported that Perseus targets financial institutions and crypto apps, with a strong focus on Turkey and Italy. The company counted 17 Turkish banks and 15 Italian financial targets in the samples it analyzed, plus multiple crypto services. Operators can use Perseus to authorize fraudulent transactions and to harvest credentials and recovery phrases for account takeover.

Perseus is distributed by lures that fit user expectations. ThreatFabric explained that by embedding the payload in popular IPTV-style apps “the malware effectively reduces user suspicion and increases infection success rates.” That means users who sideload APKs to watch premium content are at heightened risk.

What to do now

Mobile security vendors including ThreatFabric recommend basic hardening steps. Avoid sideloading APKs from unofficial stores, especially IPTV and sports-streaming apps, and install only from Google Play where possible. Keep Play Protect active and run regular scans. Because Perseus depends on the Accessibility grant, review which apps hold Accessibility access under Settings and revoke anything you do not recognize; do the same for the "Install unknown apps" permission. If you suspect compromise, take the device offline, contact your bank from a different device, and get help from a mobile security provider before using banking or crypto apps on it again.
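Checking the Accessibility grant is the one step above that can be done quickly on a suspect device over adb. The setting `enabled_accessibility_services` (read with `adb shell settings get secure enabled_accessibility_services`) holds a colon-separated list of `package/service` entries, and on most phones it should contain nothing beyond a screen reader. The Python helper below is an added example, not ThreatFabric's tooling: the sample setting value is constructed (it reuses the TvTApp package name from the report purely as test data), and the allowlist of expected packages is this example's assumption.

```python
"""Audit the Accessibility services enabled on an Android device. Perseus, like
Cerberus before it, cannot take over a device without this grant, so a suspect
device is triaged by listing who holds it. Example code; the setting value below is
constructed, and would normally come from:
    adb shell settings get secure enabled_accessibility_services"""

# Accessibility services a practitioner would expect on a stock device.
# This allowlist is the example's assumption, not part of ThreatFabric's report.
EXPECTED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",  # TalkBack screen reader
}


def parse_enabled_services(setting_value: str) -> list:
    """Split the colon-separated 'package/service' list stored in the setting.

    `settings get` prints 'null' when the setting was never written, and Android
    abbreviates 'com.foo/com.foo.Svc' as 'com.foo/.Svc'; both are handled here.
    """
    entries = []
    for item in setting_value.strip().split(":"):
        if not item or item == "null":
            continue
        package, _, service = item.partition("/")
        if service.startswith("."):
            service = package + service
        entries.append((package, service))
    return entries


def unexpected_services(setting_value: str, allowlist=EXPECTED_ACCESSIBILITY_PACKAGES) -> list:
    """Return the enabled services whose package is not on the allowlist."""
    return [(pkg, svc) for pkg, svc in parse_enabled_services(setting_value)
            if pkg not in allowlist]


# Constructed sample: TalkBack plus a streaming-app lure holding Accessibility access.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.tvtapps.live/.AccService"
)

if __name__ == "__main__":
    for pkg, svc in unexpected_services(SAMPLE_SETTING):
        print(f"unexpected Accessibility service: {pkg} ({svc})")
```

An unexpected entry is not proof of infection, but an IPTV or streaming app holding Accessibility access is exactly the pattern the campaign relies on, and revoking the grant removes the malware's ability to drive the device while the rest of the investigation proceeds.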

Perseus shows how Android banking malware continues to evolve. It mixes tried and tested techniques with targeted new features. The result is a more adaptable and efficient platform for theft and fraud.
