
Cybersecurity researchers have uncovered a new Android malware family called Perseus that is actively distributed for device takeover (DTO) and financial fraud.
Perseus builds on the foundations of Cerberus and Phoenix while evolving into a “more flexible and capable platform” for compromising Android devices through dropper apps distributed via phishing sites.
“Through accessibility-based remote sessions, this malware enables real-time monitoring and precise interaction with infected devices, allowing for entire device hijacking and targeting various regions with a focus on Turkey and Italy,” ThreatFabric said in a report shared with The Hacker News.
“Beyond traditional credential theft, we see Perseus monitoring users’ notes and focusing on extracting high-value personal and financial information.”
Cerberus was first documented by ThreatFabric, a Dutch mobile security company, in August 2019. That report highlighted how the malware abuses Android's accessibility services to grant itself additional privileges and to display fake overlay screens that steal sensitive data and credentials. After its source code was leaked in 2020, multiple variants emerged, including Alien, ERMAC, and Phoenix.
Some of the artifacts distributed in the Perseus campaign are listed below:
- Roja App Directa (com.xcvuc.ocnsxn) – Dropper
- TvTApp (com.tvtapps.live) – Perseus payload
- PolBox Tv (com.streamview.players) – Perseus payload
ThreatFabric's analysis found that the malware extends the Phoenix codebase and that the attackers likely relied on large language models (LLMs) to aid development. This assessment is based on indicators such as extensive in-app logging and the presence of emojis in the source code.

Similar to the recently reported Massiv Android malware, Perseus disguises itself as an IPTV service and targets users looking to sideload such apps onto their devices in order to watch premium content. The distribution campaign primarily targets Turkey, Italy, Poland, Germany, France, the UAE, and Portugal.
“By embedding its payload within this expected context, the Perseus malware effectively reduces user suspicion, increases infection success rates, and blends its malicious activity with the commonly accepted distribution model for such services,” ThreatFabric said.
Once deployed, Perseus functions no differently from other Android banking malware: it launches overlay attacks, captures keystrokes, intercepts user input in real time, and displays fake interfaces on top of financial apps and cryptocurrency services to steal credentials.

The malware also allows operators to remotely issue commands through a command-and-control (C2) panel to execute and authorize fraudulent transactions. Some of the supported commands are:
- scan_notes: captures content from note-taking apps such as Google Keep, Xiaomi Notes, Samsung Notes, ColorNote Notepad Notes, Evernote, Simple Notes Pro, Simple Notes, and Microsoft OneNote (the malware specifies the incorrect package name "com.microsoft.onenote" instead of "com.microsoft.office.onenote", so that lookup would not match the real OneNote app).
- start_vnc: launches a near real-time visual stream of the victim's screen.
- stop_vnc: stops the VNC session.
- start_hvnc: sends a structured representation of the UI hierarchy and lets the operator programmatically interact with UI elements.
- stop_hvnc: stops the HVNC session.
- enable_accessibility_screenshot: enables taking screenshots via accessibility services.
- disable_accessibility_screenshot: disables taking screenshots via accessibility services.
- unblock_app: removes an application from the block list.
- clear_blocked: clears the entire list of blocked applications.
- action_blackscreen: displays a black screen overlay to hide device activity from the user.
- nighty: mutes the audio.
- click_coord: performs a tap at specific screen coordinates.
- install_from_unknown: forces installation from unknown sources.
- start_app: starts the specified application.
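The capability set described above (accessibility-based remote control, overlays, and forced installs from unknown sources) leaves traces in an app's manifest. The following is an added triage script, not ThreatFabric's or the malware's code: it parses a decoded AndroidManifest.xml and flags the permissions and service declarations those capabilities normally require. The manifest and package name are constructed for illustration; the permission names are real Android identifiers, but which of them a given Perseus build actually requests is an assumption based on the behaviour the report describes, not on the sample itself.

```python
"""Static manifest triage for accessibility-abusing Android bankers (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = "{%s}" % ANDROID_NS  # prefix for android:-namespaced attributes

# Capability -> (where to look, identifier). Mapping is an assumption based on
# the behaviour described in the report, not on the Perseus sample itself.
INDICATORS = {
    "accessibility_remote_control": ("service_permission", "android.permission.BIND_ACCESSIBILITY_SERVICE"),
    "overlay_attacks": ("uses_permission", "android.permission.SYSTEM_ALERT_WINDOW"),
    "install_from_unknown": ("uses_permission", "android.permission.REQUEST_INSTALL_PACKAGES"),
    "notification_access": ("service_permission", "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE"),
    "package_enumeration": ("uses_permission", "android.permission.QUERY_ALL_PACKAGES"),
}

# Constructed manifest; the package name is hypothetical.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iptv.player">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="TV Player">
        <service android:name=".A11y"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""


def triage_manifest(xml_text: str) -> dict:
    """Return the package name, which indicators were found, and a simple hit count."""
    root = ET.fromstring(xml_text)
    uses = {e.get(A + "name") for e in root.iter("uses-permission")}
    svc_perms = {e.get(A + "permission") for e in root.iter("service")}
    found = {}
    for cap, (kind, name) in INDICATORS.items():
        pool = uses if kind == "uses_permission" else svc_perms
        found[cap] = name in pool
    return {"package": root.get("package"), "capabilities": found,
            "score": sum(found.values())}


def verdict(result: dict) -> str:
    """An accessibility service plus overlay or install capability is the banker pattern."""
    caps = result["capabilities"]
    if caps["accessibility_remote_control"] and (caps["overlay_attacks"] or caps["install_from_unknown"]):
        return "review"
    return "low"


if __name__ == "__main__":
    r = triage_manifest(SAMPLE_MANIFEST)
    print(r["package"], r["score"], verdict(r))
    for cap, hit in r["capabilities"].items():
        print(f"  {cap}: {'HIT' if hit else '-'}")
```

To run this on a real APK, first decode the binary manifest (for example with apktool's `d` command, which writes a text AndroidManifest.xml) and pass that file's contents to `triage_manifest`. Legitimate apps also declare accessibility services, so the result is a triage signal, not a verdict on its own.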
Perseus performs a wide range of environment checks to detect debuggers and analysis tools such as Frida and Xposed. It also checks whether a SIM card is inserted, whether the number of installed apps is unusually low, and whether the battery values are plausible, in order to verify that it is running on a real device rather than an emulator or analysis sandbox.
The malware combines these signals into an overall suspicion score and sends it to the C2 panel, where the operator decides on the next course of action, including whether to proceed with data theft.
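Before detonating a sample like this, an analyst wants to know which of those checks their device would trip. The script below is an added example, not the malware's own logic: it parses constructed outputs of common `adb shell` commands (`ps -A`, `pm list packages -3`, `dumpsys battery`, `getprop`) and reports which of the report's evasion checks would fire. The thresholds, weights, and tool-name list are assumptions, since the report does not give Perseus's exact values.

```python
"""Pre-flight check of an analysis device against the evasion heuristics above (added example)."""
import re

ANALYSIS_TOOL_NAMES = ("frida", "xposed", "lsposed", "gdbserver")  # process-name substrings; assumption
MIN_THIRD_PARTY_APPS = 10     # assumption: the report gives no threshold
WEIGHTS = {"analysis_tool_process": 3, "no_sim": 2,
           "few_third_party_apps": 1, "implausible_battery": 1}  # assumption
SANDBOX_THRESHOLD = 3         # assumption

# Constructed outputs from an emulator running frida-server (not real captures).
PS_OUT = """USER   PID  PPID  NAME
root     1     0  init
root  4211     1  frida-server
u0_a12 5120    1  com.android.chrome
"""
PM_OUT = "\n".join(f"package:com.example.app{i}" for i in range(3))
BATTERY_OUT = """Current Battery Service state:
  AC powered: true
  level: 100
  scale: 100
  temperature: 0
"""
GETPROP_OUT = """[gsm.sim.state]: [ABSENT]
[ro.product.model]: [sdk_gphone64_x86_64]
"""


def evasion_findings(ps_out, pm_out, battery_out, getprop_out):
    """Which of the report's environment checks would fire on this device."""
    # last column of `ps -A` is the process name; skip the header line
    procs = [ln.split()[-1].lower() for ln in ps_out.splitlines()[1:] if ln.strip()]
    tool_seen = any(t in p for p in procs for t in ANALYSIS_TOOL_NAMES)
    app_count = len(re.findall(r"^package:", pm_out, re.M))
    level = int(re.search(r"level:\s*(\d+)", battery_out).group(1))
    temp = int(re.search(r"temperature:\s*(-?\d+)", battery_out).group(1))
    # gsm.sim.state is comma-separated on multi-SIM devices; READY means a usable SIM
    m = re.search(r"\[gsm\.sim\.state\]:\s*\[([^\]]*)\]", getprop_out)
    sim_states = m.group(1).split(",") if m else []
    return {
        "analysis_tool_process": tool_seen,
        "few_third_party_apps": app_count < MIN_THIRD_PARTY_APPS,
        "implausible_battery": level == 100 and temp == 0,  # assumed "emulator-like" values
        "no_sim": "READY" not in sim_states,
    }


def suspicion_score(findings):
    """Weighted sum of the fired checks, mirroring the single score the report describes."""
    return sum(WEIGHTS[k] for k, hit in findings.items() if hit)


def looks_like_sandbox(findings):
    return suspicion_score(findings) >= SANDBOX_THRESHOLD


if __name__ == "__main__":
    f = evasion_findings(PS_OUT, PM_OUT, BATTERY_OUT, GETPROP_OUT)
    for name, hit in f.items():
        print(f"{name}: {'FIRES' if hit else 'ok'}")
    print("score:", suspicion_score(f), "sandbox:", looks_like_sandbox(f))
```

The point of the exercise is that a single fired check (say, frida-server running) is enough for the operator to abort, so an analysis image should clear all of them: a SIM (or a realistic gsm.sim.state), a populated app list, non-default battery telemetry, and instrumentation that does not show up under a recognisable process name.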
“Perseus highlights the continued evolution of Android malware, showing how modern threats are building on established families like Cerberus and Phoenix while introducing targeted improvements rather than completely new paradigms,” ThreatFabric said.
“While its capabilities range from accessibility-based remote control and overlay attacks to note monitoring, it is clearly focused on maximizing both the interaction with the device and the value of the data collected. This balance between inherited functionality and selective innovation reflects a broader trend toward efficiency and adaptability in malware development.”
