Cybersecurity researchers have identified a sophisticated new Android malware family, dubbed Perseus, which is actively being distributed to execute device takeover (DTO) and financial fraud. This malware represents a significant evolution, built upon the codebases of the notorious Cerberus and Phoenix banking trojans. It has matured into a "more flexible and capable platform" for compromising devices, and is primarily spread through dropper applications hosted on phishing websites. The malware's operators leverage remote sessions via Android's Accessibility services to monitor and interact with infected devices in real time, giving them complete control. Its campaigns have shown a particular geographical focus, heavily targeting users in Turkey and Italy, with additional victims in Poland, Germany, France, the United Arab Emirates, and Portugal.
Perseus distinguishes itself by expanding its data theft capabilities beyond traditional banking credentials. While it retains the core functionality of stealing login details through overlay attacks, a novel and concerning feature is its active monitoring of note-taking applications. This indicates a strategic shift by threat actors to capture high-value personal or financial information that users may casually jot down, such as PINs, security answers, or cryptocurrency wallet phrases. Analysis of the malware's infrastructure and codebase suggests it is a direct descendant of the Phoenix malware, with evidence pointing to the possible use of large language models (LLMs) by its developers to assist in coding, as indicated by extensive in-app logging and the unusual presence of emojis within the source code.
The distribution method for Perseus capitalizes on popular demand for illicit streaming content. Similar to other recent threats like the Massiv malware, Perseus masquerades as a legitimate IPTV (Internet Protocol Television) application. It targets users seeking to sideload apps to access premium TV channels and movies without subscriptions. By embedding its malicious payload within this desirable and expected software package, the dropper successfully bypasses initial user suspicion. Once installed, the malware abuses Accessibility permissions to stealthily install the full banking trojan payload, granting attackers remote control over the device.
The lineage of Perseus traces back to the Cerberus banking trojan, first documented in 2019 for its abuse of Android's Accessibility service to hijack devices and steal data. Following the public leak of Cerberus's source code in 2020, a proliferation of variants emerged, including Alien, ERMAC, and Phoenix. Perseus is the latest and most advanced iteration in this family, showcasing how cybercriminals continuously refine and hybridize malicious code. Its emergence underscores the persistent threat of mobile banking malware and the need for users to exercise extreme caution, avoiding downloads from unofficial sources and scrutinizing app permissions, especially those requesting Accessibility access.
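The defensive advice above, scrutinizing app permissions and in particular Accessibility access, can be turned into a repeatable triage check. The following is an added example, not code from the original article or from the researchers who analysed Perseus: it parses a decoded AndroidManifest.xml (the text form that a tool such as apktool produces from an APK) and flags the capability combination the article describes for this family, namely an Accessibility service for remote control, the SYSTEM_ALERT_WINDOW overlay permission used for credential theft, and REQUEST_INSTALL_PACKAGES, which a dropper needs to side-load its payload. The sample manifests, the package names and the indicator weights are constructed for this example; no real app is referenced.

```python
import xml.etree.ElementTree as ET

# Android XML namespace used for android:name / android:permission attributes.
ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERMISSION_ATTR = f"{{{ANDROID_NS}}}permission"

# Indicators modelled on the behaviours described in the write-up.
# The weights are an assumption made for this example, not a published scheme.
INDICATORS = {
    "accessibility_service": ("AccessibilityService declared (remote control / DTO)", 4),
    "overlay": ("SYSTEM_ALERT_WINDOW requested (overlay credential theft)", 3),
    "install_packages": ("REQUEST_INSTALL_PACKAGES requested (dropper side-loading)", 3),
    "notification_listener": ("NotificationListenerService declared (can read OTP notifications)", 2),
}


def analyze_manifest(manifest_xml: str) -> dict:
    """Return the risk indicators found in a decoded AndroidManifest.xml string."""
    root = ET.fromstring(manifest_xml)
    # <uses-permission android:name="..."/> elements requested by the app.
    permissions = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    # Services that bind with a system permission, e.g. an AccessibilityService
    # must be protected by BIND_ACCESSIBILITY_SERVICE to be usable at all.
    bound_services = {el.get(PERMISSION_ATTR) for el in root.iter("service")}

    found = []
    if "android.permission.BIND_ACCESSIBILITY_SERVICE" in bound_services:
        found.append("accessibility_service")
    if "android.permission.SYSTEM_ALERT_WINDOW" in permissions:
        found.append("overlay")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in permissions:
        found.append("install_packages")
    if "android.permission.BIND_NOTIFICATION_LISTENER_SERVICE" in bound_services:
        found.append("notification_listener")

    score = sum(INDICATORS[key][1] for key in found)
    if score >= 7:
        verdict = "high"
    elif score >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "indicators": [INDICATORS[key][0] for key in found],
        "score": score,
        "verdict": verdict,
    }


# Constructed manifest of a hypothetical "IPTV" dropper: a video player has no
# business declaring an Accessibility service or installing other packages.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.iptvplus">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application android:label="IPTV Plus">
        <activity android:name=".PlayerActivity"/>
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed manifest of a benign media player for comparison.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.mediaplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Media Player">
        <activity android:name=".MainActivity"/>
    </application>
</manifest>
"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        report = analyze_manifest(manifest)
        print(f"{report['package']}: {report['verdict']} (score {report['score']})")
        for line in report["indicators"]:
            print("  -", line)
```

The result is a triage signal, not a verdict: screen readers, password managers and device-management apps legitimately declare Accessibility services, so a "high" score should route an APK to manual review or sandbox analysis rather than an automatic block. The useful point is the combination: a streaming app that wants an Accessibility service, overlay drawing and the ability to install packages matches the dropper pattern the article describes far more closely than any single permission does.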