Perseus Android Malware Steals Secrets from Note-Taking Apps via Fake Streaming APKs
Perseus is a newly reported Android banking trojan distributed through fake IPTV/streaming apps sideloaded from unofficial sources, with observed targeting focused on Turkey and Italy. Researchers said the malware enables broad device compromise, including overlay attacks, credential theft, keylogging, screenshot capture, and near real-time monitoring of user activity. The malware is linked to older Android banking malware lineage, with ThreatFabric reporting that it appears to build on the Phoenix codebase derived from the leaked Cerberus family.
A notable capability is Perseus's deliberate targeting of note-taking applications such as Google Keep, Evernote, and Simple Notes to extract stored content that may include passwords, financial information, and crypto recovery phrases. The campaign exploits users' existing familiarity with sideloading piracy-related streaming apps to lower suspicion, and one lure cited was Roja Directa TV. Researchers also reported that the dropper can bypass Android 13+ sideloading restrictions and resembles infrastructure previously used to deliver other Android malware families, while an English-language variant showed more refined debugging and logging features, suggesting ongoing development and operational maturity.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
ThreatFabric links Perseus to wider targeting and shared criminal infrastructure
ThreatFabric reported that Perseus targets more than 50 institutions across eight countries and nine cryptocurrency platforms, expanding observed activity beyond Turkey and Italy to include Poland, Germany, France, the UAE, and Portugal. The researchers also identified shared infrastructure connections with Medusa and Klopatra, suggesting broader ecosystem ties behind the malware's operations.
Media reports highlight Perseus as a newly observed note-targeting Android trojan
News coverage summarized ThreatFabric's findings and emphasized that Perseus was being actively distributed through fake streaming apps while targeting users in Turkey and Italy. The reporting also noted ThreatFabric's assessment that this was the first time it had seen Android malware specifically check personal notes for sensitive data.
ThreatFabric details Perseus anti-analysis and evasion mechanisms
The researchers said Perseus includes anti-analysis protections such as Frida and Xposed detection, root and emulator checks, and a suspicion-scoring system sent to its command-and-control panel. Operators can use this scoring to decide whether to continue activity on a compromised device.
Researchers document Perseus note-stealing and remote takeover features
ThreatFabric disclosed that Perseus abuses Android Accessibility Services for overlay attacks, keylogging, screenshot capture, and near real-time remote interaction with infected devices. The report highlighted a novel capability: scanning note-taking apps such as Google Keep, Samsung Notes, Evernote, OneNote, and similar apps for passwords, recovery phrases, and financial data.
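Because every capability listed above (overlay, keylogging, screenshot capture, remote interaction) hangs off an enabled Accessibility Service, the quickest device-side triage is to list which packages currently hold that privilege and whether they came from an app store or were sideloaded. The following Python is an added example written for this page; it is not code from ThreatFabric or from any of the sources listed, and it does not detect Perseus specifically. It assumes two outputs captured over ADB, `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries) and `adb shell pm list packages -i` (`package:<name>  installer=<installer>` lines), and the sample outputs embedded below are constructed, not real device data.

```python
"""Triage check: enabled Android accessibility services from sideloaded apps.

Added example (not from the page's sources). Assumes outputs captured with:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Installers treated as trusted app stores (assumption; extend for your fleet).
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Constructed sample: a store-installed screen reader plus a sideloaded
# "IPTV" app that has been granted accessibility access (installer=null).
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.AccessService"
)
SAMPLE_PM_OUTPUT = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.example.bank  installer=com.android.vending
"""

_PM_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: Optional[str]
    reason: str


def parse_enabled_services(raw: str) -> List[Tuple[str, str]]:
    """Split the colon-separated setting into (package, service_class) pairs."""
    entries: List[Tuple[str, str]] = []
    for item in raw.strip().split(":"):
        if "/" not in item:
            continue  # skip empty or malformed entries
        pkg, svc = item.split("/", 1)
        entries.append((pkg, svc))
    return entries


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map package name -> installer package, or None when pm reports 'null'."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        m = _PM_LINE.match(line.strip())
        if not m:
            continue
        pkg, installer = m.group(1), m.group(2)
        installers[pkg] = None if installer == "null" else installer
    return installers


def find_suspicious_services(
    enabled_raw: str, pm_raw: str, trusted: Set[str] = TRUSTED_INSTALLERS
) -> List[Finding]:
    """Flag enabled accessibility services whose package was not store-installed.

    A package missing from the pm listing is treated the same as installer=null.
    """
    installers = parse_installers(pm_raw)
    findings: List[Finding] = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        installer = installers.get(pkg)
        if installer is None:
            reason = "accessibility service enabled for package with no recorded installer (sideloaded)"
        elif installer not in trusted:
            reason = f"accessibility service enabled for package installed by untrusted installer {installer}"
        else:
            continue  # store-installed; not flagged by this heuristic
        findings.append(Finding(pkg, svc, installer, reason))
    return findings


if __name__ == "__main__":
    for f in find_suspicious_services(SAMPLE_ENABLED_SERVICES, SAMPLE_PM_OUTPUT):
        print(f"{f.package} ({f.service}): {f.reason}")
```

Run against the constructed sample, only `com.example.iptvplayer` is reported; the store-installed screen reader is left alone. A hit is a lead for manual review rather than a verdict: legitimate accessibility tools are also sideloaded in some fleets, and a store installer is not proof of benign behaviour, so treat the output as a prioritisation aid alongside the lures and indicators the sources describe.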
Perseus campaigns spread via fake IPTV and streaming apps
Researchers observed Perseus primarily distributed through IPTV-themed applications and droppers from unofficial sources. The campaigns were described as strongly focused on targets in Turkey and Italy, especially banks and cryptocurrency services.
ThreatFabric identifies Perseus Android malware in active campaigns
ThreatFabric reported a new Android malware family named Perseus being actively distributed in the wild. Researchers said it evolved from the leaked Cerberus codebase and appears to build specifically on Phoenix.
Sources
Perseus Android malware evolves from Cerberus and Phoenix for device takeover | brief | SC Media (scworld.com)
Perseus Android Malware Steals User Notes and Enables Full Device Takeover (cybersecuritynews.com)
New ‘Perseus’ Android malware checks user notes for secrets (bleepingcomputer.com)
New Android malware hiding in streaming apps to spy on users’ personal notes | The Record from Recorded Future News (therecord.media)
Perseus: DTO malware that takes notes (threatfabric.com)