Cybersecurity researchers have identified a new Android malware strain called Perseus, which is actively being deployed to perform device takeover (DTO) and financial fraud. The malware is designed to compromise Android devices, steal sensitive information, and enable attackers to control infected systems remotely.
According to ThreatFabric, Perseus builds upon earlier malware families like Cerberus and Phoenix, evolving into a more advanced and flexible platform. It is primarily distributed through dropper applications hosted on phishing websites, often disguised as legitimate services.
Advanced Capabilities and Attack Techniques
Perseus leverages Android Accessibility Services to gain elevated permissions and establish remote sessions. This allows attackers to monitor and interact with infected devices in real time, effectively enabling full device takeover.
A unique aspect of this malware is its ability to monitor note-taking applications, suggesting a strong focus on extracting high-value personal and financial information that users may store in notes.

Distribution Through Fake IPTV Apps
The malware is commonly disguised as IPTV or streaming applications, tricking users into sideloading malicious apps outside official app stores. Some known samples include:
- Roja App Directa – Dropper application
- TvTApp – Malicious payload
- PolBox TV – Malicious payload
These campaigns have targeted users across Turkey, Italy, Poland, Germany, France, the UAE, and Portugal, with a particular concentration in Turkey and Italy.
Data Theft and Fraud Mechanisms
Once installed, Perseus behaves like traditional Android banking malware but with enhanced features:
- Overlay attacks to display fake login screens over banking and crypto apps
- Keystroke logging to capture user input
- Credential harvesting from financial platforms
- Real-time device monitoring and control
The malware can also execute fraudulent transactions directly from the victim’s device using remote commands.

Remote Control and Command Execution
Perseus operators can control infected devices through a command-and-control (C2) panel. Key commands include:
- Capturing data from apps like Google Keep, Samsung Notes, Evernote, and Microsoft OneNote
- Starting live screen streaming sessions
- Simulating user interactions on the device interface
- Taking screenshots via accessibility services
- Launching apps or installing unknown applications
- Displaying a black screen overlay to hide malicious activity
These features allow attackers to perform actions without the victim noticing.
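The capabilities described above (accessibility-service abuse, overlays, installing further packages, screen streaming) all have to be declared in an app's manifest before Android will grant them, which gives a defender a cheap static triage signal for sideloaded APKs. The following is an added example, not code from ThreatFabric or from the malware itself: it scores a decoded AndroidManifest.xml (as apktool emits it) by the combination of declarations the article attributes to Perseus. The weights, the review threshold, the package name and the sample manifest are all assumptions constructed for this example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities the article attributes to Perseus, mapped to the manifest
# declaration a sideloaded app needs to obtain each one. The weights are an
# assumption for this example, not values from the report.
CAPABILITY_SIGNALS = {
    "accessibility_service": 4,  # BIND_ACCESSIBILITY_SERVICE: takeover, keylogging, screenshots
    "overlay": 3,                # SYSTEM_ALERT_WINDOW: fake login screens, black-screen overlay
    "install_packages": 2,       # REQUEST_INSTALL_PACKAGES: dropper installing the payload
    "screen_capture": 2,         # FOREGROUND_SERVICE_MEDIA_PROJECTION: live screen streaming
}

# Constructed sample: a decoded manifest for a hypothetical streaming app.
# The package name is invented for this example.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tv.example.streamapp">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION"/>
    <application android:label="StreamApp">
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a manifest that only asks for network access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="tv.example.plainplayer">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="PlainPlayer"/>
</manifest>
"""


def extract_signals(manifest_xml: str) -> set:
    """Return the capability signals declared in a decoded manifest."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    perm_attr = "{%s}permission" % ANDROID_NS
    perms = {p.get(name_attr) for p in root.iter("uses-permission")}
    signals = set()
    if "android.permission.SYSTEM_ALERT_WINDOW" in perms:
        signals.add("overlay")
    if "android.permission.REQUEST_INSTALL_PACKAGES" in perms:
        signals.add("install_packages")
    if "android.permission.FOREGROUND_SERVICE_MEDIA_PROJECTION" in perms:
        signals.add("screen_capture")
    # An accessibility service is a <service> guarded by the bind permission.
    for svc in root.iter("service"):
        if svc.get(perm_attr) == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            signals.add("accessibility_service")
    return signals


def triage(manifest_xml: str, threshold: int = 6) -> dict:
    """Score the declared capabilities and flag the APK for analyst review.

    The threshold is an assumption: one strong signal alone (e.g. an
    accessibility service in a screen reader) should not trip it, but
    accessibility combined with overlay or package installation should.
    """
    signals = extract_signals(manifest_xml)
    score = sum(CAPABILITY_SIGNALS[s] for s in signals)
    return {"signals": sorted(signals), "score": score, "review": score >= threshold}


if __name__ == "__main__":
    print(triage(SAMPLE_MANIFEST))
    print(triage(BENIGN_MANIFEST))
```

On its own each declaration is legitimate (screen readers need accessibility, chat heads need overlays), which is why the example scores the combination rather than any single permission; a sideloaded "IPTV" app that needs all four is the shape the article describes.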
Anti-Analysis and Evasion Techniques
Perseus incorporates multiple environment checks to avoid analysis tools and sandbox environments:
- Detects debugging tools such as Frida and Xposed
- Checks for SIM card presence
- Evaluates the number of installed apps
- Monitors battery behavior to confirm real device usage
Based on these checks, the malware calculates a suspicion score, which determines whether to proceed with the attack.
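For an analysis team the practical consequence of a scored evasion routine is that a sandbox which fails any of the listed checks never sees the payload run. The following is an added example, not code from the report or from the malware: it takes outputs shaped like those of adb shell commands (getprop gsm.sim.state, pm list packages -3, dumpsys battery, ps -A) for an analysis device and reports which of the article's four checks that environment would fail, so the device can be fixed before detonation. The sample outputs, the minimum app count, the battery heuristic and the instrumentation process names are assumptions constructed for this example; the report gives no thresholds.

```python
import re

# Constructed sample outputs, shaped like what `adb shell` returns on an
# under-prepared emulator; the values are invented for this example.
SAMPLE_SIM_STATE = "ABSENT"                      # getprop gsm.sim.state
SAMPLE_PACKAGES = "\n".join(                      # pm list packages -3
    "package:com.example.app%d" % i for i in range(4)
)
SAMPLE_BATTERY = """Current Battery Service state:
  AC powered: false
  USB powered: true
  status: 2
  level: 100
  scale: 100
"""                                               # dumpsys battery
SAMPLE_PROCESSES = """USER PID PPID NAME
root 1 0 init
root 2314 1 frida-server
u0_a123 4412 1 com.android.chrome
"""                                               # ps -A

# Constructed sample outputs for a device prepared to look like daily use.
REAL_SIM_STATE = "READY"
REAL_PACKAGES = "\n".join("package:com.example.app%d" % i for i in range(14))
REAL_BATTERY = """Current Battery Service state:
  AC powered: false
  USB powered: false
  status: 3
  level: 57
  scale: 100
"""
REAL_PROCESSES = """USER PID PPID NAME
root 1 0 init
u0_a123 4412 1 com.android.chrome
"""

MIN_THIRD_PARTY_APPS = 10                         # assumption, not from the report
INSTRUMENTATION_NAMES = {"frida-server", "frida-agent"}  # assumption


def sim_present(sim_state: str) -> bool:
    return sim_state.strip().upper() == "READY"


def third_party_app_count(pm_output: str) -> int:
    return sum(1 for line in pm_output.splitlines() if line.startswith("package:"))


def battery_looks_real(dumpsys_output: str) -> bool:
    """Reject the classic emulator profile: pinned at 100% and always charging.

    BatteryManager status values: 2 = charging, 3 = discharging, 5 = full.
    """
    fields = dict(re.findall(r"^\s*([A-Za-z ]+):\s*(\S+)$", dumpsys_output, re.M))
    level = int(fields.get("level", 0))
    status = int(fields.get("status", 0))
    return not (level == 100 and status in (2, 5))


def visible_instrumentation(ps_output: str) -> list:
    """Process names in the ps listing that a sample could spot by name."""
    return [tok for line in ps_output.splitlines()
            for tok in line.split() if tok in INSTRUMENTATION_NAMES]


def environment_report(sim_state, pm_output, dumpsys_output, ps_output) -> dict:
    """List which of the article's checks this environment would fail."""
    failures = []
    if not sim_present(sim_state):
        failures.append("no SIM")
    if third_party_app_count(pm_output) < MIN_THIRD_PARTY_APPS:
        failures.append("too few installed apps")
    if not battery_looks_real(dumpsys_output):
        failures.append("battery pinned at 100% while charging")
    if visible_instrumentation(ps_output):
        failures.append("instrumentation process visible")
    return {"failures": failures, "would_detonate": not failures}


if __name__ == "__main__":
    print(environment_report(SAMPLE_SIM_STATE, SAMPLE_PACKAGES, SAMPLE_BATTERY, SAMPLE_PROCESSES))
    print(environment_report(REAL_SIM_STATE, REAL_PACKAGES, REAL_BATTERY, REAL_PROCESSES))
```

Because the malware combines these signals into one score rather than aborting on the first hit, a sandbox that passes most checks but fails one may still be below its threshold; the safe engineering target is to pass all of them, which is what the report function checks.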
Evolution of Android Threats
Researchers note that Perseus reflects a broader trend in malware development, where attackers refine existing codebases instead of building entirely new threats. There are also indications that large language models (LLMs) may have been used to assist development, as suggested by unusual logging patterns and code elements.