The Quantum Dispatch

Perseus Android Malware Evolves From Cerberus to Steal Financial Data From Notes Apps

Security researchers discover Perseus, a Cerberus descendant that monitors note-taking apps for passwords and financial details, distributed through fake IPTV streaming apps.

Kai Aegis, Mar 20, 2026, 5 min read

A New Breed of Android Banking Malware

On March 19, cybersecurity researchers at ThreatFabric disclosed a new Android malware family called Perseus — a sophisticated evolution of the Cerberus banking trojan lineage that introduces a concerning new capability: monitoring users' private note-taking apps to extract financial data. The discovery highlights how mobile malware continues to evolve beyond traditional credential theft toward more creative and invasive data exfiltration techniques.

Perseus builds on the foundations of Cerberus and Phoenix, two well-known Android banking trojans whose source code leaked publicly in 2020. Since that leak, multiple variants have emerged — Alien, ERMAC, and Phoenix among them — but Perseus represents the most capable evolution yet, combining traditional device takeover capabilities with novel intelligence-gathering techniques.

Why Notes Apps Are the New Target

The shift to monitoring note-taking applications is strategically clever. Security-conscious users have been trained to avoid entering passwords directly into suspicious apps or websites, but many of those same users store passwords, account numbers, PINs, and financial details in their phone's default notes app. Perseus exploits this behavioral gap by using Android's Accessibility Services to monitor note-taking applications in real time, scanning for patterns that match financial data.

Through accessibility-based remote sessions, the malware enables real-time monitoring and precise interaction with infected devices, allowing full device takeover. The malware focuses primarily on Turkey and Italy but has been detected across multiple regions. Beyond credential theft, Perseus can intercept SMS messages for two-factor authentication codes, overlay fake login screens on legitimate banking apps, and capture screen content during sensitive transactions.

How Perseus Spreads

The delivery mechanism is also noteworthy. Attackers disguise Perseus inside apps that appear to offer IPTV services — platforms that stream television content over the internet. These apps are commonly distributed through phishing sites rather than the official Google Play Store, targeting users who download from unofficial sources. The dropper component, the same one used to deliver the Klopatra and Medusa malware families, can bypass the sideloading restrictions introduced in Android 13 and later.

Defending Against Perseus

The defense strategy is straightforward but requires discipline. Avoid downloading apps from unofficial sources, especially IPTV or streaming apps that promise free content. Review and limit Accessibility Service permissions on your device. Do not store sensitive financial information in plain text within note-taking apps — instead, use a dedicated password manager with encryption. Keep Android devices updated with the latest security patches, and consider using a mobile threat defense solution that can detect accessibility-based attacks.
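Reviewing which apps hold the Accessibility Service permission is the one defensive step above that can be automated across a fleet of devices. The script below is an added example written for this article; it is not code from ThreatFabric or from any of the cited sources. It parses the Android secure setting `enabled_accessibility_services` (which `adb shell settings get secure enabled_accessibility_services` returns as colon-separated `package/service` entries, or the string `null` when nothing is enabled) and flags every entry whose package is not on an allowlist. The allowlist contents and the sample setting value, including the `com.example.iptv.player` package standing in for an untrusted sideloaded app, are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the article or ThreatFabric): audit the Android
# secure setting that lists enabled accessibility services and report any
# that belong to packages outside an allowlist.
#
# On a real device the value comes from:
#   adb shell settings get secure enabled_accessibility_services
# The setting is a colon-separated list of "package/service" entries, or
# the literal string "null" when no accessibility service is enabled.

# Assumed allowlist: packages you expect to legitimately hold the permission
# (TalkBack here; extend with your organisation's approved apps).
ALLOWLIST="com.google.android.marvin.talkback com.android.talkback"

# Constructed sample of the setting value. The second entry uses a made-up
# package name standing in for a sideloaded IPTV app that enabled itself
# as an accessibility service.
SAMPLE_SETTING="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.iptv.player/com.example.iptv.player.AccessService"

# Print one enabled "package/service" entry per line; "null" or an empty
# value yields no output.
split_services() {
    if [ -z "$1" ] || [ "$1" = "null" ]; then
        return 0
    fi
    printf '%s\n' "$1" | tr ':' '\n' | sed '/^$/d'
}

# Print every enabled entry whose package is not on the allowlist.
flag_unexpected_services() {
    split_services "$1" | while IFS= read -r entry; do
        pkg=${entry%%/*}        # strip "/ServiceClass" to get the package name
        allowed=0
        for a in $ALLOWLIST; do
            if [ "$pkg" = "$a" ]; then
                allowed=1
            fi
        done
        if [ "$allowed" -eq 0 ]; then
            printf '%s\n' "$entry"
        fi
    done
    return 0
}

# Number of unexpected entries; 0 means the device matches the allowlist.
count_unexpected() {
    flag_unexpected_services "$1" | wc -l | tr -d ' '
}

# Stand-alone demo against the constructed sample. On a device, replace
# SAMPLE_SETTING with:
#   setting=$(adb shell settings get secure enabled_accessibility_services)
if [ "${1:-}" = "--demo" ]; then
    flag_unexpected_services "$SAMPLE_SETTING"
fi
```

Run with `--demo` to see the flagged entry; in a fleet audit, a non-zero count from `count_unexpected` is the signal to inspect the package (source, install time, requested permissions) rather than proof of infection, since legitimate apps also use this API.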

Sources: The Hacker News (March 19, 2026), BleepingComputer (March 19, 2026), ThreatFabric (March 2026), The Record (March 2026)