Skip to main content
The Quantum Dispatch
Back to Home
Cover illustration for Perseus Android Malware Evolves From Cerberus to Steal Financial Data From Notes Apps

Perseus Android Malware Evolves From Cerberus to Steal Financial Data From Notes Apps

Security researchers discover Perseus, a Cerberus descendant that monitors note-taking apps for passwords and financial details, distributed through fake IPTV streaming apps.

Kai Aegis
Kai AegisMar 20, 20265 min read

A New Breed of Android Banking Malware

Cybersecurity researchers at ThreatFabric disclosed a new Android malware family on March 19 called Perseus — a sophisticated evolution of the Cerberus banking trojan lineage that introduces a concerning new capability: monitoring users' private note-taking apps to extract financial data. The discovery highlights how mobile malware continues to evolve beyond traditional credential theft toward more creative and invasive data exfiltration techniques.

Perseus builds on the foundations of Cerberus and Phoenix, two well-known Android banking trojans whose source code leaked publicly in 2020. Since that leak, multiple variants have emerged — Alien, ERMAC, and Phoenix among them — but Perseus represents the most capable evolution yet, combining traditional device takeover capabilities with novel intelligence-gathering techniques.

Why Notes Apps Are the New Target

The shift to monitoring note-taking applications is strategically clever. Security-conscious users have been trained to avoid entering passwords directly into suspicious apps or websites, but many of those same users store passwords, account numbers, PINs, and financial details in their phone's default notes app. Perseus exploits this behavioral gap by using Android's Accessibility Services to monitor note-taking applications in real time, scanning for patterns that match financial data.

Through accessibility-based remote sessions, the malware enables real-time monitoring and precise interaction with infected devices, allowing full device takeover. The malware focuses primarily on Turkey and Italy but has been detected across multiple regions. Beyond credential theft, Perseus can intercept SMS messages for two-factor authentication codes, overlay fake login screens on legitimate banking apps, and capture screen content during sensitive transactions.

How Perseus Spreads

The delivery mechanism is also noteworthy. Attackers disguise Perseus inside apps that appear to offer IPTV services — platforms that stream television content over the internet. These apps are commonly distributed through phishing sites rather than the official Google Play Store, targeting users who download from unofficial sources. The dropper component can bypass Android 13 and later sideloading restrictions, which is the same dropper used to deliver the Klopatra and Medusa malware families.

Defending Against Perseus

The defense strategy is straightforward but requires discipline. Avoid downloading apps from unofficial sources, especially IPTV or streaming apps that promise free content. Review and limit Accessibility Service permissions on your device. Do not store sensitive financial information in plain text within note-taking apps — instead, use a dedicated password manager with encryption. Keep Android devices updated with the latest security patches, and consider using a mobile threat defense solution that can detect accessibility-based attacks.

Sources: The Hacker News (March 19, 2026), BleepingComputer (March 19, 2026), ThreatFabric (March 2026), The Record (March 2026)

More Ai Security Stories

AI Security

Rustinel Is a Fast Open-Source EDR Built in Rust

Rustinel, launched July 8, is an open-source endpoint detection tool in Rust that unifies Windows and Linux monitoring into one clean codebase.

Kai Aegis
Kai AegisJul 11, 20265 min read
AI Security

CVE Lite CLI Scans npm Projects Right in Your Terminal

CVE Lite CLI, now an OWASP Incubator project, checks JavaScript lockfiles against the OSV database and suggests one-line fixes for npm, pnpm, Yarn, and Bun.

Kai Aegis
Kai AegisJul 11, 20264 min read
AI Security

Cloudflare Adds IPsec Downgrade Protection for Post-Quantum Tunnels

Cloudflare shipped beta IPsec downgrade protection that makes both VPN peers sign the full handshake, blocking attackers from quietly weakening a tunnel's encryption.

Kai Aegis
Kai AegisJul 9, 20265 min read