New Android Malware ‘Perseus’ Steals Secrets from User Notes
A newly discovered Android malware, dubbed Perseus, has been found to target users’ personal notes in search of sensitive information.
The malware is distributed mainly through unofficial app stores, masquerading as IPTV apps that offer pirated content. The lure works because installing such an app means sideloading an APK from outside the Google Play store, which requires the user to allow installation from unknown sources and dismiss the warnings Android shows along the way; a user who wants free TV is often willing to do exactly that.
Capabilities of Perseus
Perseus can take remote control of an infected device, capture screenshots, and mount overlay attacks. It targets customers of financial institutions in Turkey and Italy, as well as users of cryptocurrency services.
Two versions of Perseus
Researchers at ThreatFabric, a mobile security company, have identified two versions of the malware: one in Turkish and a more refined English version with enhanced debugging capabilities and quality-of-life features.
Targeted Institutions
The malware’s focus on Turkey is evident in its target list: 17 financial institutions in the country, followed by Italy with 15, Poland with 5, Germany with 3, and France with 2. Perseus additionally targets 9 cryptocurrency apps.
Abusing Android Accessibility Services
Once the victim is tricked into enabling the malware’s Accessibility Service, Perseus gives its operators full remote control of the device: they can capture screenshots, simulate taps and other UI interactions, and launch overlay attacks that place a fake login screen on top of a targeted banking or cryptocurrency app.
The malware also has a capability unusual among banking trojans: it searches users’ note-taking apps, including Google Keep, Xiaomi Notes, and Samsung Notes, for sensitive information such as passwords, wallet recovery phrases, and financial details. A recovery phrase copied out of a note is enough to drain a cryptocurrency wallet, which makes these apps a worthwhile target even though they hold no credentials in the conventional sense.
Anti-Analysis and Evasion Checks
Before fully executing on a device, Perseus runs a battery of anti-analysis and evasion checks: root detection, emulator fingerprinting, and inspection of the SIM card details. The results are combined into a suspicion score that is sent to the command-and-control panel.
The operator then decides, based on that score, whether the bot is a real victim worth tasking with data theft or an analyst’s sandbox to be ignored.
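The following is an added illustration of how checks of this kind are typically combined into a score; it is not Perseus’s code and the weights, threshold, property names and sample devices are assumptions made for the example. The inputs mirror values an Android app can read from android.os.Build and TelephonyManager, and the two device profiles are constructed.

```python
"""Illustrative model of anti-analysis checks (root detection, emulator
fingerprinting, SIM details) folded into a single suspicion score.

Added example, not the malware's own logic. Property keys mirror Android
Build.* fields and TelephonyManager values; weights and threshold are assumed.
"""
from typing import Dict, Set

# Substrings that show up in Build fingerprint/model/hardware of common emulators.
EMULATOR_MARKERS = ("generic", "goldfish", "ranchu", "sdk_gphone", "emulator", "vbox")
# Paths where a su binary is commonly found on rooted devices.
SU_PATHS = ("/system/bin/su", "/system/xbin/su", "/sbin/su", "/su/bin/su")
THRESHOLD = 50  # assumed operator-side cutoff; at or above it the bot is not tasked


def score_device(props: Dict[str, object]) -> int:
    """Return a suspicion score; higher means more likely an analysis environment.

    Expected keys:
      fingerprint, model, hardware  strings from android.os.Build
      tags                          Build.TAGS ("release-keys" on production builds)
      sim_operator                  TelephonyManager.getSimOperatorName(), "" if no SIM
      sim_state_ready               bool, True when SIM_STATE_READY
      existing_files                set of filesystem paths found present
    """
    score = 0
    haystack = " ".join(
        str(props.get(k, "")) for k in ("fingerprint", "model", "hardware")
    ).lower()
    if any(marker in haystack for marker in EMULATOR_MARKERS):
        score += 40  # emulator fingerprint
    if "test-keys" in str(props.get("tags", "")):
        score += 15  # build signed with test keys: userdebug/eng image, not retail
    files: Set[str] = props.get("existing_files", set())  # type: ignore[assignment]
    if any(path in files for path in SU_PATHS):
        score += 25  # root detection: su binary present
    if not props.get("sim_state_ready", False) or not props.get("sim_operator"):
        score += 20  # no usable SIM: typical of emulators and lab phones
    return score


def should_proceed(props: Dict[str, object]) -> bool:
    """Operator decision: proceed with the victim only below the threshold."""
    return score_device(props) < THRESHOLD


# Constructed device profiles for the example (not captured from real devices).
ANALYSIS_VM = {
    "fingerprint": "google/sdk_gphone64_x86_64/emu64xa:13/TE1A.220922.012/9302419:userdebug/test-keys",
    "model": "sdk_gphone64_x86_64",
    "hardware": "ranchu",
    "tags": "test-keys",
    "sim_operator": "Android",
    "sim_state_ready": True,
    "existing_files": {"/system/xbin/su"},
}
VICTIM_PHONE = {
    "fingerprint": "samsung/a52sxq/a52sxq:13/TP1A.220624.014/A528BXXU1CWA1:user/release-keys",
    "model": "SM-A528B",
    "hardware": "qcom",
    "tags": "release-keys",
    "sim_operator": "Turkcell",
    "sim_state_ready": True,
    "existing_files": set(),
}

if __name__ == "__main__":
    for name, dev in (("analysis VM", ANALYSIS_VM), ("victim phone", VICTIM_PHONE)):
        print(f"{name}: score={score_device(dev)} proceed={should_proceed(dev)}")
```

The defensive reading of this is that a sandbox which reports a retail fingerprint, release-keys, a populated SIM and no su binary will score like a real handset and receive the full payload; an emulator with default properties will be ignored and yield nothing to analyse.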
Prevention
To reduce the risk of infection, Android users should avoid sideloading apps from outside the Google Play store, be wary of unofficial IPTV apps used as a lure, and treat any request from such an app to enable an Accessibility Service as a red flag: a legitimate IPTV player has no need for it, and it is the permission that gives Perseus its remote-control and overlay capabilities. Leaving Google Play Protect enabled adds a further check on sideloaded APKs.
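For anyone triaging a device, the combination to look for is exactly the one described under the Accessibility Services section above: a sideloaded app that has an Accessibility Service enabled. The script below is an added example, not code from the page or from ThreatFabric; it parses the output of two real adb commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`), and the sample output embedded in it, including the package name com.iptv.freestream, is constructed for the example.

```python
"""Triage helper: flag packages that have an Accessibility Service enabled but
were not installed from a trusted store.

Added example. Parses the output of:
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i
Sample outputs below are constructed; the package names in them are invented.
"""
import re
from typing import Dict, List

# Constructed output of `settings get secure enabled_accessibility_services`:
# colon-separated component names; short form ("pkg/.Svc") is allowed.
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.iptv.freestream/.RemoteService"
)

# Constructed output of `pm list packages -i` (one package per line).
PM_LIST_I = """\
package:com.android.settings  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.iptv.freestream  installer=null
package:com.sec.android.app.notes  installer=null
"""

# Assumptions: only Google Play counts as trusted, and these prefixes are
# treated as preloaded system apps (which also report installer=null).
TRUSTED_INSTALLERS = {"com.android.vending"}
SYSTEM_PREFIXES = ("com.android.", "com.google.android.", "com.sec.android.", "com.samsung.")


def parse_a11y_services(raw: str) -> Dict[str, List[str]]:
    """Map package -> enabled accessibility service classes (full names)."""
    out: Dict[str, List[str]] = {}
    raw = raw.strip()
    if raw in ("", "null"):  # settings prints "null" when nothing is enabled
        return out
    for comp in filter(None, raw.split(":")):
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):
            cls = pkg + cls  # expand short component form
        out.setdefault(pkg, []).append(cls)
    return out


def parse_installers(raw: str) -> Dict[str, str]:
    """Map package -> installer package ("null" when unknown or sideloaded)."""
    pat = re.compile(r"^package:(\S+)\s+installer=(\S+)")
    out: Dict[str, str] = {}
    for line in raw.splitlines():
        m = pat.match(line)
        if m:
            out[m.group(1)] = m.group(2)
    return out


def suspicious_packages(a11y_raw: str, pm_raw: str) -> List[str]:
    """Packages with an enabled accessibility service that are neither from a
    trusted installer nor recognised as preloaded system apps."""
    services = parse_a11y_services(a11y_raw)
    installers = parse_installers(pm_raw)
    flagged = []
    for pkg in services:
        if installers.get(pkg, "null") in TRUSTED_INSTALLERS:
            continue
        if pkg.startswith(SYSTEM_PREFIXES):
            continue
        flagged.append(pkg)
    return sorted(flagged)


if __name__ == "__main__":
    for pkg in suspicious_packages(ENABLED_A11Y, PM_LIST_I):
        print("review:", pkg, parse_a11y_services(ENABLED_A11Y)[pkg])
```

A hit is a lead, not a verdict: some legitimate automation and accessibility tools are sideloaded, and `installer=null` also appears for apps pushed with `adb install`. The value of the check is that it surfaces the one permission a family like Perseus cannot operate without.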
