Cybersecurity researchers have disclosed a new Android malware family called Perseus that's being actively distributed in the wild with the aim of conducting device takeover (DTO) and financial fraud.
Perseus is built upon the foundations of Cerberus and Phoenix, while evolving into a "more flexible and capable platform" for compromising Android devices through dropper apps distributed via phishing sites.
"Through Accessibility-based remote sessions, the malware enables real-time monitoring and precise interaction with infected devices, allowing full device takeover and targeting various regions, with a strong focus on Turkey and Italy," ThreatFabric said in a report shared with The Hacker News.
"Beyond traditional credential theft, Perseus monitors user notes, indicating a focus on extracting high-value personal or financial information."
Cerberus was first documented by the Dutch mobile security company in August 2019, highlighting the malware's abuse of Android's accessibility service to grant itself additional permissions, as well as steal sensitive data and credentials by serving fake overlay screens. Following the leak of its source code in 2020, multiple variants have emerged, including Alien, ERMAC, and Phoenix.
Some of the artifacts associated with Perseus are listed below:
- Roja App Directa (com.xcvuc.ocnsxn) - Dropper
- TvTApp (com.tvtapps.live) - Perseus payload
- PolBox Tv (com.streamview.players) - Perseus payload
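For responders checking a device against these indicators, the following is an added triage helper (not ThreatFabric's tooling, and not from the article). It assumes you have captured the output of `adb shell pm list packages -3` and the `enabled_accessibility_services` secure setting; the sample device output and the service class name `AccService` are constructed for illustration.

```python
"""Triage helper for the Perseus package names reported in the article.

Added example, not part of the original report. It matches captured
`pm list packages -3` output against the three indicator package names
and flags any third-party app that holds an enabled accessibility
service, since accessibility abuse is the capability Perseus relies on.
"""
import re

# Package names as reported in the article.
PERSEUS_PACKAGES = {
    "com.xcvuc.ocnsxn": "Roja App Directa (dropper)",
    "com.tvtapps.live": "TvTApp (Perseus payload)",
    "com.streamview.players": "PolBox Tv (Perseus payload)",
}


def parse_pm_list(output: str) -> set[str]:
    """Parse `pm list packages` lines of the form 'package:<name>'."""
    return {m.group(1) for m in re.finditer(r"^package:(\S+)$", output, re.M)}


def parse_accessibility_setting(value: str) -> set[str]:
    """Parse 'enabled_accessibility_services' (colon-separated
    'pkg/ServiceClass' entries) into the set of owning package names."""
    value = value.strip()
    if not value or value == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in value.split(":") if entry}


def triage(pm_output: str, a11y_setting: str) -> dict:
    """Return known indicator hits and third-party apps with accessibility enabled."""
    installed = parse_pm_list(pm_output)
    a11y_pkgs = parse_accessibility_setting(a11y_setting)
    return {
        "known_perseus": sorted(p for p in installed if p in PERSEUS_PACKAGES),
        # Third-party apps with an enabled accessibility service deserve review
        # even when they are not on the indicator list.
        "a11y_third_party": sorted(a11y_pkgs & installed),
    }


# Constructed sample output (not captured from a real device).
SAMPLE_PM = "package:com.whatsapp\npackage:com.tvtapps.live\npackage:com.example.notes\n"
SAMPLE_A11Y = ("com.tvtapps.live/com.tvtapps.live.AccService"
               ":com.android.talkback/.TalkBackService")

if __name__ == "__main__":
    print(triage(SAMPLE_PM, SAMPLE_A11Y))
```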
ThreatFabric's analysis has uncovered that the malware expands on the Phoenix codebase, with the threat actors likely relying on a large language model (LLM) to assist with the development. This is based on indicators such as extensive in-app logging and the presence of emojis in the source code.
As with the recently disclosed Massiv Android malware, Perseus masquerades as IPTV services to target users who are looking to sideload such apps on their devices to watch premium content. Campaigns distributing the malware have primarily targeted Turkey, Italy, Poland, Germany, France, the U.A.E., and Portugal.
"By embedding its payload within this expected context, the Perseus malware effectively reduces user suspicion and increases infection success rates, blending malicious activity with a commonly accepted distribution model for such services," ThreatFabric said.
Once deployed, Perseus functions no differently from other Android banking malware in that it launches overlay attacks and captures keystrokes to intercept user input in real-time and display fake interfaces atop financial apps and cryptocurrency services to steal credentials.
The malware also allows the operator to remotely issue commands via a command-and-control (C2) panel, and to perform and authorize fraudulent transactions. Some of the supported commands are as follows:
- scan_notes, to capture contents from various note-taking apps, such as Google Keep, Xiaomi Notes, Samsung Notes, ColorNote Notepad Notes, Evernote, Simple Notes Pro, Simple Notes, and Microsoft OneNote (for the latter, the malware specifies the wrong package name "com.microsoft.onenote" instead of "com.microsoft.office.onenote").
- start_vnc, to launch a near-real-time visual stream of the victim's screen.
- stop_vnc, to stop the remote session.
- start_hvnc, to transmit a structured representation of the UI hierarchy and allow the threat actor to interact with UI elements programmatically.
- stop_hvnc, to stop the remote session.
- enable_accessibility_screenshot, to enable taking screenshots using the accessibility service.
- disable_accessibility_screenshot, to disable taking screenshots using the accessibility service.
- unblock_app, to remove an application from the blocklist.
- clear_blocked, to clear the entire list of blocked applications.
- action_blackscreen, to display a black screen overlay to hide device activity from the user.
- nighty, to mute audio.
- click_coord, to perform a tap at specific screen coordinates.
- install_from_unknown, to force installation from unknown sources.
- start_app, to launch a specified application.
Perseus performs a wide range of environment checks: it looks for debuggers and analysis tools like Frida and Xposed, verifies whether a SIM card is inserted, checks whether the number of installed apps is unusually low, and validates battery values to make sure it is running on a physical device.
The malware then combines all this information into an overall suspicion score that is sent to the C2 panel, which decides the next course of action and whether the operator should proceed with data theft.
"Perseus highlights the continued evolution of Android malware, demonstrating how modern threats build upon established families like Cerberus and Phoenix while introducing targeted improvements rather than entirely new paradigms," ThreatFabric said.
"Its capabilities, which range from Accessibility-based remote control and overlay attacks to note monitoring, show a clear focus on maximizing both interaction with the device and the value of the data collected. This balance between inherited functionality and selective innovation reflects a broader trend toward efficiency and adaptability in malware development."