Thursday, March 19, 2026

Perseus Android Malware: Why Your Notes App Is Now a Target for Financial Fraud

Key Takeaways
  • Perseus, a new Android banking trojan first disclosed by ThreatFabric on March 19, 2026, is the first documented Android malware to systematically steal data from personal notes apps including Google Keep, Evernote, and Microsoft OneNote.
  • Built on the leaked Cerberus (2019) and Phoenix codebases, Perseus enables full device takeover using Android Accessibility Services and has hit users across 7 countries: Turkey, Italy, Poland, Germany, France, the UAE, and Portugal.
  • The malware spreads through fake IPTV streaming apps distributed via phishing sites — completely bypassing Google Play Protect, which only covers officially installed apps.
  • Security researchers found strong evidence that threat actors used a large language model (LLM) to assist in writing the malware, signaling an escalating arms race between AI-powered attacks and AI-powered defenses.

What Happened

On March 19, 2026, cybersecurity firm ThreatFabric disclosed a new Android banking malware family called Perseus — and it does something no Android malware has done before. On top of the usual banking credential theft, Perseus monitors the personal notes apps on your phone.

ThreatFabric researchers identified Perseus targeting seven note-taking applications: Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes. According to ThreatFabric, this is the first time they have observed Android malware systematically reading on-device personal notes to extract sensitive data — a meaningful escalation in mobile attack tactics.

Perseus is built on the leaked source code of Cerberus, a banking trojan first documented in August 2019, and its descendant Phoenix. When Cerberus's code was leaked in 2020, it spawned at least four major malware lineages: Alien, ERMAC, Phoenix, and now Perseus — nearly seven years of continuous development and reuse from a single compromised codebase.

The malware spreads through fake IPTV streaming apps — including apps named Roja App Directa, TvTApp, and PolBox Tv — distributed through phishing sites aimed at users who sideload apps (install them from outside the official app store) to get premium content. Three confirmed malicious package names are com.xcvuc.ocnsxn, com.tvtapps.live, and com.streamview.players. Active campaigns have targeted users in Turkey, Italy, Poland, Germany, France, the UAE, and Portugal, with Turkey and Italy as the primary focus regions.

Perhaps most striking: ThreatFabric analysts found strong indicators that threat actors used a large language model (LLM) to help write the malware — evidenced by extensive in-app logging and emojis embedded directly in the source code, both hallmarks of LLM-generated code.

Why It Matters for Your Organization's Security

Understanding why Perseus is dangerous starts with what is actually stored in your notes app. Many people treat apps like Evernote, Google Keep, or Microsoft OneNote as a convenient dumping ground for sensitive information: passwords, cryptocurrency wallet seed phrases (the recovery codes that unlock a crypto wallet forever if compromised), two-factor authentication backup codes, banking PINs, and account recovery keys. In security terms, these plaintext notes have quietly become an informal credential store — and Perseus was built to exploit exactly that habit.

ThreatFabric's threat intelligence report states it plainly: "Beyond traditional credential theft, Perseus monitors user notes, indicating a focus on extracting high-value personal or financial information." This is a logical escalation. As banks and apps have hardened their login flows with multi-factor authentication (MFA — requiring a second proof of identity beyond a password), attackers have pivoted to stealing the backup keys that bypass those defenses. Your MFA backup codes stored in a note are worth more to an attacker than your password alone.

Perseus achieves device takeover through Android Accessibility Services — a legitimate feature designed to help users with disabilities interact with their phones. By abusing this permission, the malware can read screen content, simulate taps and swipes, fill out forms, and exfiltrate data in real time, all without alerting the user. ThreatFabric describes it directly: "Through Accessibility-based remote sessions, the malware enables real-time monitoring and precise interaction with infected devices, allowing full device takeover and targeting various regions, with a strong focus on Turkey and Italy."

This technique is notoriously difficult to block without breaking legitimate assistive technology. Google Play Protect provides a layer of defense — but only for apps installed through the official Google Play Store. Perseus spreads exclusively through sideloaded apps, meaning it completely sidesteps Play Protect. This is why cybersecurity best practices consistently treat sideloading as a high-risk behavior, particularly on devices used for banking or work.

For security awareness across organizations, the AI-assisted development angle raises the stakes further. If threat actors are now using LLMs to accelerate malware development — reducing the time and skill needed to build sophisticated tools — defenders must expect faster iteration cycles and more polished attack code. The Cerberus lineage illustrates this perfectly: a codebase first seen in August 2019 is still actively evolving in 2026, with each generation adding new capabilities. Data protection on mobile devices is often an afterthought compared to endpoint security on laptops — yet employees routinely store work credentials and VPN access details in personal notes apps synced across all their devices. A single compromised personal phone can become a pivot point into corporate infrastructure, making this a business risk, not just a personal one.

The AI Angle

The disclosure of Perseus arrives at a pivotal moment for AI in cybersecurity. On the offensive side, threat actors are now demonstrably using LLMs to accelerate malware development, lowering the skill floor for building sophisticated banking trojans. On the defensive side, AI-powered threat intelligence platforms are increasingly critical for detecting these fast-evolving threats before they reach end users.

Tools like ThreatFabric's Mobile Threat Intelligence platform and Zimperium's zIPS — which uses on-device machine learning to detect anomalous app behavior in real time — are designed to catch exactly these novel malware variants, including those built on known codebases that add unexpected new capabilities like notes monitoring. Applying cybersecurity best practices at the mobile layer, not just the network perimeter, is no longer optional for any organization handling financial data.

Security teams should evaluate mobile threat defense (MTD) solutions that flag unusual Accessibility Service usage patterns and monitor for known dropper package signatures. AI-driven detection is one of the few defenses that scales with the pace of LLM-assisted malware development — matching machine-speed threats with machine-speed detection. Incident response playbooks should now explicitly include mobile device compromise scenarios, as the threat surface has clearly expanded beyond traditional endpoints.

What Should You Do? 3 Action Steps

1. Audit and Clear Sensitive Data From Your Notes Apps

Open Google Keep, Evernote, OneNote, Samsung Notes, and any other note-taking apps on all devices you use for banking or work. Remove any passwords, cryptocurrency seed phrases, two-factor authentication backup codes, PINs, or account recovery keys stored in plaintext. Move that information to a dedicated encrypted password manager — tools like Bitwarden, 1Password, or similar provide encrypted vaults purpose-built for credential storage. This single step closes the highest-value data exfiltration opportunity Perseus is designed to exploit and is a cornerstone of sound data protection hygiene.
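The audit in step 1 is easier to do against an export than by scrolling through every note. The script below is an added example (not code from the article or from ThreatFabric) that scans a plain-text notes export for the kinds of secrets the article lists: password lines, PINs, columns of 2FA backup codes, and 12- or 24-word wallet seed phrases. The patterns are heuristics of my own and the `SAMPLE_NOTES` content is constructed for the demonstration.

```python
import re

# CONSTRUCTED sample of a plain-text notes export; every value is invented.
SAMPLE_NOTES = {
    "groceries": "milk eggs bread coffee",
    "bank": "Checking PIN: 4821\nCard expires 09/27",
    "wallet recovery": "abandon ability able about above absent absorb "
                       "abstract absurd abuse access accident",
    "github 2fa": "Backup codes:\n1a2b3-4c5d6\n7e8f9-0a1b2\n3c4d5-6e7f8",
    "wifi": "password: Summer2024!",
}

# Heuristic patterns (assumptions about how people write secrets into notes).
# A hit is a prompt to look at the note by hand, not proof that it holds a secret.
PASSWORD_RE = re.compile(r"\bpass(?:word|phrase|wd)?\b\s*[:=]\s*\S+", re.IGNORECASE)
PIN_RE = re.compile(r"\bPIN\b\s*[:=]?\s*\d{4,8}\b", re.IGNORECASE)
# One-time backup codes usually appear as a column of short alphanumeric groups;
# three or more such lines in one note is treated as a code list.
BACKUP_CODE_RE = re.compile(r"^(?:[A-Za-z0-9]{4,6}-[A-Za-z0-9]{4,6}|\d{8})$", re.MULTILINE)
# A wallet seed phrase is 12 or 24 lowercase dictionary words in a row. Looking for
# 12 consecutive short lowercase words catches both lengths without a word list.
SEED_RE = re.compile(r"\b(?:[a-z]{3,8}\s+){11}[a-z]{3,8}\b")


def scan_note(text):
    """Return the list of secret categories detected in one note's text."""
    findings = []
    if PASSWORD_RE.search(text):
        findings.append("password")
    if PIN_RE.search(text):
        findings.append("pin")
    if len(BACKUP_CODE_RE.findall(text)) >= 3:
        findings.append("backup_codes")
    if SEED_RE.search(text):
        findings.append("seed_phrase")
    return findings


def scan_notes(notes):
    """Map note title -> findings, keeping only notes with at least one hit."""
    report = {}
    for title, text in notes.items():
        findings = scan_note(text)
        if findings:
            report[title] = findings
    return report


if __name__ == "__main__":
    for title, findings in scan_notes(SAMPLE_NOTES).items():
        print(f"{title}: move to a password manager ({', '.join(findings)})")
```

Point it at a text export of each notes app and treat every flagged note as something to move into an encrypted vault and then delete. The seed-phrase check deliberately trades precision for recall: a 12-word lowercase shopping list will trigger it, which is an acceptable cost when the alternative is missing a wallet recovery phrase.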

2. Enforce a No-Sideloading Policy on Work and BYOD Devices

Perseus spreads exclusively through sideloaded apps — apps installed from outside the Google Play Store, such as the fake IPTV apps Roja App Directa, TvTApp, and PolBox Tv. Implement a mobile device management (MDM) policy that blocks or flags sideloading on all work devices. For personal devices used to access work email, VPNs, or corporate systems (BYOD — Bring Your Own Device), include a no-sideloading clause in your acceptable use policy. Google Play Protect does not scan sideloaded APKs (Android application packages), so this policy directly eliminates Perseus's primary infection vector. Security awareness training should reinforce why sideloading pirated or streaming apps is a meaningful organizational risk, not just a personal one.

3. Audit Accessibility Service Permissions and Update Your Incident Response Plan

On any Android device used for work or banking, navigate to Settings > Accessibility and review which apps have been granted Accessibility Service permissions. This is the core mechanism Perseus uses to achieve device takeover. Revoke access for any app that does not have a clear, legitimate reason for needing it. Update your incident response plan to include a mobile device compromise scenario: if a device shows signs of infection (unexplained battery drain, data spikes, unknown apps, or unfamiliar Accessibility permissions), the response steps should include isolating the device, revoking its access to corporate systems, changing all credentials that may have been stored or entered on the device, and contacting your bank to flag potential unauthorized access.

Frequently Asked Questions

How does Perseus Android malware steal data from my notes app without me knowing?

Perseus abuses Android Accessibility Services — a permission originally designed for assistive technology — to silently read the screen content of note-taking apps including Google Keep, Evernote, Samsung Notes, Xiaomi Notes, ColorNote, Microsoft OneNote, and Simple Notes. Once installed through a fake IPTV app, it runs in the background, monitors these apps whenever you open them, and transmits any sensitive content it finds to the attacker's remote server. It is specifically designed to operate silently, which is why threat intelligence from ThreatFabric identifies it as the first Android malware observed systematically targeting personal notes for data extraction. Prevention — not detection after the fact — is the most effective defense.

Which note-taking apps are targeted by the Perseus banking trojan and should I stop using them?

ThreatFabric's research identifies seven targeted apps: Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes. You do not need to stop using these apps — they are legitimate and useful tools. The core problem is storing sensitive data like passwords, seed phrases, or 2FA backup codes in any notes app, regardless of brand. The cybersecurity best practices fix is straightforward: use an encrypted password manager for credentials and sensitive codes, and reserve notes apps for information you would be comfortable leaving on a sticky note on your desk.

How can I tell if my Android phone is already infected with Perseus or a similar banking trojan?

Common warning signs include unusual battery drain, unexplained spikes in mobile data usage, apps you do not recognize appearing on your device, or unfamiliar apps listed under Settings > Accessibility with permissions granted. However, Perseus is engineered to run silently, so symptoms may not be obvious. Install a reputable mobile threat defense app (Zimperium zIPS, Lookout, or similar) that uses behavioral detection rather than signature-only scanning. As part of standard security awareness, regularly audit your installed apps and Accessibility permissions — treat this as a routine hygiene check the same way you would review browser extensions on a laptop. If you suspect infection, treat it as an active incident response situation: isolate the device, revoke its access to accounts, and change credentials from a clean device.
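Action steps 2 and 3 and this FAQ answer describe the same device check: list third-party packages with their installer, list which apps have Accessibility Services enabled, and compare both against what you expect. The following is an added example (not code from the article, from ThreatFabric, or from any MTD vendor) that parses the output of two `adb shell` commands and flags the three dropper package names the article reports, packages not installed from a trusted store, and packages with an enabled accessibility service. The `adb` command lines, the `TRUSTED_INSTALLERS` set, and the sample outputs are my assumptions; the sample data is constructed, including the service class name under `com.tvtapps.live`.

```python
"""Offline audit of two adb outputs. Assumed commands run first (not from the article):
    adb shell pm list packages -3 -i                              > packages.txt
    adb shell settings get secure enabled_accessibility_services  > a11y.txt
"""
import re

# Package names the article reports as confirmed Perseus droppers.
PERSEUS_IOC_PACKAGES = {"com.xcvuc.ocnsxn", "com.tvtapps.live", "com.streamview.players"}

# Installers treated as legitimate (assumption). Add an enterprise or OEM store
# if one is in use; anything else, including "null", counts as sideloaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

# CONSTRUCTED sample of `pm list packages -3 -i` (third-party apps only).
PM_LIST_OUTPUT = """\
package:com.google.android.keep  installer=com.android.vending
package:com.example.passwordmanager  installer=com.android.vending
package:com.tvtapps.live  installer=null
package:com.example.pdfviewer  installer=com.google.android.packageinstaller
package:com.example.screenreader  installer=com.android.vending
"""

# CONSTRUCTED sample of the enabled_accessibility_services setting: a colon-separated
# list of flattened ComponentNames (package/class). The class names are invented.
A11Y_OUTPUT = ("com.example.screenreader/.ReaderService:"
               "com.tvtapps.live/com.tvtapps.live.svc.MainService")

PM_LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(text):
    """Map package name -> installer package (None when pm reports 'null')."""
    result = {}
    for line in text.splitlines():
        m = PM_LINE_RE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def parse_accessibility_services(text):
    """Return the package name owning each enabled accessibility service."""
    text = text.strip()
    if not text or text == "null":          # setting unset: no services enabled
        return []
    return [comp.split("/", 1)[0] for comp in text.split(":") if comp]


def audit_device(pm_text, a11y_text, ioc_packages=PERSEUS_IOC_PACKAGES,
                 trusted=TRUSTED_INSTALLERS):
    """Return {package: {installer, reasons, severity}} for packages needing review."""
    installers = parse_pm_list(pm_text)
    a11y_packages = set(parse_accessibility_services(a11y_text))
    findings = {}
    for pkg, installer in installers.items():
        reasons = []
        if pkg in ioc_packages:
            reasons.append("known_ioc")
        if installer not in trusted:
            reasons.append("untrusted_installer")
        if pkg in a11y_packages:
            reasons.append("accessibility_enabled")
        if reasons:
            # A sideloaded app holding Accessibility is the Perseus takeover pattern.
            high = "known_ioc" in reasons or (
                "accessibility_enabled" in reasons and "untrusted_installer" in reasons)
            findings[pkg] = {"installer": installer, "reasons": reasons,
                             "severity": "high" if high else "review"}
    # Services owned by packages absent from the third-party listing (system apps)
    # are still listed so the reviewer can confirm they are expected.
    for pkg in a11y_packages - installers.keys():
        findings[pkg] = {"installer": None, "reasons": ["accessibility_enabled"],
                         "severity": "review"}
    return findings


if __name__ == "__main__":
    for pkg, info in audit_device(PM_LIST_OUTPUT, A11Y_OUTPUT).items():
        print(f"[{info['severity']}] {pkg}: {', '.join(info['reasons'])}")
```

Two findings deserve different handling: a `known_ioc` hit on a work or banking device should start the incident response steps described above (isolate, revoke access, rotate credentials from a clean device), while a `review` entry is the manual check the article recommends, asking whether that app has a legitimate reason to hold Accessibility access or to have been installed outside the store.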

What should small businesses do right now to protect employees from Android banking malware like Perseus?

Three foundational steps align with current cybersecurity best practices: First, deploy mobile device management (MDM) software — even basic solutions like Microsoft Intune or Jamf — to enforce no-sideloading policies and centrally manage app permissions on work devices. Second, mandate encrypted password managers for all credential storage, explicitly prohibiting the use of notes apps for passwords or sensitive codes. This is a critical data protection measure that also protects against phishing and credential stuffing attacks beyond mobile malware. Third, run regular security awareness training sessions that specifically cover mobile threats, the risks of sideloading apps from unofficial sources, and how to audit Accessibility Service permissions. Employees are both the primary attack target and the first line of defense.

Is my mobile banking app safe to use if my phone might have Perseus malware on it?

No — a device with Perseus installed should not be used for any financial transactions. Perseus conducts full device takeover via Accessibility Services, meaning it can interact with any app on the infected device in real time, including banking and cryptocurrency apps. It can capture screen content, simulate button taps, intercept credentials before transmission, and monitor everything you type. Your immediate incident response if you suspect infection should include: stopping all financial app use on that device, transferring to a clean device, changing all financial account passwords and PINs from that clean device, revoking or rotating any two-factor authentication codes that may have been stored in notes, and contacting your bank directly to flag the potential compromise and request a review of recent transactions. Data protection after a suspected compromise requires treating all credentials entered on that device as potentially stolen.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.
