Cybersecurity researchers have found a new family of Android malware called Perseus that is being spread in the wild with the goal of device takeover (DTO) and financial fraud. Perseus is based on Cerberus and Phoenix, but it has evolved into a "more flexible and capable platform" for compromising Android devices through dropper apps that are distributed via phishing sites. "Perseus not only steals traditional credentials, but also keeps an eye on user notes, which shows that they are interested in getting high-value personal or financial information." ThreatFabric, the Dutch mobile security company, first reported on Cerberus in August 2019.
They talked about how the malware took advantage of Android's accessibility service to get extra permissions and steal sensitive data and credentials by showing fake overlay screens.
After its source code was leaked in 2020, many variants have appeared, including Alien, ERMAC, and Phoenix. Some of the artifacts linked to Perseus:
- Roja App Directa (com.xcvuc.ocnsxn) - Dropper
- TVTApp (com.tvtapps.live) - Perseus payload
- PolBox Tv (com.streamview.players) - Perseus payload
ThreatFabric's research has shown that the malware builds on the Phoenix codebase. The people behind the attack probably used a large language model (LLM) to help build it.
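As an added defender-side example (not ThreatFabric's code and not anything from the report), the Python script below takes the text output of `adb shell pm list packages` and of `adb shell settings get secure enabled_accessibility_services` (both real commands, captured separately and passed in as strings) and flags the three package names listed above, plus any enabled accessibility service whose package is not on an assumed allowlist, since the Cerberus lineage relies on the accessibility service for its extra permissions. The sample outputs are constructed, the allowlist is an assumption, and the accessibility service class name attached to the Perseus package is a placeholder.

```python
"""
Triage helper: match installed packages and enabled accessibility services
against the Perseus indicators listed in the article.

Added example, not ThreatFabric's tooling. The two inputs are the text of
`adb shell pm list packages` and `adb shell settings get secure
enabled_accessibility_services`; the sample strings below are constructed.
"""

# Package names reported in the article (dropper and Perseus payloads).
PERSEUS_IOCS = {
    "com.xcvuc.ocnsxn": "Roja App Directa (dropper)",
    "com.tvtapps.live": "TVTApp (Perseus payload)",
    "com.streamview.players": "PolBox Tv (Perseus payload)",
}

# Accessibility services an organisation has vetted (assumed allowlist).
KNOWN_GOOD_ACCESSIBILITY = {
    "com.google.android.marvin.talkback",
}

# Constructed sample of `pm list packages` output.
SAMPLE_PM_OUTPUT = """package:com.android.settings
package:com.google.android.marvin.talkback
package:com.streamview.players
"""

# Constructed sample of the enabled_accessibility_services setting. The
# service class for com.streamview.players is a placeholder, not a real IoC.
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.streamview.players/.PlaceholderAccessibilityService"
)


def parse_pm_list(text):
    """Parse `pm list packages` output ("package:<name>" per line) into a set."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_accessibility_services(value):
    """Parse the enabled_accessibility_services value.

    The value is a colon-separated list of 'package/ServiceClass' entries;
    'null' or an empty string means nothing is enabled. Returns the set of
    packages that own an enabled service.
    """
    value = (value or "").strip()
    if not value or value == "null":
        return set()
    owners = set()
    for entry in value.split(":"):
        pkg = entry.split("/", 1)[0].strip()
        if pkg:
            owners.add(pkg)
    return owners


def triage(pm_output, accessibility_value, allowlist=KNOWN_GOOD_ACCESSIBILITY):
    """Return a sorted list of (severity, package, reason) findings."""
    installed = parse_pm_list(pm_output)
    a11y_owners = parse_accessibility_services(accessibility_value)
    findings = []
    # Known Perseus packages present on the device.
    for pkg in sorted(installed & set(PERSEUS_IOCS)):
        findings.append(("high", pkg, "matches Perseus indicator: " + PERSEUS_IOCS[pkg]))
    # Accessibility services granted to anything outside the allowlist.
    for pkg in sorted(a11y_owners - allowlist):
        if pkg in PERSEUS_IOCS:
            findings.append(("high", pkg, "Perseus package holds an enabled accessibility service"))
        else:
            findings.append(("medium", pkg, "accessibility service enabled for non-allowlisted package"))
    return findings


if __name__ == "__main__":
    for severity, pkg, reason in triage(SAMPLE_PM_OUTPUT, SAMPLE_A11Y_SETTING):
        print(f"[{severity}] {pkg}: {reason}")
```

On a real device the two strings come from `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services`; the medium-severity finding is deliberately noisy, because a legitimate but unvetted accessibility app looks the same from this setting alone and needs a human to extend the allowlist.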
The malware then combines all of this information into an overall suspicion score. That score is sent to the C2 panel, which decides the next step and whether the operator should continue stealing data.
"Perseus shows how Android malware is still changing. It shows how new threats build on old families like Cerberus and Phoenix while making targeted improvements instead of completely new ones," ThreatFabric said. Its features, including note monitoring, accessibility-based remote control, and overlay attacks, show a clear focus on extracting the most value from both the device and the data it collects.
This balance between using old features and adding new ones is part of a larger trend in malware development toward making it more efficient and flexible.