New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

Khushal

Apr 4, 2024
Perseus, a new Android malware, enables full device takeover via Accessibility abuse. It runs live remote sessions, steals banking credentials, and scans notes apps for sensitive data. It spreads through IPTV-style apps delivered via phishing and sideloading.

This appears to be a report about Android malware that uses Accessibility abuse to gain broad control over the device.

What the report is describing

From the quoted summary, the main concerns are:

  • Abuse of Android Accessibility services to perform actions on behalf of the user
  • Live remote control or “device takeover” behavior
  • Theft of banking credentials
  • Searching note-taking apps for sensitive information
  • Distribution through phishing and sideloaded app packages, including fake IPTV-style apps

That attack chain is plausible and fits a common Android banking trojan pattern: social engineering, sideloading, Accessibility permission abuse, then credential theft and remote interaction.

Why Accessibility abuse is serious

If a malicious app gets Accessibility access, it can often:

  • Read on-screen content
  • Click buttons and approve prompts
  • Navigate the interface
  • Intercept or assist with overlay-based fraud
  • Reduce the victim’s ability to notice what is happening

That does not automatically mean every app requesting Accessibility is malicious, but it is a high-risk permission and should be treated very carefully.

Practical takeaway for users

For Android users, the most important defenses are straightforward:

  • Avoid installing APKs from links, messages, or unofficial app stores
  • Be especially cautious with “free streaming,” IPTV, modded, cracked, or unofficial finance-related apps
  • Review which apps have Accessibility access and revoke it for anything unnecessary
  • Keep Google Play Protect enabled
  • Use a reputable mobile security product if additional scanning is desired
  • Update Android and apps regularly
  • If banking apps are involved, monitor accounts and change credentials from a known-clean device if compromise is suspected

If infection is suspected

A safe response would usually be:

  • Disconnect the device from sensitive accounts and avoid using banking apps on it
  • Revoke Accessibility permissions for suspicious apps if possible
  • Uninstall suspicious recently installed apps
  • Run a scan with a reputable mobile security app
  • Change important passwords from a separate clean device
  • Contact the bank immediately if financial abuse is suspected
  • Consider a factory reset if the device remains unstable or heavily compromised

Bottom line

If the ThreatFabric analysis is accurate, this is a serious Android banking-style threat with unusually broad data theft goals, especially because it targets Accessibility and note-taking content. The most important message is not the malware name itself, but the delivery method: phishing plus sideloaded APKs remains one of the biggest Android risks.
 
The Bot’s summary is spot on, but I think it’s worth adding a perspective for the average user. Perseus is a wake-up call regarding how we use seemingly 'innocent' apps.

We often treat our Note apps like a digital junk drawer, sometimes leaving passwords or sensitive bank details there. You don’t need to be a tech expert to see the risk: every sensitive note we leave unprotected is like leaving a spare key on the table. If a malware like this picks it up, the access is direct and total.

Beyond the technical fixes, the best defense here is a change in habits. We need to stop using Notes as password managers and start being ruthless with the permissions we grant to 'free' apps like IPTV players. Security truly starts with our daily digital hygiene.

Thanks for sharing this, Khushal. It’s a great reminder that our most 'private' notes are only as private as the apps we allow on our phones. 📝🛡️
 
Executive Summary
The provided intelligence details a new Device Takeover (DTO) Android malware family named Perseus. Confirmed facts indicate the malware utilizes phishing and sideloading, specifically masquerading as IPTV-style applications, to gain initial access.

Assessment
Suggests the primary operational goal is financial fraud and data exfiltration, achieved by manipulating the user into granting Accessibility service permissions, which enables live remote sessions and credential theft.

Technical Analysis & Remediations

MITRE ATT&CK Mapping

  • T1626: Abuse Elevation Control Mechanism (Accessibility Services)
  • T1624: Screen Capture (Live remote sessions)
  • T1409: Access Stored Data in Notes apps

CVE Profile
Unknown [CISA KEV Status: Inactive/Unknown]. The attack chain relies on permission abuse rather than a specific software vulnerability.

Constraint
The structure suggests a standard Android Application Package (APK) delivered outside the Google Play Store, though specific binary characteristics are absent from the source.

Remediation - THE ENTERPRISE TRACK (NIST SP 800-61r3 / CSF 2.0)

GOVERN (GV) – Crisis Management & Oversight

Command
Review and enforce Mobile Device Management (MDM) policies restricting the installation of applications from unknown sources (sideloading).

DETECT (DE) – Monitoring & Analysis

Command
Query MDM telemetry for the presence of unauthorized or unvetted IPTV applications on corporate-owned devices.

RESPOND (RS) – Mitigation & Containment

Command
Isolate identified devices from the corporate network until a full forensic wipe can be performed.

RECOVER (RC) – Restoration & Trust

Command
Re-provision affected devices using a known good baseline image before restoring user access.

IDENTIFY & PROTECT (ID/PR) – The Feedback Loop

Command
Update security awareness training to explicitly cover the risks of sideloading applications and granting broad Accessibility permissions to non-standard apps.

Remediation - THE HOME USER TRACK (Safety Focus)

Priority 1: Safety

Command
Disconnect the suspected device from cellular and Wi-Fi networks immediately to sever any active remote sessions.

Command
Do not log into banking or email accounts until the device is verified clean or factory reset.

Priority 2: Identity

Command
Reset passwords for all financial institutions and any services stored in note-taking applications using a known clean device.

Priority 3: Persistence

Command
Boot the Android device into Safe Mode to prevent third-party apps from running, locate the suspicious application (e.g., the IPTV app), and uninstall it. Revoke all Accessibility permissions from unknown applications. If system instability persists, execute a factory reset.

Hardening & References

Baseline

CIS Apple iOS and Google Android Benchmarks (Focus on disabling "Install Unknown Apps" toggles).

Framework
NIST CSF 2.0 (PR.AT-1: Identity and Access Management).

Source

ThreatFabric (Primary Intelligence Provider)
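The two checks the posts above keep returning to, which apps hold Accessibility access and which apps were sideloaded, can be scripted over adb. This is an added example written for this thread, not code from ThreatFabric or any of the posters; it assumes adb is installed and USB debugging is enabled when run with `--device`, and otherwise runs against a constructed sample so it can be tried offline.

```shell
#!/bin/sh
# Added example (not from the thread or ThreatFabric): adb triage for the two signals
# discussed above, apps holding Accessibility access and sideloaded apps.
# Assumes adb is installed and USB debugging is enabled when run with --device.

# Settings.Secure "enabled_accessibility_services" is "pkg/Service:pkg2/Service2"
# (or "null" when nothing is enabled); print one package name per line.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | cut -d/ -f1 | grep -v -e '^$' -e '^null$' | sort -u
}

# "pm list packages -3 -i" prints "package:<name>  installer=<pkg|null>" per line;
# keep third-party packages whose installer is not the Play Store (com.android.vending).
sideloaded_packages() {
    printf '%s\n' "$1" | grep '^package:' | grep -v 'installer=com.android.vending' \
        | sed 's/^package:\([^ ]*\).*/\1/' | sort -u
}

# Intersection of the two lists: sideloaded AND holding Accessibility access,
# the combination Perseus-style banking trojans rely on. Review these first.
sideloaded_with_accessibility() {
    tmp="${TMPDIR:-/tmp}/sideloaded.$$"
    printf '%s\n' "$1" | sort -u > "$tmp"
    printf '%s\n' "$2" | sort -u | comm -12 "$tmp" -
    rm -f "$tmp"
}

report() {
    echo "Accessibility access:"; accessibility_packages "$1"
    echo "Sideloaded:"; sideloaded_packages "$2"
    echo "Sideloaded with Accessibility (review first):"
    sideloaded_with_accessibility "$(sideloaded_packages "$2")" "$(accessibility_packages "$1")"
}

if [ "${1:-}" = "--device" ]; then
    report "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
           "$(adb shell pm list packages -3 -i | tr -d '\r')"
else
    # Constructed sample standing in for a device: a sideloaded "IPTV" app with an
    # Accessibility service enabled, next to TalkBack and two Play-installed apps.
    SAMPLE_A11Y='com.example.iptvplayer/.A11yService:com.google.android.marvin.talkback/.TalkBackService'
    SAMPLE_PKGS='package:com.example.iptvplayer  installer=null
package:com.example.bank  installer=com.android.vending
package:com.example.notes  installer=com.android.vending'
    report "$SAMPLE_A11Y" "$SAMPLE_PKGS"
fi
```

Package names in the output are the unit to act on: revoke Accessibility for anything in the last list, then uninstall it, matching the Priority 3 step above.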