Perseus Malware Steals Passwords & Crypto Keys from Android Notes Apps
A new Android malware family dubbed Perseus is actively targeting users, with a particularly invasive approach: it scans personal notes applications for sensitive data like passwords and cryptocurrency recovery phrases. Unlike conventional banking trojans that focus on intercepting one-time passwords (OTPs) or keystrokes, Perseus directly accesses and analyzes user-created notes, representing a shift in mobile malware tactics. The threat was detailed in a recent report by ThreatFabric, a mobile security firm specializing in tracking mobile malware threats. ThreatFabric has a decade of data on mobile malware, and claims to have discovered 80% of Android banking malware families.
Perseus doesn’t arrive via the official Google Play Store. Instead, it’s distributed through unofficial app stores and third-party APK files, often disguised as popular streaming applications, particularly IPTV (Internet Protocol Television) apps used for accessing pirated sports broadcasts. Users who sideload applications – installing them from sources outside the official app store – are at significantly higher risk. Once installed, the malicious payload activates and begins its reconnaissance.
How Perseus Operates: Accessibility Services and Note Mining
The malware leverages Android’s Accessibility Services, a feature designed to assist users with disabilities, to gain extensive control over infected devices. Accessibility Services allow apps to observe and interact with the user interface, ostensibly to provide assistance. Perseus abuses this functionality to systematically open and scan popular note-taking applications.
Specifically, Perseus targets widely used apps like Google Keep, Samsung Notes, Evernote, and Microsoft OneNote. It also scans Xiaomi Notes, ColorNote, and Simple Notes, broadening its potential data collection reach. Within these applications, the malware reads the text content, searching for keywords and patterns indicative of valuable information – account passwords, banking details, and crucially, cryptocurrency recovery phrases (also known as seed phrases).
This approach is notable given that it focuses on data users proactively curate, rather than information passively transmitted through the system. As ThreatFabric researchers noted, Here’s one of the first documented cases of Android malware specifically designed to extract data from user-created notes. The Hacker News reported on the findings, highlighting the malware’s evolution from the Phoenix codebase.
Expanding on Existing Malware: The Phoenix Connection
Perseus isn’t a completely new creation. ThreatFabric’s analysis indicates it builds upon the codebase of previous Android banking trojans, notably Phoenix. Phoenix itself emerged following the leak of the source code for Cerberus, another notorious Android malware, in 2020. Variants like Alien and ERMAC also stemmed from the Cerberus leak. Perseus represents a further evolution, becoming a “more flexible and capable platform” for compromising Android devices.
Interestingly, researchers believe the developers of Perseus may be utilizing a large language model (LLM) to assist with development, based on extensive in-app logging and the unexpected inclusion of emojis within the source code. This suggests a potential trend of malware authors leveraging AI tools to streamline their operations and enhance their malware’s capabilities.
Geographic Focus and Target Sectors
Currently, the Perseus campaign is primarily focused on users in Turkey and Italy. The malware targets dozens of local financial institutions and cryptocurrency services within these regions. However, the sideloading-based distribution method means the potential for global spread remains a significant concern.
Before initiating its malicious activities, Perseus conducts a series of checks on the infected device, including hardware specifications, battery status, and the number of installed applications. This pre-infection assessment likely serves to avoid detection by security tools and to prioritize devices deemed “worthy” of exploitation – those with sufficient resources or a higher likelihood of containing valuable data.
Mitigation and Prevention
Security experts strongly advise against downloading applications from unofficial sources. Sticking to the official Google Play Store significantly reduces the risk of encountering malware. Google Play Protect, Google’s built-in malware scanner, provides a layer of defense, although it’s not foolproof. Users should also exercise caution when granting Accessibility Service permissions to applications, carefully considering whether the requested access is legitimate and necessary for the app’s functionality.
As reported by WIONews, the malware is being distributed through fake IPTV apps, emphasizing the risk associated with seeking out unauthorized streaming services.
Looking Ahead: Ongoing Monitoring and Adaptive Security
The emergence of Perseus underscores the evolving sophistication of Android malware. The shift towards targeting user-curated data within note-taking applications represents a novel and concerning tactic. Ongoing monitoring of malware trends, coupled with proactive security measures by both users and security vendors, will be crucial in mitigating the threat posed by Perseus and similar malware families. Further research into the potential use of LLMs in malware development is also warranted, as this could signal a significant change in the threat landscape. Security firms like ThreatFabric will continue to analyze new samples and share intelligence to support protect users from these evolving threats.