Skip to main content
List Directory
  • News
  • World
  • Business
  • Entertainment
  • Sports
  • Tech and Science
  • Health
Menu
  • News
  • World
  • Business
  • Entertainment
  • Sports
  • Tech and Science
  • Health
Perseus Malware Steals Passwords & Crypto Keys from Android Notes Apps

Perseus Malware Steals Passwords & Crypto Keys from Android Notes Apps

March 20, 2026 Sarah Wu - Tech Editor Tech and Science

A new Android malware family dubbed Perseus is actively targeting users, with a particularly invasive approach: it scans personal notes applications for sensitive data like passwords and cryptocurrency recovery phrases. Unlike conventional banking trojans that focus on intercepting one-time passwords (OTPs) or keystrokes, Perseus directly accesses and analyzes user-created notes, representing a shift in mobile malware tactics. The threat was detailed in a recent report by ThreatFabric, a mobile security firm specializing in tracking mobile malware threats. ThreatFabric has a decade of data on mobile malware, and claims to have discovered 80% of Android banking malware families.

Perseus doesn’t arrive via the official Google Play Store. Instead, it’s distributed through unofficial app stores and third-party APK files, often disguised as popular streaming applications, particularly IPTV (Internet Protocol Television) apps used for accessing pirated sports broadcasts. Users who sideload applications – installing them from sources outside the official app store – are at significantly higher risk. Once installed, the malicious payload activates and begins its reconnaissance.

How Perseus Operates: Accessibility Services and Note Mining

The malware leverages Android’s Accessibility Services, a feature designed to assist users with disabilities, to gain extensive control over infected devices. Accessibility Services allow apps to observe and interact with the user interface, ostensibly to provide assistance. Perseus abuses this functionality to systematically open and scan popular note-taking applications.

Specifically, Perseus targets widely used apps like Google Keep, Samsung Notes, Evernote, and Microsoft OneNote. It also scans Xiaomi Notes, ColorNote, and Simple Notes, broadening its potential data collection reach. Within these applications, the malware reads the text content, searching for keywords and patterns indicative of valuable information – account passwords, banking details, and crucially, cryptocurrency recovery phrases (also known as seed phrases).

This approach is notable given that it focuses on data users proactively curate, rather than information passively transmitted through the system. As ThreatFabric researchers noted, Here’s one of the first documented cases of Android malware specifically designed to extract data from user-created notes. The Hacker News reported on the findings, highlighting the malware’s evolution from the Phoenix codebase.

Expanding on Existing Malware: The Phoenix Connection

Perseus isn’t a completely new creation. ThreatFabric’s analysis indicates it builds upon the codebase of previous Android banking trojans, notably Phoenix. Phoenix itself emerged following the leak of the source code for Cerberus, another notorious Android malware, in 2020. Variants like Alien and ERMAC also stemmed from the Cerberus leak. Perseus represents a further evolution, becoming a “more flexible and capable platform” for compromising Android devices.

Interestingly, researchers believe the developers of Perseus may be utilizing a large language model (LLM) to assist with development, based on extensive in-app logging and the unexpected inclusion of emojis within the source code. This suggests a potential trend of malware authors leveraging AI tools to streamline their operations and enhance their malware’s capabilities.

Geographic Focus and Target Sectors

Currently, the Perseus campaign is primarily focused on users in Turkey and Italy. The malware targets dozens of local financial institutions and cryptocurrency services within these regions. However, the sideloading-based distribution method means the potential for global spread remains a significant concern.

Before initiating its malicious activities, Perseus conducts a series of checks on the infected device, including hardware specifications, battery status, and the number of installed applications. This pre-infection assessment likely serves to avoid detection by security tools and to prioritize devices deemed “worthy” of exploitation – those with sufficient resources or a higher likelihood of containing valuable data.

Mitigation and Prevention

Security experts strongly advise against downloading applications from unofficial sources. Sticking to the official Google Play Store significantly reduces the risk of encountering malware. Google Play Protect, Google’s built-in malware scanner, provides a layer of defense, although it’s not foolproof. Users should also exercise caution when granting Accessibility Service permissions to applications, carefully considering whether the requested access is legitimate and necessary for the app’s functionality.

As reported by WIONews, the malware is being distributed through fake IPTV apps, emphasizing the risk associated with seeking out unauthorized streaming services.

Looking Ahead: Ongoing Monitoring and Adaptive Security

The emergence of Perseus underscores the evolving sophistication of Android malware. The shift towards targeting user-curated data within note-taking applications represents a novel and concerning tactic. Ongoing monitoring of malware trends, coupled with proactive security measures by both users and security vendors, will be crucial in mitigating the threat posed by Perseus and similar malware families. Further research into the potential use of LLMs in malware development is also warranted, as this could signal a significant change in the threat landscape. Security firms like ThreatFabric will continue to analyze new samples and share intelligence to support protect users from these evolving threats.

Malware “Perseus” Intai Catatan Pribadi Pengguna Android, Sasar Password hingga Frasa Kripto

Recent Posts

  • Madison Keys vs. Hanne Vandewinkel Live: French Open 2026 TV Schedule and Streaming Guide
  • Our Strict Quality Control Process for Returned Clothing
  • German Business Sentiment Shows Slight Recovery in May According to Ifo Index
  • The 2-week supplement to avoid travel tummy trouble – plus blood clots worries – The Irish Sun
  • Ukraine Achieves Major Battlefield Successes as Russian Casualties Mount

Recent Comments

No comments to show.
List Directory

List-Directory is a comprehensive directory of businesses and services across the United States. Find what you need, when you need it.

Quick Links

  • Home
  • Privacy Policy
  • Terms of Service

Browse by State

  • Alabama
  • Alaska
  • Arizona
  • Arkansas
  • California
  • Colorado

Connect With Us

Official social links will appear here when available.

List-directory.com
For contact, advertising, copyright, issues email: [email protected]

Privacy Policy Terms of Service