In a technical analysis published by ThreatFabric, researchers said a new Android malware family named Perseus is being distributed in the wild to enable device takeover and financial fraud.
KEY FACTS
- Incident: New Android banking malware called Perseus, distributed via dropper apps
- Targets: Primarily Turkey and Italy, with activity also seen in Poland, Germany, France, the UAE and Portugal
- Technique: Uses Accessibility-based remote sessions, overlays and keystroke capture for device takeover
- Capabilities: Scans note apps, streams the screen via VNC and accepts C2 commands to perform actions
Perseus combines elements from earlier families and is deployed through dropper apps on phishing sites. Operators embed the payload in apps that pose as IPTV services to increase sideloading and reduce user suspicion.
After installation, the malware requests Accessibility privileges to perform overlay attacks, capture keystrokes and enable remote sessions for near-real-time monitoring and interaction. Operators can interact with the device visually or by transmitting a structured UI representation to act programmatically.
The report lists supported commands such as scan_notes to capture content from note apps, start_vnc and start_hvnc for remote sessions, click_coord to tap specific screen locations, and install_from_unknown to force app installation from unknown sources. The malware can also display black-screen overlays, mute audio and modify a blocklist of apps.
Perseus performs environment checks for debuggers and analysis tools like Frida and Xposed, verifies SIM presence and device characteristics, and computes a suspicion score that is sent to the command server to decide whether to proceed with data theft or interactive sessions.
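The abuse of Accessibility privileges and sideloaded "IPTV" droppers described above is something a responder can check for on a managed Android device. The script below is an added triage example written for this article, not ThreatFabric's tooling or anything from the Perseus report: it parses the value of the enabled_accessibility_services secure setting (the colon-separated "package/ServiceClass" list returned by adb shell settings get secure enabled_accessibility_services) and flags any enabled accessibility service whose package is not on an allowlist, with an extra note when the package has no store installer. The package names, allowlist and installer map are constructed sample data.

```python
"""
Triage helper: flag enabled Android accessibility services that are not
expected on a device. Added example for this article; not code from
ThreatFabric or from the Perseus malware. All package/service names below
are constructed placeholders.

Real-device sources for the two inputs:
  adb shell settings get secure enabled_accessibility_services
      -> "pkg/ServiceClass:pkg2/ServiceClass2" (or "null" when none)
  adb shell pm list packages -i
      -> "package:com.foo  installer=com.android.vending" per line
"""

# Constructed sample of the setting's value: a screen-reader style app that
# legitimately needs Accessibility, and a sideloaded "IPTV" player that does not.
SAMPLE_SETTING = (
    "com.example.screenreader/com.example.screenreader.ReaderService:"
    "com.example.iptv.player/com.example.iptv.player.CoreService"
)

# Constructed allowlist of packages the organisation expects to hold
# Accessibility privileges (accessibility tools, MDM agents, and so on).
ALLOWLIST = {"com.example.screenreader"}

# Constructed installer inventory: package -> installer package.
# None means no installer recorded, i.e. sideloaded from an unknown source.
INSTALLERS = {
    "com.example.screenreader": "com.android.vending",
    "com.example.iptv.player": None,
}


def parse_enabled_services(raw):
    """Split the secure setting into (package, service_class) tuples.

    Handles the "null" value Android returns when nothing is enabled and
    skips malformed entries without a package/service separator.
    """
    if raw is None or raw.strip().lower() in ("", "null"):
        return []
    entries = []
    for item in raw.split(":"):
        item = item.strip()
        if "/" not in item:
            continue
        pkg, svc = item.split("/", 1)
        entries.append((pkg, svc))
    return entries


def triage(raw_setting, allowlist, installers):
    """Return findings for accessibility services that are not allowlisted.

    Each finding records the package, the service class, and the reasons it
    was flagged, so a responder can decide whether to revoke the privilege
    or pull the APK for analysis.
    """
    findings = []
    for pkg, svc in parse_enabled_services(raw_setting):
        if pkg in allowlist:
            continue
        reasons = ["accessibility service enabled but package not allowlisted"]
        if installers.get(pkg) is None:
            reasons.append("no store installer recorded (sideloaded / unknown source)")
        findings.append({"package": pkg, "service": svc, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_SETTING, ALLOWLIST, INSTALLERS):
        print(f"{f['package']} ({f['service']}):")
        for r in f["reasons"]:
            print(f"  - {r}")
```

An allowlist of expected accessibility providers has to be maintained per fleet; the point of the check is that a banking app, a media player or an "IPTV" client has no business holding Accessibility privileges, and any such entry is worth revoking and investigating. Feeding the two adb outputs into the functions above replaces the constructed samples with live device state.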
WHY IT MATTERS
Perseus enables full device takeover combined with credential and note extraction, which raises the risk of unauthorized transactions, identity exposure and loss of sensitive personal information.

