Perseus Banking Malware
Cybersecurity analysts have identified a new Android malware family, Perseus, that is actively deployed in the wild to enable device takeover (DTO) and carry out financial fraud. The threat represents a notable step in mobile malware evolution, combining established techniques with greater operational flexibility.
Evolution from Proven Malware Lineages
Perseus is built upon the foundations of Cerberus malware and Phoenix Android malware, both well-known Android banking trojans. First documented in August 2019, Cerberus abused Android's accessibility services to escalate privileges, harvest sensitive data, and deploy overlay attacks for credential theft. After its source code leaked in 2020, multiple derivatives emerged, including Alien, ERMAC, and Phoenix.
Perseus extends the Phoenix codebase, evolving into a more adaptable and capable platform. Indicators such as extensive in-app logging and unusual code artifacts suggest that threat actors may have leveraged large language model (LLM) assistance during development.
Infection Vector: Social Engineering via IPTV Applications
The distribution strategy relies heavily on social engineering. Perseus is delivered through dropper applications hosted on phishing websites, often disguised as IPTV services. This approach mirrors campaigns associated with Massiv Android malware, targeting users seeking unauthorized access to premium streaming content.
By embedding malicious payloads within seemingly legitimate IPTV apps, attackers reduce user suspicion and significantly increase infection success rates. The campaign has primarily targeted users across multiple regions, including Turkey, Italy, Poland, Germany, France, the United Arab Emirates, and Portugal.
Malware Deployment Chain and Known Artifacts
Several applications have been identified as part of the Perseus distribution ecosystem:
- Roja App Directa (com.xcvuc.ocnsxn) – Dropper application
- TvTApp (com.tvtapps.live) – Primary Perseus payload
- PolBox Tv (com.streamview.players) – Secondary payload variant
These applications serve as entry points for installing the malware onto compromised devices.
Advanced Device Takeover Capabilities
Perseus leverages Android accessibility services to establish remote sessions, enabling real-time monitoring and precise interaction with infected devices. This functionality allows full device takeover, granting attackers extensive control over user activity.
Unlike traditional banking trojans, Perseus goes beyond credential harvesting by actively monitoring note-taking applications. This behavior indicates a deliberate focus on extracting high-value personal and financial information that may not be stored in conventional credential fields.
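The package names listed under the deployment chain and the accessibility-service abuse described above both translate directly into a device triage check. The following script is an added example written for this article, not code from the analysts or the malware; it parses constructed samples of two `adb shell` outputs (`pm list packages` and `settings get secure enabled_accessibility_services`), flags any installed package that matches the reported Perseus package names, and lists every package that owns an enabled accessibility service but is not on an operator-maintained allowlist. The allowlist contents and the sample device outputs are assumptions for the example.

```python
"""Offline triage of Android inventory for Perseus indicators (added example)."""

# Package names reported in the write-up for the Perseus distribution chain.
PERSEUS_PACKAGES = {
    "com.xcvuc.ocnsxn": "Roja App Directa (dropper)",
    "com.tvtapps.live": "TvTApp (primary Perseus payload)",
    "com.streamview.players": "PolBox Tv (secondary payload variant)",
}

# Constructed sample of `adb shell pm list packages` output (not from a real device).
SAMPLE_PM_LIST = """package:com.android.chrome
package:com.google.android.keep
package:com.tvtapps.live
package:com.example.bank
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
# Android stores this as colon-separated flattened ComponentNames (package/ServiceClass).
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService"
    ":com.tvtapps.live/.AccService"
)

# Assumed per-fleet allowlist of packages that legitimately run accessibility services.
KNOWN_GOOD_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_pm_list(text):
    """Return the set of installed package names from `pm list packages` output."""
    pkgs = set()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("package:"):
            pkgs.add(line[len("package:"):])
    return pkgs


def parse_a11y(text):
    """Return the set of packages owning an enabled accessibility service.

    The setting reads "null" (or is empty) when no service is enabled.
    """
    text = text.strip()
    if not text or text == "null":
        return set()
    owners = set()
    for component in text.split(":"):
        pkg, _, _cls = component.partition("/")
        if pkg:
            owners.add(pkg)
    return owners


def triage(pm_text, a11y_text):
    """Correlate installed packages with IoCs and accessibility-service grants.

    Returns a sorted list of (category, package, detail) tuples:
      ioc_match     - an installed package matches a reported Perseus package
      ioc_a11y      - a reported Perseus package holds an enabled accessibility service
      unvetted_a11y - a package outside the allowlist holds an accessibility service
    """
    installed = parse_pm_list(pm_text)
    a11y_owners = parse_a11y(a11y_text)
    findings = []
    for pkg in sorted(installed & PERSEUS_PACKAGES.keys()):
        findings.append(("ioc_match", pkg, PERSEUS_PACKAGES[pkg]))
    for pkg in sorted(a11y_owners - KNOWN_GOOD_A11Y_PACKAGES):
        category = "ioc_a11y" if pkg in PERSEUS_PACKAGES else "unvetted_a11y"
        findings.append((category, pkg, "accessibility service enabled"))
    return findings


if __name__ == "__main__":
    for category, pkg, detail in triage(SAMPLE_PM_LIST, SAMPLE_A11Y):
        print(f"{category:14} {pkg:28} {detail}")
```

In practice the two inputs come from `adb shell pm list packages` and `adb shell settings get secure enabled_accessibility_services` run against the device under review; the package-name match is a quick indicator, while the accessibility-service listing is the more durable signal, since a renamed build of the payload still needs that service enabled to drive the device.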
Core Attack Techniques: Overlay and Input Interception
Once active, Perseus employs well-established Android banking malware techniques. It launches overlay attacks to display fraudulent interfaces over legitimate banking and cryptocurrency applications, capturing user credentials in real time. Additionally, keystroke logging is used to intercept sensitive input data as it is entered.
Command-and-Control Operations: Remote Manipulation Framework
The malware is controlled through a command-and-control (C2) infrastructure, allowing operators to issue commands, manipulate device behavior, and authorize fraudulent transactions. Key supported commands include:
- Data extraction and surveillance (e.g., capturing notes from apps like Google Keep, Evernote, and Microsoft OneNote)
- Remote session management via VNC and HVNC for real-time or structured UI interaction
- Screenshot capture using accessibility services
- Application control, including launching apps or removing restrictions
- User deception tactics such as black screen overlays and audio muting
- Forced installation from unknown sources and simulated user interactions
This comprehensive command set enables attackers to maintain persistent and covert control over compromised devices.
Evasion Tactics and Environment Awareness
Perseus incorporates advanced anti-analysis techniques to evade detection. It performs extensive environment checks, including identifying debugging tools, verifying SIM card presence, analyzing installed application counts, and validating battery metrics to confirm execution on a real device.
The malware aggregates this data into a 'suspicion score,' which is transmitted to the C2 server. Based on this score, operators determine whether to proceed with further exploitation or remain dormant to avoid detection.
Strategic Implications: Efficiency Through Evolution
Perseus exemplifies the ongoing evolution of Android malware, where new threats are increasingly built upon existing frameworks rather than developed from scratch. By combining inherited capabilities from Cerberus and Phoenix with targeted enhancements, such as note monitoring and improved remote control, Perseus achieves a balance between efficiency and innovation.
This approach reflects a broader trend in cybercrime: the prioritization of adaptability, scalability, and high-value data extraction, making modern malware campaigns more effective and harder to detect.