Perseus Android Malware Targets Your Notes App

Perseus Android malware is a newly discovered threat that goes further than most mobile banking trojans. While typical Android malware focuses on stealing login credentials or intercepting text messages, Perseus actively scans the note-taking apps on your phone, hunting for passwords, crypto wallet recovery phrases, and financial details you may have stored there for safekeeping.

What Is Perseus and Where Does It Come From?

Perseus is an Android banking trojan uncovered by mobile security firm ThreatFabric. It spreads through unofficial app stores, disguised as IPTV streaming applications. One confirmed carrier is a fake version of Roja Directa TV, a sports streaming service with a large existing user base.

That choice of disguise is deliberate. People who use IPTV apps to watch pirated sports streams are already accustomed to installing apps from outside the Google Play Store. They expect to sideload APKs, so they are far less likely to question a security warning. Over the past eight months, attackers have leaned heavily into this behaviour, using IPTV lures to distribute multiple strains of Android malware.

Perseus is not an entirely new creation. Researchers found it is built on the Phoenix codebase, which itself derives from Cerberus, a banking trojan whose source code leaked roughly six years ago. The same dropper that installs Perseus also delivers other malware families, including Klopatra and Medusa, and it can bypass the sideloading restrictions introduced in Android 13 and above.

The Feature That Makes Perseus Different

Most Android malware looks for credentials by placing fake login screens over real banking apps, intercepting SMS messages, or logging keystrokes. Perseus does all of this, but it adds something researchers say they have never seen before in Android malware. It reads your notes.

Using Android’s Accessibility Services, Perseus systematically opens note-taking apps one by one and scans their contents. The apps it targets include Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes.

The logic behind this is straightforward. Notes are where people store things they cannot remember and do not want to type every time. Crypto wallet seed phrases are a common example. So are banking PINs, email passwords, and answers to security questions. Users treat their notes app like a private vault. Perseus treats it like an unlocked filing cabinet.

How Perseus Avoids Detection

Before Perseus does anything on a device, it runs an extensive series of checks. It looks for signs that the device is a research environment rather than a real phone. It checks for root access, emulator fingerprints, SIM card details, hardware profile, battery data, Bluetooth presence, app count, and whether Google Play Services is available.

All of these data points feed into what researchers describe as a “suspicion score.” That score is sent back to the attacker’s command-and-control server. If the score is too high, the operator holds off. The malware does not act until the operator decides the device is a genuine target. This kind of human-in-the-loop decision-making makes Perseus harder to catch in a controlled security environment.

Two Versions, One Built With AI Assistance

Researchers identified two distinct variants of Perseus. One is written in Turkish and targets financial institutions primarily in Turkey. The other is a more refined English-language version with a wider geographic reach, targeting banks in Italy, Poland, Germany, and France, as well as cryptocurrency services.

The English version shows clear signs of AI-assisted development. Its code contains extensive logging and emojis scattered throughout, both of which are patterns consistent with developers using AI coding tools to write or refine software. The quality of this version is noticeably higher than the Turkish one.

What Perseus Can Do Beyond Reading Notes

Perseus is a full-featured banking trojan, not just a notes scanner. Once installed, it can take complete control of the device. It captures screenshots, mounts overlay attacks by placing fake login screens on top of legitimate banking apps, and intercepts credentials as they are entered.

The dropper that delivers Perseus also allows it to persist through Android’s security restrictions. Combined with its evasion scoring system, this makes it a threat that can sit quietly on a device for some time before the operator chooses to act.

How to Protect Yourself

The most effective protection is simple: only install apps from the official Google Play Store. Perseus spreads exclusively through unofficial channels. If an app is not on Google Play, that is reason enough to be cautious.

Keep Google Play Protect active on your device. It is not infallible, but it provides a meaningful layer of defence and can flag known threats. Running a regular scan through Play Protect costs nothing and takes seconds.

Think carefully about what you store in note-taking apps. Recovery phrases for crypto wallets, banking passwords, and PINs are exactly what Perseus is looking for. A dedicated password manager with strong encryption is a much safer place to keep that kind of information.

Finally, be especially sceptical of IPTV apps from outside official stores. The promise of free live sports is precisely the hook attackers are using.
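The two behaviours described above, a sideloaded install and an enabled Accessibility Service, can be cross-checked from a connected device. The following triage script is an added example, not ThreatFabric's or this article's own code; the two adb commands it parses are real, while the sample output and package names (com.example.sportstv and friends) are constructed placeholders.

```shell
#!/bin/sh
# Flag packages that are BOTH installed from outside Google Play AND hold an
# enabled accessibility service. Parses the output of two real adb commands:
#   adb shell pm list packages -i                          -> "package:<pkg>  installer=<pkg|null>"
#   adb shell settings get secure enabled_accessibility_services
#                                                          -> "<pkg>/<service>:<pkg>/<service>"
# The sample output below is CONSTRUCTED; the package names are placeholders.
PLAY_STORE="com.android.vending"

SAMPLE_PACKAGES='package:com.google.android.keep  installer=com.android.vending
package:com.example.sportstv  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.vending  installer=null'

SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.sportstv/com.example.sportstv.OverlayService'

# One package per line whose installer is not the Play Store.
# Note: preinstalled system apps also report installer=null, so this list alone is noisy.
sideloaded_packages() {
    printf '%s\n' "$1" | awk -v store="$PLAY_STORE" '
        /^package:/ {
            sub(/^package:/, "", $1)
            inst = $2; sub(/^installer=/, "", inst)
            if (inst != store) print $1
        }'
}

# Package part of every enabled accessibility service, one per line, de-duplicated.
accessibility_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#/.*##p' | sort -u
}

# Intersection of the two lists: sideloaded packages that can read other apps' screens.
suspicious_accessibility() {
    side=$(sideloaded_packages "$1")
    accessibility_packages "$2" | while read -r pkg; do
        if printf '%s\n' "$side" | grep -Fxq "$pkg"; then echo "$pkg"; fi
    done
}

# Stand-alone run on the constructed sample. On a real device, feed live output instead:
#   suspicious_accessibility "$(adb shell pm list packages -i)" \
#       "$(adb shell settings get secure enabled_accessibility_services)"
suspicious_accessibility "$SAMPLE_PACKAGES" "$SAMPLE_A11Y"
```

Any package this prints deserves a closer look at where it came from; an IPTV app with an accessibility service enabled is exactly the pattern the article describes.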

Final Thoughts

Perseus Android malware is a reminder that attackers keep looking for data in places defenders are not watching. Notes apps feel private. They sit outside the usual focus of banking security. That is exactly why they became a target.

The fact that this is the first known Android malware to scan personal notes does not mean it will be the last. The technique works, and the code behind it is already circulating. Users who store sensitive information in notes apps should treat that habit as a real risk, not a minor convenience.

Staying safe means combining sensible habits with basic security tools. Stick to official app stores, use a password manager, and keep Play Protect running.

Janet Andersen

Janet is an experienced content creator with a strong focus on cybersecurity and online privacy. With extensive experience in the field, she’s passionate about crafting in-depth reviews and guides that help readers make informed decisions about digital security tools. When she’s not managing the site, she loves staying on top of the latest trends in the digital world.