New ‘Perseus’ Android malware checks user notes for secrets

Perseus is a new Android malware distributed via unofficial IPTV apps that steals sensitive information by scanning user-curated notes and can fully take over infected devices. Researchers say the campaign leverages sideloading lures like Roja Directa TV, abuses Accessibility Services for remote control and overlays, and primarily targets financial and crypto services in Turkey and Italy. #Perseus #RojaDirectaTV

Key points

  • Perseus scans note-taking apps (Google Keep, Samsung Notes, Evernote, Microsoft OneNote, ColorNote, Xiaomi Notes, Simple Notes) to harvest passwords, recovery phrases, and financial data.
  • The malware is distributed via sideloaded IPTV apps such as Roja Directa TV and its dropper can bypass Android 13+ sideloading restrictions.
  • By abusing Android Accessibility Services, Perseus enables full remote control: continuous screenshots, HVNC, simulated input, overlays, and keylogging.
  • Primary targets include 17 financial institutions in Turkey, 15 in Italy, additional European banks, and nine cryptocurrency apps.
  • Perseus performs extensive anti-analysis checks, sends a “suspicion score” to its C2 before acting, has Turkish and more refined English variants, and builds on the Phoenix/Cerberus codebase with signs of AI-assisted development.

Read More: https://www.bleepingcomputer.com/news/security/new-perseus-android-malware-checks-user-notes-for-secrets/