A “suspicion score” is the detail that separates Perseus from the Android banking malware that came before it.
Most malware of this type steals what it can and retreats. Perseus checks first. Before initiating any data theft, it runs a battery of environment tests — scanning for debuggers, detecting analysis tools like Frida and Xposed, confirming whether a SIM card is inserted, counting installed apps to flag unusually sparse devices, and validating battery readings to rule out emulators. Every result feeds into a single composite score, which gets transmitted to the operator’s command-and-control panel. The operator then decides whether to proceed.
That architecture reflects deliberate operational caution rather than brute force.
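To make the scoring model concrete, here is an added illustration of how such a composite score might be assembled. It is this editor's example, not Perseus code and not anything from the ThreatFabric report: the probe names, weights and thresholds are assumptions, the device snapshots are constructed, and the only real-world specifics are well-known tooling defaults (the frida-agent/frida-gadget library names, frida-server's default port 27042, and the Xposed and LSPosed manager package names).

```python
"""Composite 'suspicion score' from environment probes, modelled on the checks
the article attributes to Perseus.  Added example, not code from Perseus or
ThreatFabric: probe names, weights, thresholds and the emulator heuristics are
this editor's assumptions.  The inputs are plain facts an Android app can read
without special permissions (/proc/self/maps, /proc/net/tcp, package list,
SIM state, battery); constructed snapshots below stand in for a real device."""
from dataclasses import dataclass
import re

# Library names the Frida toolchain maps into a process it instruments.
FRIDA_MAP_RE = re.compile(r"frida-agent|frida-gadget", re.IGNORECASE)
# Manager packages of the classic Xposed framework and the LSPosed fork.
XPOSED_PACKAGES = {"de.robv.android.xposed.installer", "org.lsposed.manager"}
FRIDA_DEFAULT_PORT = 27042          # frida-server's default listening port

WEIGHTS = {                         # assumed weights; the real scale is not public
    "debugger_attached": 30,
    "frida_in_maps": 30,
    "frida_port_listening": 20,
    "xposed_installed": 25,
    "no_sim": 15,
    "sparse_app_list": 15,
    "emulator_like_battery": 10,
}
ABORT_THRESHOLD = 50                # assumed: at or above this the operator is told to hold off
SPARSE_APP_THRESHOLD = 50           # assumed: fewer packages than this looks like a lab image


@dataclass
class DeviceSnapshot:
    proc_maps: str                  # text of /proc/self/maps
    proc_net_tcp: str               # text of /proc/net/tcp
    installed_packages: list        # from PackageManager.getInstalledPackages()
    sim_state_ready: bool           # TelephonyManager.getSimState() == SIM_STATE_READY
    battery_level: int              # BatteryManager level, 0-100
    battery_plugged: bool           # BatteryManager plugged != 0
    debugger_connected: bool        # android.os.Debug.isDebuggerConnected()
    tracer_pid: int                 # TracerPid from /proc/self/status (non-zero => ptrace'd)


def frida_port_listening(proc_net_tcp: str, port: int = FRIDA_DEFAULT_PORT) -> bool:
    """True if /proc/net/tcp shows a socket in LISTEN (state 0A) on `port`.
    Addresses in that file are hex, so 27042 appears as :69A2."""
    want = f":{port:04X}"
    for line in proc_net_tcp.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) > 3 and fields[1].endswith(want) and fields[3] == "0A":
            return True
    return False


def run_probes(s: DeviceSnapshot) -> dict:
    """Each probe is a cheap boolean; none is decisive on its own."""
    return {
        "debugger_attached": s.debugger_connected or s.tracer_pid != 0,
        "frida_in_maps": bool(FRIDA_MAP_RE.search(s.proc_maps)),
        "frida_port_listening": frida_port_listening(s.proc_net_tcp),
        "xposed_installed": bool(XPOSED_PACKAGES & set(s.installed_packages)),
        "no_sim": not s.sim_state_ready,
        "sparse_app_list": len(s.installed_packages) < SPARSE_APP_THRESHOLD,
        # A stock emulator commonly reports a full battery on AC power; a single
        # reading cannot tell 'constant' from 'just charged', hence the low weight.
        "emulator_like_battery": s.battery_level == 100 and s.battery_plugged,
    }


def suspicion_score(s: DeviceSnapshot):
    """Return (score, names of probes that fired): what a C2 panel would receive."""
    fired = [name for name, hit in run_probes(s).items() if hit]
    return sum(WEIGHTS[name] for name in fired), fired


def verdict(score: int) -> str:
    return "abort" if score >= ABORT_THRESHOLD else "proceed"


# --- constructed snapshots (not captured from real devices) ------------------
TCP_HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode"
QUIET_TCP = TCP_HEADER + "\n   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000 0 1 1 0\n"
FRIDA_TCP = QUIET_TCP + "   1: 00000000:69A2 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0 0 2 1 0\n"
CLEAN_MAPS = "7f5a000000-7f5a1c0000 r-xp 00000000 fd:01 1001  /apex/com.android.runtime/lib64/bionic/libc.so\n"
FRIDA_MAPS = CLEAN_MAPS + "7f5b000000-7f5b600000 r-xp 00000000 fd:01 2002  /data/local/tmp/re.frida.server/frida-agent-64.so\n"

REAL_PHONE = DeviceSnapshot(CLEAN_MAPS, QUIET_TCP, [f"com.vendor.app{i}" for i in range(120)],
                            sim_state_ready=True, battery_level=67, battery_plugged=False,
                            debugger_connected=False, tracer_pid=0)
BARE_EMULATOR = DeviceSnapshot(FRIDA_MAPS, FRIDA_TCP, [f"com.android.sys{i}" for i in range(12)],
                               sim_state_ready=False, battery_level=100, battery_plugged=True,
                               debugger_connected=False, tracer_pid=0)
# The same emulator after an analyst renames frida, moves its port, adds a SIM profile,
# pads the package list and sets a plausible battery: every probe goes quiet.
HARDENED_SANDBOX = DeviceSnapshot(CLEAN_MAPS, QUIET_TCP, [f"com.vendor.app{i}" for i in range(120)],
                                  sim_state_ready=True, battery_level=58, battery_plugged=False,
                                  debugger_connected=False, tracer_pid=0)

if __name__ == "__main__":
    for name, snap in [("real phone", REAL_PHONE), ("bare emulator", BARE_EMULATOR),
                       ("hardened sandbox", HARDENED_SANDBOX)]:
        score, fired = suspicion_score(snap)
        print(f"{name:17s} score={score:3d} {verdict(score):8s} fired={fired}")
```

Run as-is, the bare emulator scores well above the threshold while the same machine with Frida renamed, its port moved, a SIM profile present, a padded package list and an ordinary battery reading scores zero. The practical lesson for anyone analysing a sample built this way is that each probe is individually cheap to defeat but the score is cumulative, so a sandbox has to pass all of the probes the sample actually runs before the payload stage is worth waiting for. And because the final call is made by a human at the panel, a partially convincing environment may simply never receive the next stage.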
According to the report from mobile security firm ThreatFabric, Perseus is distributed through phishing sites disguised as IPTV services — apps that users voluntarily sideload onto their devices to access premium streaming content. By embedding its payload inside that expected context, the malware reduces suspicion at the point of installation. The same distribution model was recently observed with the Massiv Android malware.
Once active, Perseus uses Android’s Accessibility service to run remote sessions in real time, capturing keystrokes, launching overlay attacks on financial and cryptocurrency apps, and giving operators the ability to authorize fraudulent transactions directly from a remote panel. The countries targeted most heavily, the report states, are Turkey and Italy, with campaigns also reaching Poland, Germany, France, the U.A.E., and Portugal.
Built on Leaked Code, Extended by AI
Perseus traces its lineage to Cerberus, first documented by ThreatFabric in August 2019, and to Phoenix, one of several variants that emerged after Cerberus’s source code leaked in 2020. Others from that lineage include Alien and ERMAC. Researchers found that Perseus expands specifically on the Phoenix codebase — but with a notable production signal: extensive in-app logging and the presence of emojis embedded in the source code suggest the threat actors likely used a large language model to assist in development.
The note-monitoring capability sets Perseus apart from credential-focused predecessors. Beyond intercepting banking app logins, it actively monitors users’ notes applications — a targeting choice that points toward extracting high-value personal or financial information stored outside traditional financial interfaces. Passwords, seed phrases, account numbers, private addresses: the kind of data people write down and assume no one is watching.
Efficiency Over Novelty
ThreatFabric describes Perseus as evidence of a broader pattern in malware development — one where threat actors prioritize refining inherited capabilities over building entirely new ones. “Its capabilities, which range from Accessibility-based remote control and overlay attacks to note monitoring, show a clear focus on maximizing both interaction with the device and the value of the data collected,” the firm said. “This balance between inherited functionality and selective innovation reflects a broader trend toward efficiency and adaptability in malware development.”
The suspicion score mechanism, taken together with the AI-assisted development indicators and the note-monitoring feature, puts Perseus in a different category from the commodity Android banking trojans that flood phishing campaigns. It is built to avoid researchers as deliberately as it is built to target users.
This article is a curated summary based on third-party sources.