SECURITY researchers have disclosed a new Android banking malware family named Perseus, which aims to take control of infected devices and carry out financial fraud. Perseus is built on Cerberus and Phoenix and is distributed through dropper apps on phishing sites to encourage victims to sideload them, with ThreatFabric saying the operators use Accessibility-based remote sessions for real-time monitoring and full device takeover.
Campaigns have targeted several regions, with a stated focus on Turkey and Italy, and the malware is designed to monitor users' notes to extract high-value personal or financial data, going beyond traditional credential theft. The sample campaigns list Roja App Directa, TvTApp, and PolBox Tv as dropper and payload artefacts, and Perseus can be commanded remotely via a C2 panel to perform overlay attacks, capture keystrokes, and authorise fraudulent transactions.
It also performs environment checks for debuggers and analysis tools, validates SIM presence and battery status, and builds a suspicion score to decide whether to proceed with data theft, with ThreatFabric noting that this is an evolution of earlier families rather than a completely new paradigm. According to ThreatFabric, Perseus demonstrates targeted improvements in accessibility-based remote control, overlay attacks and note monitoring, blending inherited functionality with selective innovation to maximise the value of the stolen data.