Perseus Android Banking Malware Leveraging Accessibility Services for Real-Time Device Takeover and Note Monitoring
Summary
A new Android malware family named Perseus is actively distributed in the wild, enabling device takeover (DTO) and financial fraud. Built on the foundations of Cerberus and Phoenix, Perseus leverages Accessibility-based remote sessions to monitor and interact with infected devices in real time, with a strong regional focus on Turkey and Italy. The malware monitors note-taking applications to extract high-value personal or financial information, expanding traditional credential theft tactics.
Timeline
- 19.03.2026 14:43 · 1 article
Perseus Android Banking Malware Deployed with Note Monitoring and Real-Time Device Takeover Capabilities
A new Android malware family, Perseus, has been deployed in the wild with capabilities that enable real-time device takeover and targeted extraction of sensitive data from note-taking applications. The malware leverages Accessibility Service abuse for granular interaction with infected devices, including commands for VNC-like screen streaming, hierarchical UI manipulation, and keystroke interception. Perseus monitors note-taking apps such as Google Keep, Samsung Notes, and Microsoft OneNote, expanding traditional credential theft tactics. Campaigns primarily target regions including Turkey and Italy, with distribution facilitated via IPTV-themed dropper apps hosted on phishing sites to lower user suspicion.
Sources:
- New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data — thehackernews.com — 19.03.2026 14:43
Information Snippets
- Perseus is distributed via dropper apps hosted on phishing sites, masquerading as IPTV services to reduce user suspicion and increase infection success rates.
  First reported: 19.03.2026 14:43 (1 source, 1 article)
  Sources:
- New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data — thehackernews.com — 19.03.2026 14:43
- The malware abuses Android's Accessibility Service to grant itself permissions, enabling real-time monitoring, keystroke interception, and fake overlay screens on financial and cryptocurrency apps.
  First reported: 19.03.2026 14:43 (1 source, 1 article)
  Sources:
- New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data — thehackernews.com — 19.03.2026 14:43
- Perseus includes commands to scan contents from note-taking apps such as Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Simple Notes, and Microsoft OneNote (the malware uses an incorrect package name for it).
  First reported: 19.03.2026 14:43 (1 source, 1 article)
  Sources:
- New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data — thehackernews.com — 19.03.2026 14:43
- Remote control capabilities include launching near-real-time VNC sessions (start_vnc, stop_vnc), hierarchical UI interaction (start_hvnc, stop_hvnc), and screen capture via accessibility service (enable_accessibility_screenshot).
  First reported: 19.03.2026 14:43 (1 source, 1 article)
  Sources:
- New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data — thehackernews.com — 19.03.2026 14:43
- The malware performs extensive environment checks to detect debuggers (Frida, Xposed), verify SIM card presence, assess installed app count, and validate battery values to confirm device operation.
  First reported: 19.03.2026 14:43 (1 source, 1 article)
  Sources:
- New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data — thehackernews.com — 19.03.2026 14:43
- Perseus calculates a suspicion score based on collected telemetry before proceeding with data theft, indicating adaptive evasion tactics.
  First reported: 19.03.2026 14:43 (1 source, 1 article)
  Sources:
- New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data — thehackernews.com — 19.03.2026 14:43
- Threat actors reportedly used a large language model (LLM) to assist in development, as indicated by extensive in-app logging and the presence of emojis in the source code.
  First reported: 19.03.2026 14:43 (1 source, 1 article)
  Sources:
- New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data — thehackernews.com — 19.03.2026 14:43
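
Because the snippets above describe a sideloaded dropper that then relies on an enabled Accessibility Service, one defensive triage check is to list enabled accessibility services whose package did not come from a trusted store. The following is an added example, not taken from the source article; it parses the output of `settings get secure enabled_accessibility_services` and `pm list packages -i`, and the package names, sample output, trusted-installer set and allowlist are constructed assumptions.

```python
import re

# Assumption: only Google Play counts as a trusted installer; adjust per fleet policy.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_enabled_services(settings_output):
    """Parse `settings get secure enabled_accessibility_services` output
    (colon-separated package/class components) into (package, component) pairs."""
    out = settings_output.strip()
    if not out or out == "null":  # nothing enabled
        return []
    return [(c.split("/", 1)[0], c) for c in out.split(":") if "/" in c]

def parse_installers(pm_output):
    """Parse `pm list packages -i` lines into {package: installer or None}."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def flag_sideloaded_accessibility(settings_output, pm_output, allowlist=()):
    """Return enabled accessibility components whose package has no trusted
    installer. Preinstalled packages can also report no installer, so known
    system services should be passed in `allowlist`."""
    installers = parse_installers(pm_output)
    return [comp for pkg, comp in parse_enabled_services(settings_output)
            if pkg not in allowlist and installers.get(pkg) not in TRUSTED_INSTALLERS]

# Constructed sample output (hypothetical package names, not indicators from the report).
SAMPLE_SETTINGS = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.iptvplayer/com.example.iptvplayer.HelperService\n")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.android.chrome  installer=com.android.vending
"""

if __name__ == "__main__":
    for comp in flag_sideloaded_accessibility(SAMPLE_SETTINGS, SAMPLE_PM):
        print("review:", comp)
```

A flagged component is a prompt for review, not proof of infection: legitimate sideloaded accessibility tools will also appear.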