Find notable cyber news and cases, enriched with sources, timelines, and signals.

Perseus Android malware family actively distributed in the wild

Malware Activity
First reported
Last updated
Happening score
H score 27
1 unique sources, 1 articles

Summary

Hide ▲

The Perseus Android malware family is being actively distributed in the wild, putting infected devices at risk of device takeover and financial fraud. It spreads through dropper apps on phishing sites and uses Accessibility-based remote sessions to control devices, steal credentials, and hide activity. The malware targets users in Turkey and Italy and can also monitor notes and authorize fraudulent transactions through a C2 panel.

Related Happenings

Rokarolla Android banking trojan activity

Malware Activity
H score26 First: 16.06.2026 16:15 Last: 16.06.2026 16:15 Sources 1

About this happening: The **Rokarolla** **Android banking trojan** is expanding phone-level control on infected devices, letting attackers steal credentials, intercept authentication codes, and hide fr...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: **GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...

Grandoreiro and BTMOB banking trojan activity targeting Windows and Android

Malware Activity
H score25 First: 27.05.2026 19:10 Last: 27.05.2026 19:10 Sources 1

About this happening: **BTMOB** is an **Android remote access trojan** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a builder that generates customize...

BTMOB Android RAT no-code builder malware activity

Malware Activity
H score28 First: 26.05.2026 17:00 Last: 26.05.2026 17:00 Sources 1

About this happening: **BTMOB** is an **Android RAT** sold as **malware-as-a-service** on the **clearweb** and in private **Telegram** channels, with a **no-code APK builder** that generates customized...

Latest development: 29.05.2026 00:10

BTMOB is openly advertised on the clearweb and in private Telegram channels as a malware-as-a-service (MaaS) platform with an APK builder that customizes phishing payloads without coding. The Android RAT targets users mainly in Brazil and Latin America, uses phishing sites masquerading as streaming services, cryptocurrency mining platforms, and Google Play portals, and custom lures have included an Argentinian government agency theme.

Google rolls out Android Intrusion Logging in Android Advanced Protection Mode

Security Tool/Service
H score10 First: 14.05.2026 16:30 Last: 14.05.2026 16:30 Sources 1

About this happening: Google has released **Android Intrusion Logging** for **Android Advanced Protection Mode**, giving **high-risk Android users** encrypted forensic logs to investigate suspected **s...

Timeline

  1. 19.03.2026 14:43 2 articles · 3mo ago

    Perseus Android malware disclosed with active in-the-wild distribution

    Initial Disclosure

    Cybersecurity researchers disclosed Perseus, a new Android malware family that is actively distributed in the wild for device takeover and financial fraud. The malware is built on Cerberus and Phoenix, spreads through dropper apps on phishing sites and IPTV-themed lures, and uses Accessibility-based remote sessions, overlay attacks, keystroke capture, note monitoring, and C2 commands to steal credentials and authorize fraudulent transactions. Campaigns have primarily targeted Turkey and Italy, with additional activity affecting Poland, Germany, France, the U.A.E., and Portugal.

    Show sources