
Android Malware: Perseus Trojan Steals Data & Accesses Notes

by Sophie Williams

New Android Malware, Perseus, Targets User Notes for Sensitive Data

A new Android malware family, dubbed Perseus, is actively spreading and compromising devices by scanning user note-taking applications for sensitive information, according to cybersecurity researchers. The threat, detailed in a report released around March 19, 2026, represents an evolution in device takeover (DTO) malware and highlights the growing risks associated with storing personal data in readily accessible formats.

Perseus builds upon the code of previously known Android banking trojans, including Cerberus and Phoenix, whose source code was leaked years ago. It has transformed into a more flexible platform designed for full device compromise, financial fraud, and targeted data harvesting. The malware is not available on the Google Play Store, instead spreading through fake IPTV and streaming apps distributed via phishing websites or sideloading.

Victims are often tricked into installing malicious applications disguised as legitimate media or TV streaming services, such as variants mimicking “Roja Directa TV.” Once installed, Perseus requests Accessibility Services permissions – a common tactic used by Android malware – to gain powerful control over the device. This gives attackers real-time monitoring of, and precise interaction with, infected devices, particularly in regions like Turkey and Italy.
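Because the infection chain described above combines sideloading with an Accessibility Services grant, a device audit can cross-reference the two. The following is an added example, not code from the researchers' report: it parses the output of three standard `adb shell` commands and lists enabled accessibility services whose package is neither a system app nor installed by the Play Store. All package names and sample output are constructed, and treating the Play Store as the only trusted installer is an assumption.

```python
import re

TRUSTED_INSTALLERS = {"com.android.vending"}  # assumption: Play Store is the only trusted source

def a11y_packages(raw):
    """Packages owning a service in `settings get secure enabled_accessibility_services`."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    # The setting is a colon-separated list of package/class component names.
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}

def installers(raw):
    """Map package -> installer from `pm list packages -i` (None if none recorded)."""
    out = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            out[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return out

def system_packages(raw):
    """Package names from `pm list packages -s` (preinstalled system apps)."""
    return {l.strip()[8:] for l in raw.splitlines() if l.strip().startswith("package:")}

def flag_sideloaded_a11y(services_raw, installers_raw, system_raw):
    """Return (package, installer) for non-system accessibility services not from a trusted store."""
    inst, system = installers(installers_raw), system_packages(system_raw)
    return [(p, inst.get(p)) for p in sorted(a11y_packages(services_raw))
            if p not in system and inst.get(p) not in TRUSTED_INSTALLERS]

# Constructed sample output; every package name below is made up for illustration.
SERVICES = ("com.google.android.marvin.talkback/.TalkBackService:"
            "com.example.iptvplayer/com.example.iptvplayer.CoreService:"
            "com.example.passwordmgr/.AutofillA11y:"
            "com.example.tvstream/.HelperService")
INSTALLERS = """package:com.google.android.marvin.talkback  installer=null
package:com.example.iptvplayer  installer=null
package:com.example.passwordmgr  installer=com.android.vending
package:com.example.tvstream  installer=com.google.android.packageinstaller
"""
SYSTEM = "package:com.google.android.marvin.talkback\n"

if __name__ == "__main__":
    for pkg, src in flag_sideloaded_a11y(SERVICES, INSTALLERS, SYSTEM):
        print(f"review: {pkg} (installer: {src or 'none recorded'})")
```

A flagged package is a prompt for review rather than proof of infection, since legitimately sideloaded tools can also hold accessibility access.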

What sets Perseus apart is its “scan_notes” capability. When activated by attackers, this feature systematically detects popular note-taking applications, opens them in the background without user interaction, and extracts the content of stored notes. This capability allows the malware to target passwords, recovery phrases, and financial details often stored in plain text within these applications. Researchers at News-Nest first reported on the malware’s note-scanning functionality.

The development of Perseus demonstrates a shift in mobile malware tactics, moving beyond traditional credential theft to focus on unstructured, user-generated data. Cybersecurity News reports that the malware is spreading across Europe, the UAE, and among cryptocurrency users. The use of accessibility features for malicious purposes continues to be a significant threat to Android users, and this malware underscores the importance of cautious app installation practices and robust security measures. The Hacker News details how the malware leverages phishing apps to enable device takeover and financial fraud.

ThreatFabric’s analysis suggests that the threat actors may have utilized a large language model (LLM) during the malware’s development, based on indicators such as extensive in-app logging and the inclusion of emojis in the source code. This highlights a growing trend of cybercriminals leveraging AI tools to enhance their malicious activities.
