A new Android malware family, dubbed Perseus, is targeting users through apps posing as popular IPTV services, with a concerning new tactic: it actively searches for sensitive information stored in note-taking apps. The malware, which builds on the codebases of the Cerberus and Phoenix banking trojans, is capable of full device takeover and financial fraud, raising the stakes for Android security.
Researchers at ThreatFabric have identified Perseus as a threat that goes beyond traditional credential theft. Besides banking overlays, the malware specifically targets user-generated content in note applications such as Google Keep, Samsung Notes, Evernote, and Microsoft OneNote, looking for passwords, cryptocurrency recovery phrases, and other financial data.
“Notes often contain sensitive information such as passwords, recovery phrases, financial data, or private thoughts, making them a prime target for cybercriminals,” explains ThreatFabric.
Malware Hidden in IPTV Apps
Perseus spreads through malicious dropper apps disguised as IPTV services, applications commonly used for streaming sports and other content. These droppers are distributed via unofficial Android app stores and sideloaded APKs, bypassing the Google Play Store's review process. According to the researchers, this tactic piggybacks on installation habits that are already risky (IPTV users routinely sideload apps), which lowers user suspicion and raises infection rates.
Once installed, the malware asks the user to enable Accessibility Services for it. These services, designed to assist users with disabilities, are frequently abused by malicious software because they grant an app the ability to read the screen and act on the user's behalf. The approach is similar to that of other recent malware, such as Snowblind.
With Accessibility access granted, Perseus operates with a high degree of control: it can simulate user interactions such as screen taps, swipes, and text input, open or block applications, wake the screen, and even display a black overlay to conceal its activity from the victim.
Before fully deploying, the malware gathers information about the infected device, including the model, battery level, SIM card details, installed applications, and the presence of Google Play Services. This reconnaissance helps Perseus decide whether it is running on a real victim's device or in an analysis environment, such as a researcher's emulator or sandbox, in which case it can stay dormant.
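The two steps above (sideloading, then an Accessibility Services grant) leave a trace a responder can check for. The following triage script is an added example and is not part of the ThreatFabric report or of the malware; it cross-references the device's enabled accessibility services with each host package's installer and flags any service whose package was not installed by the Play Store. It assumes `adb` access to the device; the package names and the command output embedded below are constructed for the demonstration.

```python
"""Flag accessibility services owned by packages the Play Store did not install.

A Perseus-style dropper is sideloaded from an unofficial store and then asks
for Accessibility access, so an enabled accessibility service whose host app
was not installed by com.android.vending deserves a closer look.
"""
import re
import subprocess
from typing import Dict, List, Optional, Tuple

# Installer id reported by `pm list packages -i` for Play Store installs.
PLAY_STORE = "com.android.vending"

# Constructed sample of:  adb shell settings get secure enabled_accessibility_services
# Format: colon-separated "package/service" entries ("null" when none enabled).
# The IPTV package name is hypothetical; TalkBack is Google's real screen reader.
SAMPLE_A11Y = (
    "com.example.iptvplayer/com.example.iptvplayer.ScreenService:"
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
)

# Constructed sample of:  adb shell pm list packages -i
SAMPLE_PM = """\
package:com.example.iptvplayer  installer=null
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.android.settings  installer=null
"""


def parse_accessibility_services(setting: str) -> List[Tuple[str, str]]:
    """Split the secure setting into (package, service_class) pairs."""
    setting = setting.strip()
    if not setting or setting == "null":
        return []
    pairs = []
    for entry in setting.split(":"):
        if not entry:
            continue
        pkg, _, svc = entry.partition("/")
        pairs.append((pkg, svc))
    return pairs


def parse_installers(pm_output: str) -> Dict[str, Optional[str]]:
    """Map package -> installer package; None when pm reports installer=null."""
    installers: Dict[str, Optional[str]] = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)\s*$", pm_output, re.M):
        pkg, inst = m.group(1), m.group(2)
        installers[pkg] = None if inst == "null" else inst
    return installers


def suspicious_accessibility_services(setting: str, pm_output: str,
                                      trusted=(PLAY_STORE,)) -> List[dict]:
    """Return enabled services whose host package came from an untrusted installer.

    installer=null is deliberately treated as untrusted: preloaded system apps
    report it, but so does any sideloaded APK, so the analyst must look at them.
    """
    installers = parse_installers(pm_output)
    flagged = []
    for pkg, svc in parse_accessibility_services(setting):
        inst = installers.get(pkg)
        if inst not in trusted:
            flagged.append({"package": pkg, "service": svc, "installer": inst})
    return flagged


def collect_from_device() -> Tuple[str, str]:
    """Pull both inputs from a connected device over adb (not used offline)."""
    a11y = subprocess.check_output(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        text=True)
    pm = subprocess.check_output(["adb", "shell", "pm", "list", "packages", "-i"], text=True)
    return a11y, pm


if __name__ == "__main__":
    # Runs against the constructed samples; swap in collect_from_device() for a live check.
    for hit in suspicious_accessibility_services(SAMPLE_A11Y, SAMPLE_PM):
        print(f"[!] {hit['package']} ({hit['service']}) installer={hit['installer']}")
```

On the sample data only the hypothetical IPTV package is reported, since TalkBack's installer is the Play Store. A Play Store installer is not proof of safety, and `installer=null` is also what preinstalled apps show, so treat hits as leads to inspect rather than verdicts.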
The increasing sophistication of mobile malware highlights the need for users to be vigilant about the apps they install and the permissions they grant.
Stealing Sensitive Data
If Perseus concludes it is on a real victim's device, it begins monitoring the user's banking, cryptocurrency, and e-commerce applications. It captures screenshots of user activity and displays fake login screens on top of the legitimate apps to steal credentials and two-factor authentication codes. Through the same Accessibility access, the malware also logs keystrokes, capturing passwords and other sensitive information as they are entered.
In a departure from typical banking trojans, Perseus also scans note-taking applications for valuable data. It searches all available notes for information that could be used to steal cryptocurrency or access financial accounts. All collected data is then exfiltrated to the attacker.
With stolen banking credentials, cryptocurrency keys, and data from notes, attackers can drain accounts and compromise other online services, such as email, Facebook, and PayPal.
Perseus is capable of targeting nine cryptocurrency applications and dozens of banks, including two institutions in France, though the specific banks have not been named. The malware’s comprehensive toolkit allows it to exert significant control over an infected device as long as the malicious application remains installed and the device isn’t reset.
Protecting Your Data
Experts recommend avoiding the installation of applications from unofficial sources and sticking to trusted app stores such as the Google Play Store. It is also worth periodically reviewing which apps hold Accessibility access (Settings > Accessibility) and revoking it from anything that does not genuinely need it; a streaming app never does. Crucially, users should refrain from storing sensitive information in note-taking apps: passwords belong in a dedicated password manager, and cryptocurrency recovery phrases and keys in an offline (hardware or paper) wallet, never in a note synced to the cloud.
Source: ThreatFabric