Cybersecurity researchers have identified Perseus, a new Android malware distributed via IPTV apps, enabling remote control, data theft, and financial fraud, while evolving from earlier trojans like Cerberus and Phoenix to create a more adaptable and stealth-driven threat.

Researchers Uncover Perseus Android Malware Exploiting Streaming Apps for Financial Fraud

The420 Web Desk

Cybersecurity researchers have identified a new Android malware family, named “Perseus,” that is being distributed in the wild with capabilities aimed at device takeover and financial exploitation. According to findings shared by ThreatFabric, the malware builds upon previously known banking trojans such as Cerberus and Phoenix, extending their functionality while maintaining a familiar operational structure.

Rather than introducing entirely new techniques, Perseus reflects what researchers describe as an incremental evolution of existing malware frameworks. It integrates inherited capabilities with targeted improvements, resulting in what analysts call a more adaptable and efficient platform for compromising Android devices.

The malware is primarily distributed through dropper applications masquerading as IPTV services, a method that leverages user demand for streaming content. By embedding malicious payloads within seemingly legitimate apps, attackers are able to reduce suspicion and increase infection success rates.


Disguised Distribution and Targeted Reach

Campaigns associated with Perseus have been observed targeting users across multiple regions, including Turkey, Italy, Poland, Germany, France, the United Arab Emirates, and Portugal. Researchers noted that the malware’s distribution strategy closely mirrors legitimate app delivery mechanisms, particularly those used by unofficial streaming platforms.

Among the identified artifacts are applications such as Roja App Directa, TvTApp, and PolBox TV, which function as droppers or carriers for the Perseus payload. Once installed, these applications facilitate the deployment of the malware onto the victim’s device.

ThreatFabric researchers noted that by embedding its functionality within expected user contexts—such as media consumption apps—the malware is able to blend malicious activity with routine behavior. This approach allows it to remain undetected during initial stages of infection.

Capabilities: From Surveillance to Control

Once active, Perseus enables attackers to remotely control infected devices through a command-and-control (C2) panel. The malware supports a wide range of commands that allow operators to monitor activity, manipulate the device interface, and extract sensitive information.

Among its capabilities are overlay attacks that display fake interfaces over legitimate applications, enabling the interception of user credentials. It can also capture keystrokes, monitor notes stored across applications such as Google Keep and Microsoft OneNote, and stream the victim’s screen in near real time.

Additional commands allow attackers to mute device audio, simulate user interactions through coordinate-based taps, launch applications, and install software from unknown sources. The malware can also manage application access by blocking or unblocking specific apps and controlling screenshot functionality via accessibility services.

Researchers noted that Perseus leverages Android’s accessibility features to gain extensive control over device interactions, a tactic commonly used by banking trojans to bypass security mechanisms.
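The combination the article describes (a sideloaded app that drives the interface through an accessibility service and can install packages or draw overlays) is something a defender can look for in an installed-app inventory. The following triage script is an added example, not code from the article or from ThreatFabric: it runs over a constructed sample inventory, and the permission names are real Android permissions while the app entries, package names and flagging rule are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Real Android permission names.
REQUEST_INSTALL_PACKAGES = "android.permission.REQUEST_INSTALL_PACKAGES"  # install from unknown sources
SYSTEM_ALERT_WINDOW = "android.permission.SYSTEM_ALERT_WINDOW"            # draw overlays over other apps
# Package name of the Google Play Store; any other installer is treated as sideloaded here.
PLAY_STORE = "com.android.vending"


@dataclass
class InstalledApp:
    package: str
    label: str
    installer: Optional[str]                      # installer package, None if unknown
    permissions: Set[str] = field(default_factory=set)
    # True when the manifest declares a service guarded by BIND_ACCESSIBILITY_SERVICE
    declares_accessibility_service: bool = False


def triage(app: InstalledApp) -> List[str]:
    """Return the individual risk indicators observed for one app, in a fixed order."""
    reasons = []
    if app.installer != PLAY_STORE:
        reasons.append("sideloaded")
    if app.declares_accessibility_service:
        reasons.append("accessibility service")
    if REQUEST_INSTALL_PACKAGES in app.permissions:
        reasons.append("can install packages")
    if SYSTEM_ALERT_WINDOW in app.permissions:
        reasons.append("can draw overlays")
    return reasons


def is_suspicious(app: InstalledApp) -> bool:
    """Assumed rule: sideloaded, drives the UI via accessibility, and holds at least
    one of the install/overlay abilities. Legitimate accessibility tools from the
    store do not match, and a plain sideloaded app without the extras does not either."""
    r = triage(app)
    return "sideloaded" in r and "accessibility service" in r and len(r) >= 3


# Constructed sample inventory (not data from any real app).
SAMPLE_INVENTORY = [
    InstalledApp("com.example.tvplayer", "TV Player", PLAY_STORE, {"android.permission.INTERNET"}),
    InstalledApp("com.example.streambox", "Stream Box", None,
                 {"android.permission.INTERNET", REQUEST_INSTALL_PACKAGES, SYSTEM_ALERT_WINDOW},
                 declares_accessibility_service=True),
    InstalledApp("com.example.notes", "Notes", None, {"android.permission.INTERNET"}),
]


def flagged_packages(inventory: List[InstalledApp] = SAMPLE_INVENTORY) -> List[str]:
    """Packages in the inventory that match the assumed rule."""
    return [app.package for app in inventory if is_suspicious(app)]


if __name__ == "__main__":
    for app in SAMPLE_INVENTORY:
        print(app.package, triage(app), "SUSPICIOUS" if is_suspicious(app) else "")
```

On a real device the inventory would come from the package manager (installer source, requested permissions and declared services); the rule above is deliberately conservative so that a sideloaded app with nothing but network access is not flagged.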

Evasion Techniques and Development Indicators

Perseus incorporates a series of environment checks designed to recognise analysis environments. These include detecting instrumentation and hooking frameworks such as Frida and Xposed, verifying the presence of a SIM card, assessing the number of installed applications, and evaluating battery metrics to confirm it is operating on a real device rather than an emulator.

The malware aggregates the results of these checks into a “suspicion score,” which is transmitted to its command-and-control infrastructure. Operators use this score to decide whether to proceed with further exploitation, including data theft or financial fraud.
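For an analyst, the practical consequence of such a score is that a sandbox must look like a real handset before the sample will proceed. The script below is an added example, not the malware's code or anything from ThreatFabric: it evaluates a device profile against the kinds of signals the article lists (Frida and Xposed artifacts, SIM presence, installed-app count, battery state) so that an analysis environment can be tuned until it passes. The weights, the threshold, the minimum app count and the "100% and charging" battery heuristic are constructed assumptions; the article does not give the malware's actual values.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class DeviceProfile:
    frida_artifacts: bool        # e.g. a frida-server process or gadget library is present
    xposed_artifacts: bool       # e.g. Xposed framework files or bridge classes are present
    sim_present: bool
    installed_app_count: int     # number of user-installed applications
    battery_level: int           # percent
    battery_charging: bool


# Assumed weights and threshold, chosen for illustration only.
MIN_APPS_EXPECTED = 10
FLAG_THRESHOLD = 50


def suspicion_signals(p: DeviceProfile) -> Dict[str, int]:
    """Map each triggered signal to its assumed weight."""
    signals: Dict[str, int] = {}
    if p.frida_artifacts:
        signals["frida"] = 40
    if p.xposed_artifacts:
        signals["xposed"] = 40
    if not p.sim_present:
        signals["no_sim"] = 25
    if p.installed_app_count < MIN_APPS_EXPECTED:
        signals["few_apps"] = 15
    if p.battery_level == 100 and p.battery_charging:   # static battery state typical of emulators
        signals["static_battery"] = 10
    return signals


def suspicion_score(p: DeviceProfile) -> int:
    return sum(suspicion_signals(p).values())


def looks_like_analysis_env(p: DeviceProfile) -> bool:
    """True when the profile would be treated as an analysis box under the assumed threshold."""
    return suspicion_score(p) >= FLAG_THRESHOLD


def tuning_advice(p: DeviceProfile) -> List[str]:
    """Signals an analyst would need to remove from the sandbox, in stable order."""
    return sorted(suspicion_signals(p))


# Constructed profiles: a stock emulator, the same emulator after tuning, and a phone.
EMULATOR_DEFAULT = DeviceProfile(True, False, False, 3, 100, True)
TUNED_SANDBOX = DeviceProfile(False, False, True, 25, 63, False)
REAL_PHONE = DeviceProfile(False, False, True, 40, 82, False)

if __name__ == "__main__":
    for name, prof in [("emulator", EMULATOR_DEFAULT), ("tuned", TUNED_SANDBOX), ("phone", REAL_PHONE)]:
        print(name, suspicion_score(prof), looks_like_analysis_env(prof), tuning_advice(prof))
```

The stock emulator profile trips four of the five signals and is flagged; removing the instrumentation artifacts, adding a SIM, populating the app list and giving the battery a plausible non-charging level brings the score to zero, which is the state an analyst wants before detonating a sample that performs checks like these.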

Researchers also observed indicators suggesting that the malware may have been developed with assistance from large language models. Evidence cited includes structured logging patterns and the presence of emojis within the source code, though no definitive attribution has been made.

Perseus, analysts said, demonstrates how contemporary malware development increasingly relies on refining established codebases while incorporating selective innovations. Its design underscores a broader trend in which attackers prioritize adaptability, stealth, and efficiency in targeting mobile users.
