Full Report
Cybersecurity researchers have disclosed a new Android malware family called Perseus that's being actively distributed in the wild with an aim to conduct device takeover (DTO) and financial fraud. Perseus is built upon the foundations of Cerberus and Phoenix, at the same time evolving into a "more flexible and capable platform" for compromising Android devices through dropper apps distributed
Analysis Summary
# Tool/Technique: Perseus
## Overview
Perseus is a sophisticated Android banking malware family designed to facilitate financial fraud and device takeover (DTO). It is an evolutionary successor to the Cerberus and Phoenix malware families. Its primary objective is to steal financial credentials and sensitive personal information through overlay attacks, keylogging, and a specialized focus on extracting data from note-taking applications.
## Technical Details
- **Type**: Malware family (Banking Trojan / Remote Access Trojan)
- **Platform**: Android
- **Capabilities**: Remote Access (VNC/hVNC), Overlay Attacks, Keylogging, SMS Interception, Note Data Extraction, Accessibility Service Abuse.
- **First Seen**: March 2026 (Reported)
## MITRE ATT&CK Mapping
- **TA0031 - Network Effects**
  - **T1476 - Deliver Malicious App via Phishing** (Distributed through phishing sites masquerading as IPTV services)
- **TA0030 - Persistence**
  - **T1546.010 - Event Triggered Execution: Accessibility Service**
- **TA0037 - Collection**
  - **T1417.001 - Input Capture: Keylogging**
  - **T1417.002 - Input Capture: GUI Overlay**
  - **T1533 - Data from Local System** (Specifically note-taking apps)
- **TA0040 - Impact**
  - **T1499.005 - Endpoint Denial of Service: OS Lockdown** (Use of black screen overlays to hide activity)
## Functionality
### Core Capabilities
- **Overlay Attacks**: Displays fake login screens over banking and cryptocurrency apps to harvest credentials.
- **Accessibility Service Abuse**: Grants itself extensive permissions to monitor user interactions and bypass security prompts.
- **C2 Communication**: Receives remote commands from a command-and-control server to execute fraudulent transactions.
- **SMS Interception**: Monitors and exfiltrates SMS messages to bypass Two-Factor Authentication (2FA).
### Advanced Features
- **Note Scanning (`scan_notes`)**: Specifically targets and extracts content from apps like Google Keep, Samsung Notes, Evernote, and OneNote to find recovery phrases or passwords.
- **Remote Session (VNC/hVNC)**: Provides operators with a real-time visual stream or a structured UI hierarchy interaction to control the device remotely.
- **Stealth Mechanisms**: Employs an "action_blackscreen" feature to mute audio and black out the screen, hiding malicious background activity (like unauthorized transfers) from the victim.
- **LLM-Assisted Development**: Source code indicators (extensive logging and emojis) suggest the use of Large Language Models during development.
## Indicators of Compromise
- **Package Names**:
  - `com.xcvuc.ocnsxn` (Dropper)
  - `com.tvtapps.live` (Perseus Payload)
  - `com.streamview.players` (Perseus Payload)
- **App Names**: Roja App Directa, TvTApp, PolBox Tv.
- **Network Indicators**: Not listed in the source text.
- **Behavioral Indicators**:
  - Immediate request for Accessibility Services upon first launch.
  - Persistent overlays appearing when banking applications are opened.
  - Unexpected device performance degradation or unprompted screen blackouts.
## Associated Threat Actors
- Currently unattributed, though targeting patterns show a strong focus on users in Turkey, Italy, Poland, Germany, France, U.A.E., and Portugal.
## Detection Methods
- **Signature-based**: Detection of known package names (`com.tvtapps.live`, etc.) and Cerberus-derived code signatures.
- **Behavioral**: Identifying apps that request Accessibility Services and immediately attempt to draw over other applications or minimize system volume.
- **Heuristic**: Monitoring for unauthorized programmatic interactions with the UI hierarchy (hVNC detection).
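A triage routine that applies the signature and behavioral checks above to a device's package inventory, as an added example that is not part of the original report. The `AppRecord` shape, the Play Store installer check and the sample inventory are assumptions constructed here; the package names come from the report.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Package names the report attributes to Perseus (dropper and payloads).
PERSEUS_PACKAGES = {
    "com.xcvuc.ocnsxn": "dropper",
    "com.tvtapps.live": "payload",
    "com.streamview.players": "payload",
}
PLAY_STORE = "com.android.vending"  # installer recorded for Play-delivered apps
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}


@dataclass
class AppRecord:
    # Assumed record shape; in practice built from `pm list packages -i`,
    # `dumpsys package <pkg>` and the enabled_accessibility_services setting.
    package: str
    installer: Optional[str]  # None = sideloaded / unknown installer
    permissions: Set[str] = field(default_factory=set)
    accessibility_enabled: bool = False


def triage(app: AppRecord) -> List[str]:
    """Return Perseus-style findings for one package (empty list if clean)."""
    findings = []
    if app.package in PERSEUS_PACKAGES:  # signature check: known IoC package
        findings.append(f"known Perseus {PERSEUS_PACKAGES[app.package]} package")
    # Behavioral check from the report: a sideloaded app that holds an enabled
    # accessibility service and can draw over other apps (overlay/DTO) or read SMS (2FA).
    if app.installer != PLAY_STORE and app.accessibility_enabled:
        if OVERLAY_PERM in app.permissions:
            findings.append("sideloaded accessibility service with overlay permission")
        if app.permissions & SMS_PERMS:
            findings.append("sideloaded accessibility service with SMS access")
    return findings


def triage_inventory(apps: List[AppRecord]) -> Dict[str, List[str]]:
    """Map package name -> findings, keeping only packages with at least one."""
    return {a.package: hits for a in apps if (hits := triage(a))}


# Constructed sample inventory (not real device data).
SAMPLE_INVENTORY = [
    AppRecord("com.example.screenreader", PLAY_STORE, {OVERLAY_PERM}, True),
    AppRecord("com.tvtapps.live", None, {OVERLAY_PERM, "android.permission.RECEIVE_SMS"}, True),
    AppRecord("com.example.weather", None, set(), False),
]
```

A Play-installed screen reader with overlay rights is deliberately left unflagged, since the behavioral pattern only fires for sideloaded packages; the known-package signature check fires regardless of installer.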
## Mitigation Strategies
- **Prevention**: Avoid sideloading applications from third-party websites or IPTV "free" service providers.
- **Hardening**: Disable the "Install from Unknown Sources" setting on Android devices.
- **User Education**: Train users to be wary of apps requesting Accessibility permissions, which is a common red flag for Android malware.
- **Security Software**: Deploy mobile threat defense (MTD) solutions that can detect overlay activity and accessibility abuse.
## Related Tools/Techniques
- **Cerberus**: The original source code foundation.
- **Phoenix**: An intermediary variant Perseus expanded upon.
- **Alien/ERMAC**: Other malware families derived from the leaked Cerberus source code.
- **Massiv**: Another IPTV-themed Android malware with similar distribution tactics.