Overview
- ThreatFabric says Perseus is being distributed in the wild via sideloaded IPTV-themed apps, enabling full remote control through Accessibility abuse.
- Beyond overlays and keylogging, the malware systematically scans popular note-taking apps to extract passwords, recovery phrases, and financial details.
- Operators can issue C2 commands such as scan_notes, start_vnc for near-real-time screen streaming, start_hvnc for UI-level control, and install_from_unknown.
- The dropper can bypass Android 13+ sideloading restrictions and has also been used to deliver Klopatra and Medusa, according to researchers.
- Analysis points to code lineage from Phoenix/Cerberus, and logging artifacts suggest possible LLM-assisted development; targeting extends to crypto apps and to multiple European and Middle Eastern countries.