"Perseus" Malware Steals Android Users' Personal Data, Targets Passwords to Crypto Phrases

JAKARTA - A new threat is haunting the Android ecosystem. The malware, called Perseus, is reported to be able to infiltrate devices and actively scan personal note-taking apps to steal sensitive data, ranging from passwords to crypto recovery phrases.

In a recent report from cybersecurity firm ThreatFabric, Perseus is described as a Trojan that masquerades as a popular streaming application. The malware does not circulate through the Google Play Store; it is distributed through unofficial app stores and third-party APK files.

The operators take advantage of users' habit of downloading illegal applications, especially IPTV services used to watch pirated sports broadcasts. Behind the application's facade sits a hidden malicious payload that starts working once the application is installed on the device.

Unlike conventional banking Trojans, which generally steal OTP codes or record keystrokes, Perseus adopts a more invasive approach. The malware abuses the Android Accessibility Services feature to open and navigate the user's note-taking applications systematically.

The target is not just any application. Perseus specifically targets popular services such as Google Keep, Samsung Notes, Evernote, and Microsoft OneNote. In addition, applications such as Xiaomi Notes, ColorNote, and Simple Notes are also on the target list.

Inside those applications, the malware reads the text content in search of crucial information, including account passwords, banking details, and crypto wallet recovery phrases - data that users often store in personal notes for easy access.
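The behaviour described above combines two signals a defender can check for on a device: an app that holds an enabled Accessibility Service, and an app that arrived by sideloading rather than from an official store. The script below is an added example, not code from ThreatFabric or from the article; it parses constructed sample output of two standard Android shell commands (`adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -3 -i`) and flags enabled accessibility services that belong to packages with no store installer. The exact `installer=` line format and the package names used in the samples are assumptions for illustration.

```python
"""Flag sideloaded third-party apps that hold an enabled Accessibility Service.

Added example for triaging an Android device. Input is the text of two adb
commands; the samples below are constructed, not captured from real malware.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
# Format: colon-separated ComponentName strings (package/service class), or "null".
SAMPLE_ENABLED_SERVICES = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.iptvplayer/com.example.iptvplayer.svc.NoteReader"   # hypothetical package
)

# Constructed sample of: adb shell pm list packages -3 -i
# Assumed line format: "package:<name>  installer=<installer package or null>".
SAMPLE_PACKAGES = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptvplayer  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Installers treated as legitimate store fronts (Google Play, Samsung Galaxy Store).
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending", "com.sec.android.app.samsungapps"}

_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)")


def parse_enabled_services(raw: str) -> Set[str]:
    """Return the set of package names that own an enabled accessibility service."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    packages: Set[str] = set()
    for component in raw.split(":"):
        component = component.strip()
        if component:
            packages.add(component.split("/", 1)[0])   # package part of package/class
    return packages


def parse_installers(raw: str) -> Dict[str, Optional[str]]:
    """Map third-party package name -> installer package (None when sideloaded)."""
    installers: Dict[str, Optional[str]] = {}
    for line in raw.splitlines():
        match = _PKG_LINE.match(line.strip())
        if match:
            installer = match.group(2)
            installers[match.group(1)] = None if installer == "null" else installer
    return installers


def find_suspicious(enabled_raw: str, packages_raw: str,
                    trusted: Set[str] = TRUSTED_INSTALLERS) -> List[Tuple[str, str]]:
    """Return (package, reason) for third-party apps with accessibility rights
    that were not installed by a trusted store."""
    enabled = parse_enabled_services(enabled_raw)
    installers = parse_installers(packages_raw)
    flagged: List[Tuple[str, str]] = []
    for package in sorted(enabled):
        if package not in installers:
            continue   # not a third-party app (system/preinstalled), out of scope here
        installer = installers[package]
        if installer not in trusted:
            reason = f"installed by {installer}" if installer else "sideloaded (no installer)"
            flagged.append((package, reason))
    return flagged


if __name__ == "__main__":
    for package, reason in find_suspicious(SAMPLE_ENABLED_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW: {package} has an enabled accessibility service and is {reason}")
```

A hit from this script is a prompt for review, not proof of infection: legitimate accessibility tools installed outside a store will also appear. Revoking the service in Settings and uninstalling any app that was never knowingly sideloaded is the conservative response.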

Researchers say this is one of the first cases in which Android malware has been specifically designed to extract data from notes curated by users themselves, rather than only data passing through the system.

Before acting, Perseus also carries out a series of checks on the device, including hardware conditions, battery status, and the number of installed applications. This step is believed to help it evade analysis environments and confirm that the target is "worthy" enough to be exploited.

Currently, the Perseus campaign has been observed targeting users in Turkey and Italy, with a focus on dozens of local financial institutions as well as crypto services. However, its reliance on sideloading for distribution leaves the potential for global spread open.

Security experts warn that the practice of downloading applications from outside the official store is the main loophole through which this threat enters. Users are advised to keep using official sources such as the Google Play Store and to avoid installing APK files from untrusted sources.