New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

Cybersecurity researchers have disclosed a new family of Android malware known as Perseus, which is being distributed to carry out device takeover (DTO) and financial fraud. The malware builds on its predecessors, Cerberus and Phoenix, and has evolved into a more adaptable and capable platform for compromising Android devices. It reaches victims through dropper applications distributed via phishing websites.

Operational Mechanism and Target Regions

According to a report from ThreatFabric shared with The Hacker News, Perseus uses Accessibility-based remote sessions that give operators real-time monitoring of, and precise interaction with, infected devices. This capability allows for complete device takeover, with targeting concentrated in Turkey and Italy. Notably, Perseus goes beyond traditional credential theft: it actively scrapes the contents of note-taking apps, indicating a deliberate focus on the passwords, recovery phrases and other high-value personal or financial information users often keep there.

Cerberus was first documented by the Dutch mobile security firm in August 2019. It abused Android's accessibility service to grant itself additional permissions and stole sensitive data through deceptive overlay screens. After its source code leaked in 2020, several variants emerged, including Alien, ERMAC, and Phoenix.

Distribution Artifacts

Some of the artifacts associated with Perseus include:

  • Roja App Directa (com.xcvuc.ocnsxn) – Dropper
  • TvTApp (com.tvtapps.live) – Perseus payload
  • PolBox Tv (com.streamview.players) – Perseus payload
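A practical use of the artifact list above is a quick sweep of a device for the published package names. The following is an added example, not code from ThreatFabric's report or from the malware itself: it parses the output of `adb shell pm list packages -3` (with or without `-f`, which prefixes the APK path) and reports any package that matches the Perseus artifacts. The sample output embedded in the block is constructed for the demonstration; a real run would feed the function the live output of the `adb` command.

```python
import re
import subprocess
from typing import Dict, List

# Package names published as Perseus artifacts in the report, mapped to the
# app name they were distributed under and their role.
PERSEUS_PACKAGES: Dict[str, str] = {
    "com.xcvuc.ocnsxn": "Roja App Directa (dropper)",
    "com.tvtapps.live": "TvTApp (Perseus payload)",
    "com.streamview.players": "PolBox Tv (Perseus payload)",
}


def parse_pm_list(output: str) -> List[str]:
    """Extract package names from `pm list packages` output.

    Without -f each line is `package:<name>`; with -f it is
    `package:<apk path>=<name>`, where the path itself may contain '='
    (Android 11+ uses base64-style directory names), so the name is taken
    after the last '='.
    """
    names = []
    for line in output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        name = body.rsplit("=", 1)[1] if "=" in body else body
        if re.fullmatch(r"[A-Za-z0-9_.]+", name):
            names.append(name)
    return names


def find_perseus(installed: List[str]) -> Dict[str, str]:
    """Return {package: description} for every installed Perseus artifact."""
    return {pkg: PERSEUS_PACKAGES[pkg] for pkg in installed if pkg in PERSEUS_PACKAGES}


def sweep_live_device() -> Dict[str, str]:
    """Run the adb command against a connected device (requires adb on PATH)."""
    out = subprocess.run(
        ["adb", "shell", "pm", "list", "packages", "-3", "-f"],
        capture_output=True, text=True, check=True,
    ).stdout
    return find_perseus(parse_pm_list(out))


# Constructed sample output for an offline run: one clean third-party app,
# one Perseus payload listed with -f style path, one dropper without a path.
SAMPLE_PM_OUTPUT = """\
package:/data/app/~~Ab12==/com.example.reader-Xy==/base.apk=com.example.reader
package:/data/app/~~Cd34==/com.tvtapps.live-Qw==/base.apk=com.tvtapps.live
package:com.xcvuc.ocnsxn
"""

if __name__ == "__main__":
    hits = find_perseus(parse_pm_list(SAMPLE_PM_OUTPUT))
    for pkg, desc in hits.items():
        print(f"MATCH {pkg}: {desc}")
```

Package names are the weakest of indicators: a rebuilt dropper can carry any name, so treat a match as confirmation and a miss as inconclusive. The `-f` form is worth using because it also tells you the install path, which distinguishes a sideloaded APK from a Play-delivered one.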

ThreatFabric's analysis indicates that Perseus extends the Phoenix codebase, and that the threat actors likely used a large language model (LLM) during development, an inference drawn from the unusually extensive in-app logging and the emojis scattered through the source code.

Targeting Strategies

Like the recently disclosed Massiv Android malware, Perseus poses as an IPTV service, targeting users who sideload apps to watch premium content for free. The distribution campaigns have primarily focused on Turkey, Italy, Poland, Germany, France, the U.A.E., and Portugal. Because sideloading an IPTV app is already an accepted practice among its targets, the lure lowers suspicion and makes the permission prompts the malware needs, such as access to the accessibility service, look routine.

Once running, Perseus behaves like other Android banking malware: it performs overlay attacks and logs keystrokes to intercept user input in real time, displaying counterfeit login screens over banking and cryptocurrency apps to harvest credentials.

Command and Control Capabilities

The malware grants operators the ability to remotely issue commands via a command-and-control (C2) panel, enabling them to perform and authorize fraudulent transactions. Some of the supported commands include:

  • scan_notes: Captures content from various note-taking applications.
  • start_vnc: Initiates a near-real-time visual stream of the victim’s screen.
  • stop_vnc: Terminates the remote session.
  • start_hvnc: Transmits a structured representation of the UI hierarchy for programmatic interaction.
  • stop_hvnc: Ends the remote session.
  • enableaccessibilityscreenshot: Activates screenshot capabilities via the accessibility service.
  • disableaccessibilityscreenshot: Deactivates screenshot capabilities.
  • unblock_app: Removes an application from the blocklist.
  • clear_blocked: Clears the entire list of blocked applications.
  • action_blackscreen: Displays a black screen overlay to obscure device activity from the user.
  • nighty: Mutes audio.
  • click_coord: Executes a tap at specific screen coordinates.
  • installfromunknown: Forces installation from unknown sources.
  • start_app: Launches a specified application.

Detection and Adaptation

Perseus runs a series of environment checks to detect debuggers and instrumentation frameworks such as Frida and Xposed. It also verifies that a SIM card is present, counts the installed applications, and inspects battery values, all signals used to tell a real user's phone from an emulator or analysis sandbox. The results are combined into an overall suspicion score that is sent to the C2 panel, where the operator uses it to decide whether the device is worth proceeding with.
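For an analyst, the practical consequence of these checks is that an out-of-the-box emulator with frida-server running will likely be scored as a sandbox and receive no payload or commands. The block below is an added example, not the malware's code or ThreatFabric's: it reproduces the same categories of check from the analyst side, over the outputs of `pm list packages -3`, `getprop gsm.sim.state`, `dumpsys battery` and `/proc/net/tcp`, so a sandbox can be tuned before detonation. The weights and thresholds are assumptions for illustration (the report does not publish Perseus's own); the two device snapshots are constructed.

```python
from typing import Dict, List, Tuple

# Assumed weights and thresholds: the report says these signals feed one
# suspicion score but gives no numbers, so these are illustrative only.
MIN_THIRD_PARTY_APPS = 15
FRIDA_PORT_HEX = "69A2"            # 27042, frida-server's default listening port
XPOSED_INSTALLER = "de.robv.android.xposed.installer"


def third_party_packages(pm_list_output: str) -> List[str]:
    """Names from `adb shell pm list packages -3` (no -f, so `package:<name>`)."""
    return [l.strip()[len("package:"):] for l in pm_list_output.splitlines()
            if l.strip().startswith("package:")]


def parse_dumpsys_battery(output: str) -> Dict[str, str]:
    """Parse the indented `key: value` lines of `adb shell dumpsys battery`."""
    values: Dict[str, str] = {}
    for line in output.splitlines():
        key, sep, val = line.strip().partition(":")
        if sep:
            values[key.strip()] = val.strip()
    return values


def frida_port_listening(proc_net_tcp: str) -> bool:
    """True if /proc/net/tcp shows a socket in LISTEN (st 0A) on port 27042."""
    for line in proc_net_tcp.splitlines()[1:]:        # skip header row
        fields = line.split()
        if len(fields) > 3 and fields[1].upper().endswith(":" + FRIDA_PORT_HEX) \
                and fields[3].upper() == "0A":
            return True
    return False


def sandbox_suspicion(pm_list_output: str, sim_state: str,
                      battery_output: str, proc_net_tcp: str) -> Tuple[int, List[str]]:
    """Score how much an analysis device looks like a sandbox; 0 means clean."""
    score, reasons = 0, []
    pkgs = third_party_packages(pm_list_output)
    if len(pkgs) < MIN_THIRD_PARTY_APPS:
        score += 2; reasons.append(f"only {len(pkgs)} third-party apps installed")
    if XPOSED_INSTALLER in pkgs:
        score += 3; reasons.append("Xposed installer package present")
    if sim_state.strip().upper() != "READY":
        score += 2; reasons.append(f"gsm.sim.state is {sim_state.strip()!r}, not READY")
    batt = parse_dumpsys_battery(battery_output)
    if batt.get("temperature") == "0":                # assumed emulator tell
        score += 1; reasons.append("battery temperature reported as 0")
    if frida_port_listening(proc_net_tcp):
        score += 3; reasons.append("frida-server default port 27042 is listening")
    return score, reasons


# Constructed snapshots: a stock emulator running frida-server, and a
# realistically populated physical phone.
EMULATOR = dict(
    pm_list_output="package:com.android.chrome\npackage:" + XPOSED_INSTALLER + "\n",
    sim_state="ABSENT",
    battery_output="Current Battery Service state:\n  level: 100\n  temperature: 0\n",
    proc_net_tcp="  sl  local_address rem_address   st\n"
                 "   0: 00000000:69A2 00000000:0000 0A 00000000:00000000\n",
)
PHONE = dict(
    pm_list_output="".join(f"package:com.example.app{i}\n" for i in range(20)),
    sim_state="READY",
    battery_output="Current Battery Service state:\n  level: 73\n  temperature: 291\n",
    proc_net_tcp="  sl  local_address rem_address   st\n"
                 "   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000\n",
)

if __name__ == "__main__":
    for name, snap in (("emulator", EMULATOR), ("phone", PHONE)):
        score, why = sandbox_suspicion(**snap)
        print(name, score, why)
```

The point of running this before detonation is that a failed check is silent from the analyst's side: the sample simply reports a high score to the panel and the operator never sends `start_vnc` or `scan_notes`. Moving frida-server off its default port, inserting a SIM (or a emulator profile that reports one), and pre-installing a realistic set of apps removes the cheap signals; the instrumentation-detection checks still need to be handled per sample.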

Perseus illustrates the incremental way Android banking malware evolves: it builds on established families like Cerberus and Phoenix and adds targeted enhancements rather than entirely new techniques. Its feature set, from Accessibility-based remote control and overlay attacks to harvesting note-taking apps, shows a clear intent to maximize both control over the device and the value of the data collected.
