Do you store passwords in your Notes app? That’s exactly what Perseus is hunting for.
- Aastha Thakker
- Mar 19
- 3 min read

A banking trojan is no longer just watching your apps; it is reading your notes, observing your screen, and quietly turning small habits into financial damage. What’s more interesting? Parts of it may not even be written entirely by humans.
At first glance, it behaves like typical banking malware, targeting financial apps and stealing credentials. But Perseus shifts the focus from applications to user behavior.
Instead of limiting itself to banking interfaces, it scans Notes apps, extracting:
- Saved passwords
- PINs
- Backup codes
This is not just data theft; it is exploitation of user convenience habits.
Origin: Built from What Was Already Broken
Perseus is not an entirely new creation. It is part of an evolving malware ecosystem that traces back to Cerberus (2019).
Cerberus introduced a critical abuse vector:
- Misusing Android’s Accessibility Services API
- Gaining high-level control of the device without raising user suspicion
- Interacting with screen content, inputs, and system actions
The real turning point came in 2020, when Cerberus’s source code was leaked. That leak did not just expose malware; it standardized it, giving later families a ready-made Accessibility-abuse toolkit to build on.
How Perseus Gets onto Your Phone
Perseus reaches victims through a calculated social engineering angle: fake IPTV streaming apps. Users searching for pirated premium content are directed to phishing sites that serve malicious APKs — sideloaded files that bypass the Google Play Store entirely. Once installed, the dropper delivers the Perseus payload.

What Makes Perseus Different
Cerberus-lineage malware focused on two techniques: overlay attacks (displaying fake login screens over banking apps) and keylogging. Perseus retains both but adds a significant new capability: the scan_notes command.
This command exfiltrates the full contents of popular note-taking apps, including:
- Google Keep
- Samsung Notes
- Xiaomi Notes
- ColorNote Notepad Notes
- Evernote
- Simple Notes Pro
- Simple Notes
- Microsoft OneNote
Why notes? Because users routinely store passwords, bank PINs, cryptocurrency seed phrases, and 2FA backup codes in plaintext inside these apps. Most notes apps add no lock or encryption of their own, and an attacker with Accessibility access can read whatever the app renders on screen regardless of how it is stored. This is a logical evolution, not a technical breakthrough, and that is exactly what makes it dangerous.
Full Remote Control
Perseus registers with a remote command-and-control (C2) panel. From there the operator issues commands that amount to full device takeover:

No CVE Required, Just Permissions
Perseus exploits no unpatched vulnerability. Every capability it uses is a legitimate Android API, abused beyond its intended purpose:
- Accessibility Services API: lets an app observe and act on any on-screen UI element. Perseus uses it to read screen content, perform taps, and drive its overlay attacks. This is not an install-time permission: the user enables the service with a single toggle in Settings > Accessibility, which is why the lure has to talk the victim into flipping it (on Android 13 and later, Restricted Settings adds one more prompt for sideloaded apps before that toggle can be used).
- SYSTEM_ALERT_WINDOW: allows drawing fake UI layers on top of legitimate banking apps. The user sees a convincing fake login screen; the credentials go straight to the attacker.
- AccessibilityEvent.TYPE_VIEW_TEXT_CHANGED: fires whenever the text in a field changes. Perseus subscribes to this event stream to keylog input across every app on the device.
- RECEIVE_SMS: intercepts incoming SMS messages, capturing one-time passwords (OTPs) for real-time 2FA bypass. READ_CONTACTS, requested alongside it, exposes the victim’s address book.
- REQUEST_INSTALL_PACKAGES: lets the app launch the system package installer for additional APKs. Installation is not silent on its own (the installer still prompts), but the Accessibility service can tap through that prompt, which is how the infection chains into other malware families.
Perseus also builds an anti-analysis suspicion score before activating. It checks for Frida and Xposed hooks (common reverse-engineering tools), validates SIM card presence, counts installed apps to detect emulators, and examines battery metadata. Only devices that pass this fingerprint are fully targeted, reducing exposure to security researchers and automated sandboxes.
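To make the anti-analysis fingerprint concrete, here is an added example (not Perseus code, and not from the original article) that reproduces the same four heuristics over text an analyst can collect with adb, so you can tell whether your analysis device would be fingerprinted before the payload activates. The weights, the 30-point activation threshold, the "fewer than five third-party apps" rule and the sample adb outputs are all assumptions constructed for this example; on-device the malware checks its own process (for example /proc/self/maps for frida-agent), which is not visible from adb, so the Frida/Xposed check below is the closest external approximation.

```python
"""
Sandbox self-check: would this device pass a Perseus-style suspicion score?
Inputs are plain text as returned by `adb shell` commands. All sample outputs
below are constructed for the example, not captured from a real device.
"""
import re

HOOK_PACKAGES = ("de.robv.android.xposed.installer", "org.lsposed.manager")
ACTIVATION_THRESHOLD = 30      # assumed: scores below this get the full payload
MIN_THIRD_PARTY_APPS = 5       # assumed: fewer looks like a fresh emulator image


def hooking_indicators(ps_output, installed_packages):
    """Frida/Xposed presence as visible from adb: a frida-server process or an
    Xposed/LSPosed manager package. Real malware also scans its own memory maps."""
    hits = []
    if re.search(r"\bfrida(-server)?\b", ps_output):
        hits.append("frida-server process")
    hits += [p for p in HOOK_PACKAGES if p in installed_packages]
    return hits


def parse_package_list(pm_output):
    """`adb shell pm list packages -3` prints one `package:<name>` per line."""
    return {line.split(":", 1)[1].strip()
            for line in pm_output.splitlines() if line.startswith("package:")}


def sim_present(sim_state):
    """`adb shell getprop gsm.sim.state`: READY or LOADED means a usable SIM."""
    return sim_state.strip().split(",")[0] in ("READY", "LOADED")


def battery_looks_synthetic(dumpsys_battery):
    """Emulators typically report 100% on AC power with status 5
    (BatteryManager.BATTERY_STATUS_FULL) and never drain."""
    level = int(re.search(r"level: (\d+)", dumpsys_battery).group(1))
    status = int(re.search(r"status: (\d+)", dumpsys_battery).group(1))
    return level == 100 and "AC powered: true" in dumpsys_battery and status == 5


def suspicion_score(ps_output, pm_output, sim_state, dumpsys_battery):
    """Returns (score, reasons). Higher means 'looks like an analysis box'."""
    score, reasons = 0, []
    packages = parse_package_list(pm_output)
    hooks = hooking_indicators(ps_output, packages)
    if hooks:
        score += 40
        reasons += hooks
    if not sim_present(sim_state):
        score += 25
        reasons.append("no SIM (gsm.sim.state=%s)" % sim_state.strip())
    if len(packages) < MIN_THIRD_PARTY_APPS:
        score += 15
        reasons.append("only %d third-party apps" % len(packages))
    if battery_looks_synthetic(dumpsys_battery):
        score += 20
        reasons.append("battery 100%, AC, status FULL")
    return score, reasons


def would_activate(score):
    """Perseus-style logic: only a device that passes the fingerprint is targeted."""
    return score < ACTIVATION_THRESHOLD


# Constructed sample: a stock emulator with frida-server running.
PS_EMULATOR = """USER  PID  PPID VSZ RSS WCHAN ADDR S NAME
root  1    0    10  2   0     0    S init
root  1337 1    50  20  0     0    S frida-server
shell 2001 1    40  10  0     0    S sh
"""
PM_EMULATOR = "package:org.lsposed.manager\npackage:com.example.harness\n"
SIM_EMULATOR = "ABSENT"
BATTERY_EMULATOR = "Current Battery Service state:\n  AC powered: true\n  status: 5\n  level: 100\n"

# Constructed sample: an ordinary phone.
PS_PHONE = "USER PID PPID VSZ RSS WCHAN ADDR S NAME\nroot 1 0 10 2 0 0 S init\n"
PM_PHONE = "".join("package:com.vendor.app%d\n" % i for i in range(40))
SIM_PHONE = "LOADED"
BATTERY_PHONE = "Current Battery Service state:\n  AC powered: false\n  status: 3\n  level: 67\n"

if __name__ == "__main__":
    for name, args in (("emulator", (PS_EMULATOR, PM_EMULATOR, SIM_EMULATOR, BATTERY_EMULATOR)),
                       ("phone", (PS_PHONE, PM_PHONE, SIM_PHONE, BATTERY_PHONE))):
        score, reasons = suspicion_score(*args)
        print(name, score, "activates" if would_activate(score) else "stays dormant", reasons)
```

The practical use is the inverse of the malware's: if your sandbox scores high here, give it a SIM profile, a realistic battery state, a populated app list and no visible hooking tooling before detonating the sample, or the payload will never show its hands.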
Indicators of Compromise

Practical Defenses That Actually Work

Protection requires behavioral hygiene and permission auditing:
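As an added example of the permission auditing this section and the "No CVE Required" section call for (this is not the article's code and not a Perseus artifact), the script below flags sideloaded apps that hold the combination Perseus relies on: an enabled accessibility service plus SYSTEM_ALERT_WINDOW, RECEIVE_SMS, READ_CONTACTS and REQUEST_INSTALL_PACKAGES. It parses text in the format produced by `adb shell settings get secure enabled_accessibility_services` and `adb shell dumpsys package <pkg>`; the two package dumps, the package names and the scoring weights are constructed for the example.

```python
"""
Permission-combination audit for Android devices, run over adb output.
Sample inputs are constructed for this example, not captured from a device.
"""
import re

# Weights are assumptions for this example: the accessibility toggle is the
# capability everything else hangs off, so it dominates the score.
ACCESSIBILITY_WEIGHT = 5
DANGEROUS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.RECEIVE_SMS": 3,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,
    "android.permission.READ_CONTACTS": 1,
}
TRUSTED_INSTALLERS = {"com.android.vending"}   # Play Store; add your MDM here
FLAG_THRESHOLD = 8                              # assumed triage cut-off

# Constructed: `adb shell settings get secure enabled_accessibility_services`
ENABLED_A11Y = ("com.google.android.marvin.talkback/.TalkBackService:"
                "tv.stream.iptvplus/.svc.CoreService")

# Constructed: relevant lines of `adb shell dumpsys package <pkg>` for two apps
DUMPSYS = {
    "tv.stream.iptvplus": """\
Package [tv.stream.iptvplus] (1a2b3c):
  installerPackageName=null
  requested permissions:
    android.permission.INTERNET
    android.permission.SYSTEM_ALERT_WINDOW
    android.permission.RECEIVE_SMS
    android.permission.READ_CONTACTS
    android.permission.REQUEST_INSTALL_PACKAGES
  install permissions:
    android.permission.INTERNET: granted=true
    android.permission.REQUEST_INSTALL_PACKAGES: granted=true
  runtime permissions:
    android.permission.RECEIVE_SMS: granted=true
    android.permission.READ_CONTACTS: granted=true
""",
    "com.example.notes": """\
Package [com.example.notes] (4d5e6f):
  installerPackageName=com.android.vending
  requested permissions:
    android.permission.INTERNET
  install permissions:
    android.permission.INTERNET: granted=true
""",
}


def enabled_accessibility_packages(setting):
    """Package names with an enabled accessibility service. The setting is a
    colon-separated list of 'package/service' entries, or 'null' when empty."""
    if not setting or setting.strip() == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in setting.split(":") if entry}


def requested_permissions(dumpsys_text):
    """Manifest-declared permissions: the indented lines under 'requested permissions:'."""
    m = re.search(r"requested permissions:\n((?:\s{4}\S+\n)+)", dumpsys_text)
    return set(m.group(1).split()) if m else set()


def installer_of(dumpsys_text):
    m = re.search(r"installerPackageName=(\S+)", dumpsys_text)
    return m.group(1) if m else "null"


def score_package(pkg, dumpsys_text, a11y_packages):
    """Returns (score, reasons) for one package."""
    score, reasons = 0, []
    if pkg in a11y_packages:
        score += ACCESSIBILITY_WEIGHT
        reasons.append("accessibility service enabled")
    for perm, weight in DANGEROUS.items():
        if perm in requested_permissions(dumpsys_text):
            score += weight
            reasons.append(perm.rsplit(".", 1)[-1])
    installer = installer_of(dumpsys_text)
    if score and installer not in TRUSTED_INSTALLERS:
        score += 2                      # sideloaded and already suspicious
        reasons.append("sideloaded (installer=%s)" % installer)
    return score, reasons


def triage(a11y_setting, dumps):
    """Score every package dump; returns {package: (score, reasons)}."""
    a11y = enabled_accessibility_packages(a11y_setting)
    return {pkg: score_package(pkg, text, a11y) for pkg, text in dumps.items()}


def flagged(results, threshold=FLAG_THRESHOLD):
    """Packages at or above the threshold, highest score first."""
    return sorted((p for p, (s, _) in results.items() if s >= threshold),
                  key=lambda p: -results[p][0])


if __name__ == "__main__":
    results = triage(ENABLED_A11Y, DUMPSYS)
    for pkg in flagged(results):
        print(pkg, results[pkg])
```

On a real device, feed it `pm list packages -3` to enumerate third-party apps and dump each one; SYSTEM_ALERT_WINDOW is an app-op, so for its grant state (rather than the manifest request checked here) also run `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`. Any flagged package that the user did not consciously install, and whose accessibility toggle they cannot explain, is the one to pull.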


