A new malicious actor has burst into the Android ecosystem and, although its name, Perseus, may sound like mythology, what it does is purely technological and worrying: it is a malware family focused on taking over the device and stealing high-value financial and personal information. Security researchers have documented how this threat reuses and refines known techniques, inherited from families such as Cerberus and Phoenix, to give attackers almost total remote control over infected phones.
The traits that identify Perseus did not appear from nowhere: its development builds on code and methods already seen in other malicious projects, with improvements aimed at making fraud more efficient. To understand its evolution, it is enough to read the technical analysis published by ThreatFabric, which explains in detail how Perseus combines remote control functions with credential theft and the extraction of notes stored in common note-taking applications. That report can be consulted on ThreatFabric's site, and Cerberus' history can be reviewed in its research entry.

The distribution method analysts have observed follows a known tactic: "dropper" applications that pose as legitimate services, in this case mainly IPTV platforms that promise premium content. Some users looking for applications outside official stores end up installing the dropper, which then downloads the malicious payload that requests accessibility permissions and other powerful authorizations. This deception works because it relies on normal user behavior: sideloading to watch multimedia content that is not available in the official store.
Once inside the device, Perseus uses Android's accessibility service to orchestrate two key attack types. On the one hand, it launches "overlay" screens that mimic bank or cryptocurrency service interfaces to capture credentials at the moment the user enters them. On the other hand, it starts remote sessions that allow the attacker to see the screen in real time and even interact with it: start or stop that visual stream, take screenshots, simulate taps at specific coordinates, open applications or force installations from unknown sources. In addition, the malware adds a notable capability: it can read note-taking applications such as Google Keep or Evernote to extract the sensitive data users often save there (passwords, keys, codes, financial notes).
The tools available to the remote operator are not incidental: they range from starting a near-real-time VNC session to sending commands that conceal criminal activity, for example displaying a black screen so that the victim does not see what is happening, or authorizing fraudulent transactions programmatically. These actions are driven from a command-and-control (C2) panel, which makes it easier to automate attacks and adapt them to each target.
Perseus also shows an interest in evading forensic analysis and lab environments: it runs checks to detect instrumentation frameworks such as Frida or Xposed, and checks for the presence of a SIM card, the number of installed applications and the battery level. From these indicators it computes a "suspicion" score that it sends to its control centre, which decides whether to proceed with data theft or abort the operation. This approach reduces exposure and improves the effectiveness of the fraud.
Another curious feature of the code is the presence of traces suggesting that the developers may have relied on language models to speed up parts of development, evidenced by extensive logging in the app and small stylistic marks in the source code. The Phoenix family had already been documented in previous analyses and there is technical discussion about the evolution of these families; an analysis of Phoenix that helps contextualize this evolution can be consulted in the Medium publication cited by analysts.
The attacks reported by ThreatFabric have had a geographical focus: Turkey and Italy appear as priority targets, although campaigns affecting users in Poland, Germany, France, the United Arab Emirates and Portugal have also been identified. The IPTV application distribution pattern lets attackers reach a niche of users with a higher likelihood of sideloading.

If you wonder how to protect yourself, there are practical measures that greatly reduce the risk. First, avoid installing applications from untrusted sources; installation outside the official store is the most frequent vector for this type of family. Keep the operating system and apps up to date, review the permissions that grant access to sensitive services (especially accessibility) and enable additional protection mechanisms such as two-step verification for your bank and email accounts. Google offers information on app protection and Play Protect in its Play Protect help center, and the UK national cybersecurity agency (NCSC) publishes practical recommendations on mobile device security.
If you think your phone has been compromised by a similar threat, the priority is to cut off the attacker's access as soon as possible: disconnect services, revoke permissions from settings, run a scan with a recognized anti-malware solution and, if signs of remote control persist, back up your data and perform a factory reset. It is also advisable to notify your bank or financial provider and to change passwords from a clean device. To improve digital hygiene in the long term, resources such as the OWASP Mobile project offer mobile security guides that help in understanding common threats and good practices.
Perseus does not invent completely new attacks, but it illustrates how malware developers combine known tools with tactical improvements to squeeze more value out of an infected device. The lesson for users and organizations is clear: vulnerabilities lie not only in software but in habits; reducing risk depends on both technical controls and day-to-day decisions when installing applications and granting them permissions.
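As an added example, not code from the article or from ThreatFabric, the accessibility permission review above can be scripted for a device connected over adb: the helper below parses the output of `pm list packages -3 -i` (third-party apps with their installer) and of `settings get secure enabled_accessibility_services`, and flags every enabled accessibility service that belongs to an app not installed from Google Play, which is exactly the sideloaded-dropper-plus-accessibility pattern Perseus relies on. The package names and command output are constructed samples.

```python
"""Triage helper: flag sideloaded third-party apps holding Android accessibility access."""
from __future__ import annotations
import re

# Constructed sample of `adb shell pm list packages -3 -i` (hypothetical package names).
PM_LIST_SAMPLE = """package:com.example.bank  installer=com.android.vending
package:tv.premium.iptv  installer=null
package:com.example.notes  installer=com.android.vending
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
ENABLED_A11Y_SAMPLE = ("com.android.talkback/.TalkBackService:"
                       "tv.premium.iptv/tv.premium.iptv.SvcCore")

# Installers you trust; add an MDM or OEM store here if the fleet uses one.
TRUSTED_INSTALLERS = {"com.android.vending"}

def parse_installers(pm_output: str) -> dict[str, str | None]:
    """Map third-party package name -> installer package (None when sideloaded)."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            pkg, inst = m.groups()
            installers[pkg] = None if inst == "null" else inst
    return installers

def parse_enabled_services(setting: str) -> list[str]:
    """Split the setting value into 'package/ServiceClass' entries ('null' means none)."""
    value = setting.strip()
    return [] if value in ("", "null") else [s for s in value.split(":") if s]

def flag_suspicious(pm_output: str, a11y_setting: str) -> list[dict]:
    """Enabled accessibility services owned by third-party apps from untrusted installers.

    Packages absent from the -3 list are system/preinstalled (e.g. TalkBack) and skipped.
    """
    installers = parse_installers(pm_output)
    findings = []
    for entry in parse_enabled_services(a11y_setting):
        pkg = entry.split("/", 1)[0]
        if pkg in installers and installers[pkg] not in TRUSTED_INSTALLERS:
            findings.append({"package": pkg, "service": entry, "installer": installers[pkg]})
    return findings

if __name__ == "__main__":
    for f in flag_suspicious(PM_LIST_SAMPLE, ENABLED_A11Y_SAMPLE):
        print(f"[!] {f['service']} installer={f['installer']}")
```

A hit is a reason to revoke the accessibility permission and investigate the app, not proof of infection on its own, since some legitimate sideloaded tools also request this permission.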