Photo: Phone (Credit: Vimal Krishnattri / Unsplash)

New Android malware hiding in streaming apps to spy on users’ personal notes

A newly discovered Android malware is masking itself within television streaming apps in order to steal users' passwords and banking data and spy on their personal notes, researchers have found.

The malware, dubbed Perseus by researchers at ThreatFabric, is being actively distributed in the wild and primarily targets users in Turkey and Italy, according to a report released on Thursday.

Perseus builds on the leaked code of older Android banking trojans, including Cerberus, a prolific malware family whose source code was exposed in 2020.

To infect devices, attackers disguise the malware inside apps that appear to offer IPTV services — platforms that stream television content over the internet. These apps are also widely used to stream pirated content and are often downloaded outside official marketplaces like Google Play, making users more accustomed to installing them manually and less likely to view the process as suspicious.

Once installed, Perseus can monitor nearly everything a user does in real time. It uses overlay attacks — placing fake login screens over legitimate apps — and keylogging capabilities to capture credentials as they are entered.
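The two traits described above, sideloading outside Google Play and drawing overlays on top of other apps, are what a defender can actually inventory on a device. The script below is an added example written for this article, not tooling from ThreatFabric or any Perseus sample analysis. It parses the real output format of `adb shell pm list packages -i` (`package:<name>  installer=<installer>`), then flags apps whose installer is not a trusted store and that hold capabilities associated with overlay attacks (`SYSTEM_ALERT_WINDOW`) or screen reading and keylogging (`BIND_ACCESSIBILITY_SERVICE`; the article does not say which mechanism Perseus uses for keylogging, so treating accessibility as the likely one is an assumption). The package names, the permission map and the trusted installer list are constructed sample data; on a real device the permission map would come from `dumpsys package <pkg>`.

```python
"""Triage heuristic for sideloaded Android apps that hold overlay or
accessibility capabilities. Added example; not ThreatFabric's code."""
import re

# Installer packages treated as trusted store fronts (assumption: tune per fleet).
TRUSTED_INSTALLERS = {"com.android.vending", "com.sec.android.app.samsungapps"}

# Permissions mapped to the capability they enable. SYSTEM_ALERT_WINDOW lets an
# app draw over other apps (overlay attacks). BIND_ACCESSIBILITY_SERVICE is
# declared by accessibility services, which malware commonly abuses to log
# input and read other apps' screen content (assumption about Perseus; the
# article names the behaviour, not the permission). REQUEST_INSTALL_PACKAGES
# lets an app drop further APKs.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility",
    "android.permission.REQUEST_INSTALL_PACKAGES": "dropper",
}

# One line of `pm list packages -i` output: "package:<name>  installer=<installer>"
PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")


def parse_pm_list(output):
    """Parse `adb shell pm list packages -i` output into {package: installer}.
    An installer of "null" (no recorded installer) is stored as None."""
    result = {}
    for line in output.splitlines():
        m = PKG_LINE.match(line.strip())
        if m:
            pkg, installer = m.groups()
            result[pkg] = None if installer == "null" else installer
    return result


def triage(installers, permissions):
    """Return [(package, installer, [capabilities])] for apps that were not
    installed by a trusted store and hold at least one risky capability,
    ordered with the most capable (highest risk) apps first."""
    findings = []
    for pkg, installer in installers.items():
        if installer in TRUSTED_INSTALLERS:
            continue
        caps = sorted(RISKY_PERMISSIONS[p]
                      for p in permissions.get(pkg, ())
                      if p in RISKY_PERMISSIONS)
        if caps:
            findings.append((pkg, installer, caps))
    findings.sort(key=lambda f: (-len(f[2]), f[0]))
    return findings


# Constructed sample inventory: two sideloaded "free TV" players, one of which
# holds both overlay and accessibility capabilities, plus benign packages.
SAMPLE_PM_OUTPUT = """\
package:com.android.vending  installer=null
package:com.google.android.keep  installer=com.android.vending
package:tv.example.iptvplayer  installer=null
package:com.example.flashlight  installer=com.android.vending
package:net.example.freetv  installer=com.google.android.packageinstaller
"""

SAMPLE_PERMISSIONS = {  # constructed; would normally come from dumpsys package
    "tv.example.iptvplayer": {
        "android.permission.INTERNET",
        "android.permission.SYSTEM_ALERT_WINDOW",
        "android.permission.BIND_ACCESSIBILITY_SERVICE",
    },
    "net.example.freetv": {
        "android.permission.INTERNET",
        "android.permission.SYSTEM_ALERT_WINDOW",
    },
    # Holds the overlay permission but came from the trusted store: not flagged.
    "com.example.flashlight": {"android.permission.SYSTEM_ALERT_WINDOW"},
    "com.google.android.keep": {"android.permission.INTERNET"},
}


if __name__ == "__main__":
    for pkg, installer, caps in triage(parse_pm_list(SAMPLE_PM_OUTPUT),
                                       SAMPLE_PERMISSIONS):
        print(f"{pkg:32} installer={installer!s:40} {', '.join(caps)}")
```

The heuristic is a triage filter, not a verdict: legitimate sideloaded apps also request `SYSTEM_ALERT_WINDOW`, and a declared permission is not the same as one the user has granted, so the flagged list is the starting point for a closer look (who signed the APK, where it was downloaded from, whether an accessibility service is actually enabled), not a blocklist.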

The malware’s most unusual feature, according to ThreatFabric, is its focus on personal note-taking applications.

Perseus actively scans infected devices for apps such as Google Keep, Evernote, and Simple Notes, then opens them and extracts stored content. Notes can contain highly sensitive information, including passwords, financial details, and recovery phrases, making them a valuable target for attackers, researchers said.

Android malware is continually evolving, incorporating new techniques and features to gain victims’ trust and evade detection, according to ThreatFabric.

Earlier in October, researchers identified another Android banking trojan, Herodotus, capable of mimicking human behavior to evade detection during remote device control. Another malware, known as Crocodilus, can manipulate victims’ contact lists, enabling attackers to impersonate trusted entities such as banks.

Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.