Security · 10 min read · The Hacker News

New Perseus Android Banking Malware Monitors Notes Apps to Extract Sensitive Data

Redakcja Pixelift

Photo: The Hacker News

New Malicious Perseus Software Threatens Android Users

New malicious software Perseus threatens Android users by stealing sensitive data through monitoring note-taking applications. The malware exploits access to applications such as Google Keep and Samsung Notes to extract information about passwords, access codes, and financial data that users store in the form of notes. The threat reveals a serious security gap — many people store sensitive data in note-taking applications instead of dedicated password managers. Perseus operates in the background without visible signs of activity, making infection detection difficult. Experts recommend transitioning to Zero Trust Network Access (ZTNA) models, which eliminate lateral network access and connect users directly to applications. Such an approach reduces the attack surface and prevents malware from moving between systems. For ordinary users, this means the need to install applications only from trusted sources, regularly update the system, and — most importantly — stop storing confidential information in notes. Password managers with end-to-end encryption remain a significantly safer alternative.

The world of mobile banking has never been safe, but what security researchers from Cleafy discovered changes the perspective on the scale of the threat. Perseus — a new family of malicious software for Android — is not an ordinary banking trojan. It is an evolution of previous threats that combines the functionality of its predecessors (Cerberus and Phoenix) with completely new capabilities for monitoring sensitive user data. What's worse? The malware is actively spreading in the wild, and its creators continue to add new features.

Particularly concerning is that Perseus is not limited to traditional attacks on banking applications. Instead, it monitors note-taking applications, where users store passwords, access codes, identification numbers and other sensitive data. This indicates a change in the tactics of cybercriminals — instead of directly attacking financial applications, they have focused on collecting information that can be used to take over bank accounts or commit identity theft.

In Poland, where mobile banking has become standard and over 70% of smartphone users use banking applications, a threat like Perseus poses a real problem. The Polish Banking Association and the Association of Polish Banks have been warning for years about the growing wave of cyberattacks on mobile devices, but Perseus represents a new level of sophistication and attack flexibility.

How Perseus differs from its predecessors — evolution, not revolution

To understand why Perseus poses a particular threat, it's worth looking at its genealogy. Cerberus, whose code was leaked in 2020, was a banking trojan focused on taking over access to financial applications through fake login screens and SMS interception. Phoenix went further, adding device management features and the ability to hide from the system. Perseus combines these capabilities, but does something fundamentally different.

Instead of attacking banking applications directly, Perseus operates more discreetly. Its primary target is monitoring note-taking applications — both those built into Android and popular third-party applications such as Google Keep, Microsoft OneNote or Notion. Researchers from Cleafy discovered that Perseus scans the contents of these applications looking for patterns that may indicate sensitive data: PIN numbers, passwords, identity document numbers, and even credit card numbers.

This is a paradigm shift in attacks on mobile devices. Traditional banking trojans focused on stealing passwords at the moment they were entered. Perseus, on the other hand, waits for the user to store their data in applications they consider safe. According to Cleafy's report, the malware can also monitor the device's clipboard, which means it can intercept data copied from any application.

The architecture of Perseus is also more modular than its predecessors. Rather than being a monolithic trojan, Perseus operates as a platform to which new functionality modules can be added. Cybercriminals can easily customize it for specific purposes — for one attack they can add a module to monitor notes, for another — a module to intercept data from messaging applications.

The path to infection — trojan horse applications

Perseus spreads through dropper applications, i.e., fake or infected applications available on unofficial app stores, on pirate websites or distributed via SMS messages posing as messages from banks. Cleafy researchers observed that Perseus is distributed through applications posing as legitimate tools — file managers, photo editing applications, or even games.

Particularly surprising is that some variants of Perseus were distributed through the official Google Play Store, although Google quickly removed them after detection. This shows that even the Google Play Store, which has much better control mechanisms than unofficial stores, cannot fully protect users from malicious software.

The infection mechanism is intricate. The dropper application does not immediately contain the full Perseus code — instead, it downloads it in encoded form from servers controlled by the attackers. This is a technique known as staged malware delivery, which makes it difficult to analyze the threat and allows attackers to quickly update malware without having to resubmit the application through app stores.

For Polish users, particularly dangerous are variants of Perseus distributed via SMS messages posing as messages from popular Polish banks. A message might read: "Security update — download the application from [fake domain]". Users who do not know that banks never send application download links via SMS can easily fall for it.

Monitoring notes — a new dimension of identity theft

The most intriguing feature of Perseus is its ability to monitor note-taking applications. This may sound like a small detail, but in reality it is a fundamental change in how cybercriminals think about data theft.

For years, mobile security has focused on protecting against attacks on banking applications — two-factor authentication, biometrics, encrypted connections. But cybercriminals discovered that users themselves store their sensitive data in places that are not protected the same way. Note-taking applications typically have weaker authentication than banking applications, and their encryption (if it exists at all) is often optional.

Perseus monitors these applications looking for specific patterns. For example, it can search for strings that look like PIN numbers (4-6 digits), passwords (combinations of letters, numbers and symbols), or document numbers (special formats for different countries). When it finds something that matches the pattern, it sends it to the attackers' servers.

What's even more concerning — Perseus can also monitor the device's clipboard. If a user copies a password from a notes application and pastes it in a banking application, Perseus will intercept that password when it passes through the clipboard. This is a technique known for years, but its combination with note monitoring creates a new layer of threat.
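The defensive counterpart of the pattern search described above is to run the same kind of search over your own notes before the malware does, and move whatever it finds into a password manager. The following script is an added example, not code from the article, from Cleafy or from the malware; the note contents are constructed, and the exact patterns (a PIN only when it sits next to the word "PIN", a password only after a label, a card number only if it passes the Luhn check, a Polish PESEL only if its checksum holds) are this example's own choices, since the article only names the categories.

```python
import re
from dataclasses import dataclass

# Constructed sample notes (not from the article): a few plausible note titles
# and bodies, mixing harmless content with credential-like material.
SAMPLE_NOTES = {
    "Shopping list": "milk, eggs, bread",
    "Bank": "mBank PIN 4821\nkarta 4111 1111 1111 1111",
    "Logins": "router password: Tr0ub4dor&3\nmail hasło: correcthorse",
    "Dokumenty": "PESEL 44051401359",
    "Meeting notes": "Room 4023 at 10:30, bring 2 copies",
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers; weeds out random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def pesel_ok(digits: str) -> bool:
    """Checksum of the Polish PESEL national identification number (11 digits)."""
    if len(digits) != 11 or not digits.isdigit():
        return False
    weights = (1, 3, 7, 9, 1, 3, 7, 9, 1, 3)
    s = sum(int(d) * w for d, w in zip(digits[:10], weights))
    return (10 - s % 10) % 10 == int(digits[10])


@dataclass
class Finding:
    note: str
    kind: str
    masked: str  # only the last two characters survive, so the report is not itself a secret store


def mask(value: str) -> str:
    return "*" * max(len(value) - 2, 0) + value[-2:]


# Keyword-anchored patterns: a bare 4-6 digit number is far too common to flag on its own,
# so a PIN is only reported next to the word "PIN", and a password only after a label.
PIN_RE = re.compile(r"\bPIN\b\D{0,10}?(\d{4,6})\b", re.IGNORECASE)
PASSWORD_RE = re.compile(r"(?:password|hasło|passwd|pwd)\s*[:=]\s*(\S+)", re.IGNORECASE)
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")   # 13-19 digits, spaces/hyphens allowed
PESEL_RE = re.compile(r"\b\d{11}\b")


def scan_note(title: str, body: str) -> list[Finding]:
    findings = []
    for m in PIN_RE.finditer(body):
        findings.append(Finding(title, "pin", mask(m.group(1))))
    for m in PASSWORD_RE.finditer(body):
        findings.append(Finding(title, "password", mask(m.group(1))))
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):          # checksum filters out phone numbers and the like
            findings.append(Finding(title, "card", mask(digits)))
    for m in PESEL_RE.finditer(body):
        if pesel_ok(m.group(0)):
            findings.append(Finding(title, "pesel", mask(m.group(0))))
    return findings


def scan_notes(notes: dict[str, str]) -> list[Finding]:
    return [f for title, body in notes.items() for f in scan_note(title, body)]


def notes_to_migrate(notes: dict[str, str]) -> set[str]:
    """Titles of notes that should move into a password manager and be deleted here."""
    return {f.note for f in scan_notes(notes)}


if __name__ == "__main__":
    for f in scan_notes(SAMPLE_NOTES):
        print(f"{f.note!r}: {f.kind} {f.masked}")
    print("migrate:", sorted(notes_to_migrate(SAMPLE_NOTES)))
```

Run it over a plain-text export of your notes app rather than inside the app itself; the point is that anything it reports is exactly what a trojan with access to the same notes would harvest, and the report masks the values so the output does not become a second copy of the secrets.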

Device takeover — from data theft to full control

Perseus is not just a banking trojan — it is a device takeover (DTO) tool. This means that attackers can gain full control of the smartphone, including access to the camera, microphone, location and all applications installed on the device.

Cleafy researchers discovered that Perseus can request very broad permissions from the Android system and then activate them even if the user rejected them. This is possible by exploiting vulnerabilities in Android that have not yet been patched. Attackers can thus gain access to banking applications and log into a user's account without knowing the password — they only need access to the phone and the banking application.

Additionally, Perseus can simulate user clicks on the screen, which means it can automatically approve bank transactions, transfer money or change account security settings. This technique is known as overlay attacks — malware displays a fake screen on top of the real application to confuse the user, while simultaneously simulating their clicks.

For banks and financial institutions, this poses a huge problem. Traditional protection methods, such as SMS messages with transaction confirmation codes, can be bypassed by Perseus, which has access to SMS messages on the device. Some banks have switched to push notifications instead of SMS messages, but Perseus can also monitor these notifications.

Poland in the crosshairs — local adaptation of the threat

Poland is a particularly interesting target for Perseus creators for several reasons. First, Polish banks are technologically advanced — most offer mobile applications with advanced security features. Second, Polish society is quite active in using mobile banking, which means the potential scale of the attack is large.

Security researchers have noticed that Perseus variants distributed in Poland are specially adapted to the Polish market. They contain lists of Polish banks whose applications are monitored specifically. These include PKO BP, mBank, Santander, ING, Alior Bank and other financial institutions.

Additionally, the creators of Perseus added features specific to Poland — for example, monitoring tax applications (Twój e-PIT), social security applications (PUE ZUS) and other public services. This suggests that the attackers not only want to steal money from bank accounts, but also want to gain access to personal data and tax information of Polish users.

The Polish Banking Association has already issued warnings to its members about Perseus, and CERT.PL (the Polish incident response team) has published detailed information on how to recognize and remove the malware. However, Perseus's ability to hide and its modular architecture mean that traditional malware removal methods may not be sufficient.

Security or paranoia — how to protect yourself from Perseus

Protection against Perseus requires a multi-layered approach that goes beyond traditional antivirus. First, users should download applications only from the official Google Play Store and avoid unofficial stores. Second, they should be careful about SMS messages containing download links — no bank will ever send such a message.

However, even downloading from Google Play Store does not guarantee security, as shown by the Perseus case. That's why it's also important to monitor the permissions that applications request. If a photo editing application requests access to SMS messages, contacts and location — that's a clear warning sign. Users should regularly check what permissions installed applications have.
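The permission review recommended above can be automated for a whole device. The script below is an added example, not from the article or from any named tool: it parses the kind of text that `adb shell dumpsys package <pkg>` prints on a debug-connected phone and flags apps that request or hold permissions that let an app read SMS codes, draw over other apps, or collect contacts and location. The excerpt is constructed and the section layout ("requested permissions:", "install permissions:", "runtime permissions:" with `granted=true/false`) is assumed from the command's usual output, so check it against your own device before relying on the parser.

```python
import re

# Constructed excerpt modeled on `adb shell dumpsys package <pkg>` output (assumed format,
# not captured from a real device). A photo editor that requests far more than it needs,
# and a notes app with a modest footprint.
DUMPSYS_SAMPLE = """\
Packages:
  Package [com.example.photoeditor] (1a2b3c):
    userId=10123
    requested permissions:
      android.permission.INTERNET
      android.permission.CAMERA
      android.permission.READ_SMS
      android.permission.RECEIVE_SMS
      android.permission.READ_CONTACTS
      android.permission.ACCESS_FINE_LOCATION
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
      android.permission.SYSTEM_ALERT_WINDOW: granted=true
    User 0: installed=true hidden=false
      runtime permissions:
        android.permission.CAMERA: granted=true, flags=[ USER_SET ]
        android.permission.READ_SMS: granted=true, flags=[ USER_SET ]
        android.permission.RECEIVE_SMS: granted=false, flags=[ USER_SET ]
        android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
        android.permission.ACCESS_FINE_LOCATION: granted=false, flags=[ USER_SET ]
  Package [com.example.notes] (4d5e6f):
    userId=10124
    requested permissions:
      android.permission.INTERNET
    install permissions:
      android.permission.INTERNET: granted=true
"""

# Permissions a photo editor or game has no business holding: they cover the SMS-code
# interception, screen overlays, and contact/location harvesting the article describes.
HIGH_RISK = {
    "android.permission.READ_SMS",
    "android.permission.RECEIVE_SMS",
    "android.permission.SEND_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.READ_CONTACTS",
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.REQUEST_INSTALL_PACKAGES",
}

PACKAGE_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
GRANT_RE = re.compile(r"^\s*([\w.]+): granted=(true|false)")
REQUEST_RE = re.compile(r"^\s*([\w.]+\.permission\.\w+)\s*$")


def parse_dumpsys(text: str) -> dict[str, dict[str, set[str]]]:
    """Return {package: {"requested": {...}, "granted": {...}}} from dumpsys text."""
    result: dict[str, dict[str, set[str]]] = {}
    pkg, section = None, None
    for line in text.splitlines():
        m = PACKAGE_RE.match(line)
        if m:
            pkg = m.group(1)
            result[pkg] = {"requested": set(), "granted": set()}
            section = None
            continue
        if pkg is None:
            continue
        stripped = line.strip()
        if stripped.endswith("permissions:"):
            # "requested", "install" or "runtime"
            section = stripped[: -len("permissions:")].strip()
            continue
        if section == "requested":
            m = REQUEST_RE.match(line)
            if m:
                result[pkg]["requested"].add(m.group(1))
        elif section in ("install", "runtime"):
            m = GRANT_RE.match(line)
            if m and m.group(2) == "true":
                result[pkg]["granted"].add(m.group(1))
    return result


def audit(text: str) -> list[tuple[str, str, bool]]:
    """(package, permission, granted) for every high-risk permission an app asks for."""
    findings = []
    for pkg, perms in parse_dumpsys(text).items():
        for perm in sorted(perms["requested"] & HIGH_RISK):
            findings.append((pkg, perm, perm in perms["granted"]))
    return findings


def risky_packages(text: str) -> set[str]:
    """Packages that currently hold at least one granted high-risk permission."""
    return {pkg for pkg, _, granted in audit(text) if granted}


if __name__ == "__main__":
    for pkg, perm, granted in audit(DUMPSYS_SAMPLE):
        print(f"{pkg}: {perm} ({'GRANTED' if granted else 'requested only'})")
```

A requested-but-denied permission is still worth noting: it tells you what the app intends to do the next time it asks. The fix for a flagged app is the one the article gives, revoking the permission in system settings or uninstalling the app, not editing the dumpsys output.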

Banks, on the other hand, should implement advanced anomaly detection systems that can recognize when account login occurs from a different device or location than usual. They should also implement step-up authentication — additional verification for high-value transactions, even if the user is already logged in.
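The two bank-side controls named in this paragraph, device/location anomaly detection and step-up authentication for high-value transactions, fit together as one policy. The following is an added example written for this page, not a bank's or any vendor's system: it keeps a per-user profile of seen devices and countries, decides per event whether to allow or demand step-up, and only adds a new device or country to the profile once the step-up has succeeded. The events, the PLN 5,000 threshold and the `verified` set (standing in for whatever out-of-band check the bank runs) are constructed assumptions; since the article notes that SMS and push codes on the infected phone can be read by the malware, the example deliberately leaves the verification channel outside the device and outside this code.

```python
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    user: str
    device_id: str
    country: str
    amount: float   # 0.0 for a plain login


@dataclass
class Profile:
    devices: set = field(default_factory=set)
    countries: set = field(default_factory=set)


HIGH_VALUE = 5000.0   # assumed threshold for a "high-value" transaction


def assess(event: Event, profile: Profile) -> tuple[str, list[str]]:
    """Return ("allow" | "step_up", reasons) for one login or transaction."""
    reasons = []
    if event.device_id not in profile.devices:
        reasons.append("unknown device")
    if event.country not in profile.countries:
        reasons.append("unusual country")
    if event.amount >= HIGH_VALUE:
        reasons.append("high value")
    return ("step_up" if reasons else "allow"), reasons


def record(event: Event, profile: Profile) -> None:
    profile.devices.add(event.device_id)
    profile.countries.add(event.country)


def run(history: list[Event], events: list[Event], verified: set[Event]) -> list[tuple[str, list[str]]]:
    """Replay events against profiles built from history.

    `verified` is a constructed stand-in for the result of the bank's out-of-band
    step-up check; the profile learns a new device or country only when it passed.
    """
    profiles: dict[str, Profile] = defaultdict(Profile)
    for ev in history:
        record(ev, profiles[ev.user])
    outcomes = []
    for ev in events:
        decision, reasons = assess(ev, profiles[ev.user])
        if decision == "allow":
            record(ev, profiles[ev.user])
            outcomes.append(("allow", reasons))
        elif ev in verified:
            record(ev, profiles[ev.user])      # trust is extended only after verification
            outcomes.append(("step_up:verified", reasons))
        else:
            outcomes.append(("step_up:rejected", reasons))
    return outcomes


# Constructed data: two historical logins establish alice's normal device and country.
HISTORY = [Event("alice", "dev-A", "PL", 120.0), Event("alice", "dev-A", "PL", 340.0)]
EVENTS = [
    Event("alice", "dev-A", "PL", 80.0),      # routine
    Event("alice", "dev-A", "PL", 12000.0),   # high value from the usual device
    Event("alice", "dev-B", "PL", 50.0),      # first time on a new device
    Event("alice", "dev-B", "PL", 30.0),      # same new device, now known
    Event("alice", "dev-A", "DE", 50.0),      # known device, unusual country
    Event("alice", "dev-A", "DE", 20.0),      # still unusual: the previous step-up failed
]
VERIFIED = {EVENTS[1], EVENTS[2]}   # step-ups the (external) check confirmed


def demo() -> list[str]:
    return [outcome for outcome, _ in run(HISTORY, EVENTS, VERIFIED)]


if __name__ == "__main__":
    for ev, (outcome, reasons) in zip(EVENTS, run(HISTORY, EVENTS, VERIFIED)):
        print(f"{ev.device_id} {ev.country} {ev.amount:>8.2f} -> {outcome} {reasons}")
```

The design point is the last two events: a rejected step-up must not teach the profile anything, otherwise a trojan that fails verification once still gets the device or location whitelisted on the next attempt.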

For more advanced users, the recommendation is to use a dedicated device for mobile banking — an old smartphone with only the banking application installed and nothing else. This may sound like overkill, but for people with large savings it may be justified.

The future of the trojan — Perseus as a template for new threats

Perseus will not be the last trojan of this type. Its modular architecture and flexible approach to data theft provide a template for new threats. Cybercriminals will likely adapt the Perseus code for other purposes — monitoring messaging applications (Telegram, Signal), money management applications (Wise, Revolut), or even cryptocurrency trading applications.

Particularly concerning is that Perseus is distributed by organized cybercriminal groups, not individual hackers. This means that the malware will be actively maintained, updated and adapted to new security challenges. When Google or Apple close one attack vector, attackers will quickly find another.

For the mobile security industry, Perseus is a warning signal. The traditional approach to protection — focusing on banking applications — is already insufficient. A more holistic approach is needed that protects all applications and data on the device, not just those related to finance. This means investments in advanced anomaly detection, application sandboxing and more granular permission systems.

At the same time, Perseus shows that cybercriminals are surprisingly creative in their attacks. Instead of attacking directly — which is difficult due to advanced security — they attack indirectly, through applications that users themselves consider safe. This is a lesson for everyone — in cybersecurity there is no absolute certainty, and every application on a device is a potential attack vector.
