New Perseus Android Banking Malware Monitors Notes Apps for Sensitive Data
A sophisticated new strain of Android banking malware, identified as Perseus, is rapidly spreading across multiple countries, leveraging advanced techniques to bypass modern Android security mechanisms. Unlike traditional keyloggers, Perseus actively abuses Android's Accessibility Services to enable complete device takeover and execute unauthorized financial transactions.
Eresus Security researchers warn that Perseus is specifically engineered to target users who store sensitive information, such as passwords, recovery phrases, and PINs, in plain-text applications.
How Perseus Strikes
Perseus is typically distributed via sophisticated phishing campaigns. Attackers disguise the malware as legitimate applications—often posing as urgent system updates, regional banking aids, or utility tools—promoted through SMS (Smishing) or malicious ad networks.
Once the unsuspecting user installs the application, it immediately prompts the user to grant it Accessibility Service permissions under the guise of "enabling full features" or "app configuration."
The Exploitation Phase
The moment Accessibility permissions are granted, Perseus initiates its attack chain:
- Screen Reading & Scraping: It monitors the active window. Its primary targets are standard note-taking applications (like Google Keep, Samsung Notes, or Evernote), password managers (when unlocked), and crypto wallet interfaces. It actively parses text on the screen to steal seed phrases and bank credentials.
- Overlay Attacks: When the user opens a targeted banking application, Perseus instantly drops a pixel-perfect, invisible overlay on top of the legitimate app to capture login credentials and 2FA codes.
- Automated Fraud (ATS): Using the Automated Transfer System (ATS) technique, the malware can autonomously navigate the UI, initiate bank transfers, and intercept the SMS-based OTPs needed to authorize the transaction—all while the device screen is artificially dimmed or locked to hide the activity from the victim.
Mitigation and Defense
Relying on Google Play Protect is no longer sufficient against such targeted phishing attacks. Organizations and end-users must adopt stricter mobile security postures:
- For Enterprises: Enforce Mobile Device Management (MDM) policies that restrict sideloading of applications from unknown sources on corporate devices.
- For Users: Never grant Accessibility permissions to applications unless specifically required for a verified disability aid. Banking and secure apps should rarely, if ever, ask for this permission.
- Avoid Plain-Text Storage: Never store critical banking PINs, crypto recovery phrases, or corporate passwords in unencrypted note-taking apps.
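For app developers asked the question above, the following is an added illustration (not code from Eresus Security or from the Perseus analysis) of the platform-side hardening a banking login screen can apply against the overlay and tapjacking tricks described: screenshot blocking, hiding untrusted overlay windows, dropping obscured touches, and surfacing any enabled third-party accessibility service to the user. `LoginActivity`, the layout and view ids, and `showAccessibilityWarning` are hypothetical names; `setHideOverlayWindows` needs `android.permission.HIDE_OVERLAY_WINDOWS` in the manifest.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.os.Build;
import android.os.Bundle;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.List;

// Hypothetical banking-app login screen showing defensive hardening only.
public class LoginActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);

        // 1. Block screenshots and screen recording of this window. Note: this
        //    does not stop an accessibility service reading the view tree.
        getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                             WindowManager.LayoutParams.FLAG_SECURE);

        // 2. Android 12+: hide other apps' overlay windows while this window
        //    is on top, so a fake login form cannot be drawn over ours.
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.S) {
            getWindow().setHideOverlayWindows(true);
        }

        setContentView(R.layout.activity_login); // layout id is assumed

        // 3. Discard touches delivered while another window obscures the
        //    button (classic tapjacking via a transparent overlay).
        View submit = findViewById(R.id.login_submit); // view id is assumed
        submit.setFilterTouchesWhenObscured(true);

        // 4. Legitimate screen readers exist, so this is a warning, not a block:
        //    tell the user which accessibility services are currently enabled.
        List<String> services = enabledAccessibilityServices();
        if (!services.isEmpty()) {
            showAccessibilityWarning(services); // app-specific dialog, assumed
        }
    }

    // Returns ids of enabled accessibility services as "package/.ServiceClass".
    List<String> enabledAccessibilityServices() {
        AccessibilityManager am = (AccessibilityManager) getSystemService(ACCESSIBILITY_SERVICE);
        List<String> ids = new ArrayList<>();
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            ids.add(info.getId());
        }
        return ids;
    }
}
```

An ATS-style attack that drives the UI through the accessibility API is not stopped by these flags; they raise the cost of credential capture, and the accessibility warning plus a server-side check for unusual transfer patterns covers the rest.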
Are your mobile banking applications resilient against ATS and Overlay attacks? Contact Eresus Security for comprehensive Mobile Application Security Testing and reverse engineering assessments.