
New ‘Perseus’ Android malware checks user notes for secrets

Why This Matters

The emergence of the Perseus malware highlights the ongoing threats facing Android users, especially those who install apps from unofficial sources such as third-party stores offering IPTV apps. Its ability to steal sensitive data and take complete control of a device underscores the need for heightened security awareness and for robust protections from both consumers and the industry.

Key Takeaways

A new Android malware called Perseus reads the notes users keep on their devices in search of sensitive information such as passwords, cryptocurrency recovery phrases, or financial data.

Distributed through unofficial app stores while disguised as an IPTV app, Perseus enables complete device takeover, screenshot capture, and overlay attacks.

By posing as IPTV apps, which are often used to stream pirated content, the threat actor relies on users already being accustomed to sideloading APKs from outside Google Play and dismissing the security warnings that accompany that process.

This trend has emerged over the past eight months, as users look for free or low-cost ways to watch live sports broadcasts. In a recent campaign, threat actors used the same IPTV app lure to distribute the Massiv Android banking malware.

According to researchers at mobile security company ThreatFabric, Perseus is primarily targeting financial institutions in Turkey and Italy, as well as crypto services.

One of the dropper apps poses as Roja Directa TV, borrowing the name of a popular sports streaming service that has repeatedly been the target of copyright enforcement and shutdown actions.

[Image: one of the dropper apps used. Source: ThreatFabric]

The dropper used for Perseus can bypass the restrictions that Android 13 and later place on sideloaded apps, and it is the same dropper that has been used to deliver the Klopatra and Medusa malware.

According to ThreatFabric researchers, "Perseus appears to build specifically on the Phoenix codebase," which itself was derived from the Cerberus source code leaked almost six years ago.
