
Perseus: DTO malware that takes notes

19 March 2026

Most mobile malware must continuously evolve to remain effective in an environment shaped by improving security measures, platform restrictions, and user awareness. Rather than relying solely on traditional techniques, contemporary threats increasingly adapt by introducing new capabilities and leveraging legitimate system features in unintended ways. This ongoing evolution reflects a broader trend in which attackers refine their tooling to maintain persistence, evade detection, and maximize control over compromised devices, highlighting the importance of studying how such threats adapt over time.

The Mobile Threat Intelligence Team has identified a new Android threat actively distributed in the wild. The threat is called Perseus, and represents the continued evolution of mobile malware, building upon the code base of earlier families such as Cerberus and Phoenix, and advancing into a more flexible and capable platform for device compromise.

As modern mobile threats adapt to an increasingly hardened ecosystem, they incorporate new techniques and often repurpose legitimate system functionalities to maintain effectiveness. In this research, we examine Perseus’s design and behavior to highlight how such evolution enables persistent, interactive control over infected devices, offering insight into the shifting landscape of mobile malware.

Key takeaways of this report are:

  • Continuous Evolution: Perseus builds on earlier threats like Phoenix, demonstrating how mobile malware adapts by introducing new techniques and leveraging legitimate system features to remain effective.
  • Interactive Remote Control: Through Accessibility-based remote sessions, the malware enables real-time monitoring and precise interaction with infected devices, allowing full Device Takeover and targeting various regions, with strong focus on Turkey and Italy.
  • Targeted Data Collection: Beyond traditional credential theft, Perseus monitors user notes, indicating a focus on extracting high-value personal or financial information.
  • Strong Anti-Analysis Measures: Extensive environment checks, including detection of tools like Frida, highlight a clear focus on evading analysis and maintaining operational secrecy.
  • Continued use of IPTV applications: these are increasingly used as a disguise for distributing mobile threats.

The Opposite of a Hero

If Greek mythology had a cybersecurity chapter, Perseus would fit right in, though not quite as the hero. Instead, this time Perseus seems to have learned a few tricks from the very monsters he was meant to defeat. Building on codebases like Phoenix and Cerberus (two well-known “creatures” of the Android malware underworld) and showing connections to operations involving Medusa, this variant feels less like a lone warrior and more like the product of a full mythological crossover.

The Origin story

The name Perseus comes directly from the C2 login panel, which is accessible from some of the campaigns analyzed.

The underlying code is based on Cerberus, a long-standing malware family that has served as the foundation for several others, such as Ermac and Phoenix, following the leak of its source code in 2020. Perseus appears to build specifically on the Phoenix codebase, as its earlier versions adopt a similar class structure and naming conventions.


During the analysis, two main branches were identified: one that was active for a short period of time, and another that is currently being distributed. While there are some differences in functionality and supported commands between the two, the most evident distinction lies in the naming of classes, which are in English in one branch and in Turkish in the other.

In the English-based branch, which features extensive quality-of-life and debugging features that are missing from the more discreet Turkish version, there are also indications of likely use of LLM-based tools to assist in the development of the malware. These include extensive in-app logging and the presence of emojis within the code, which are uncommon in traditional malware development.

Observed campaigns

The distribution strategy observed in all Perseus campaigns consistently leverages applications masquerading as IPTV services, a tactic likely chosen to maximize credibility and user engagement within the primary target region, Turkey, and one we already discussed in our previous report about Massiv.

IPTV applications are widely used and often distributed outside of official marketplaces such as the Google Play Store, making users more accustomed to sideloading APK files and less likely to question non-standard installation workflows. By embedding its payload within this expected context, the Perseus malware effectively reduces user suspicion and increases infection success rates, blending malicious activity with a commonly accepted distribution model for such services.

Perseus uses a dropper to bypass Android 13+ restrictions when distributed via side-loading. The specific dropper application used to distribute Perseus is not unique to this malware family: it has also been observed distributing other malware families, such as Klopatra and Medusa.

Once deployed, Perseus is capable of launching overlay attacks and keylogging virtually everything displayed on the device, directly inheriting this capability from its predecessor, Phoenix. This allows attackers to intercept user input in real time and superimpose fake interfaces to capture sensitive credentials with high accuracy. Combined with the remote actions that the malware is capable of, it grants full device takeover to the malicious application, allowing criminals to perform and authorize fraudulent transactions. 

In the campaigns we observed, a clear targeting strategy emerges, with a strong focus on users in Turkey and Italy. The distribution of targeted institutions reflects this geographic focus, as shown in the table below:

Country        Number of institutions targeted
🇹🇷 Turkey      17
🇮🇹 Italy       15
🇵🇱 Poland      5
🇩🇪 Germany     3
🇫🇷 France      2
🇦🇪 UAE         1
🇵🇹 Portugal    1
🌍 Crypto       9

The Rebirth of the Phoenix

Much like the mythical Phoenix rising from its ashes, Perseus represents a rebirth of earlier malware, carrying forward its lineage while introducing selective but meaningful new capabilities. While much of its core functionality can be traced back to predecessors like Phoenix and Cerberus, this evolved variant refines its focus with additions that enhance both intelligence gathering and survivability. 

Take some notes

Among its more distinctive capabilities, Perseus introduces functionality aimed at monitoring user-created content, specifically notes stored on the device. While many Android malware families focus primarily on harvesting credentials or intercepting communications, this feature reflects a broader interest in contextual and personally curated data. Notes often contain sensitive information such as passwords, recovery phrases, financial details, or private thoughts, making them a valuable target for attackers.

In the English fork of the malware, a particularly notable feature was identified that has not been commonly observed in other malware families. The feature, triggered by the command “scan_notes”, checks for the presence of a predefined set of applications, including widely used note-taking apps. It then proceeds to systematically open each application and iterate through its individual notes.

To achieve this, the malware leverages Accessibility Services to automate user interactions. It navigates the UI by iterating over elements, selecting target nodes, and programmatically triggering click actions. After a short delay, it performs a global “back” action to return to the previous screen and continues the process. This behavior enables the malware to systematically explore the contents of note-taking applications without user involvement. Combined with its logging capabilities, this allows the malware to capture and record the contents of the notes.

The list of notes applications that are monitored by Perseus is presented in the Appendix.

Taking over the device

Perseus inherits the remote control modules that power the DTO capabilities from its predecessors. In its primary mode, it abuses the Android Accessibility Service to continuously capture screenshots of the device using the takeScreenshot() API, processes them into compressed JPEG images, encodes them in Base64, and transmits them to the C2 server, effectively creating a near real-time visual stream of the victim’s screen. This mode is enabled with the “start_vnc” command.

When it receives the “start_hvnc” command instead, Perseus transmits a structured representation of the UI hierarchy: the malware traverses the AccessibilityNodeInfo tree and converts it into a JSON “skeleton” of the interface, enriched with metadata such as screen dimensions, screen state (awake or not), blackscreen status, and a device identifier. This data is sent through the active connection channel, allowing the operator either to see the screen or to understand and interact with UI elements programmatically.

Perseus implements a set of supported actions that can be performed by the remote operator. The remote control commands supported are listed in the Appendix.
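Every behaviour described in this section and in the notes section above (walking the AccessibilityNodeInfo tree, injecting taps and swipes, calling takeScreenshot()) depends on capabilities an accessibility service must declare in its configuration XML inside the APK. The following Python script is an added example, not code from the report or from Perseus: it performs the static triage step an analyst would run on a decoded APK's accessibility service configuration, reads the standard Android capability attributes (`canRetrieveWindowContent`, `canPerformGestures`, `canTakeScreenshot`, `canRequestFilterKeyEvents`) and flags the combination that makes hVNC/VNC-style remote control possible. Both sample configurations, the capability-to-behaviour mapping and the verdict logic are constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Standard AccessibilityService capability attributes and the behaviour each
# one unlocks for a remote operator (mapping constructed for this example).
CAPABILITY_IMPACT = {
    "canRetrieveWindowContent": "traverse the AccessibilityNodeInfo tree (UI skeleton, note iteration)",
    "canPerformGestures": "inject taps and swipes (click_coord, swipe_*, action_custom_gesture)",
    "canTakeScreenshot": "call takeScreenshot() for screen streaming (start_vnc)",
    "canRequestFilterKeyEvents": "observe key events before the focused app",
}

# Constructed sample of an accessibility_service_config.xml as found in a
# decoded APK. It is NOT Perseus's real configuration.
SUSPECT_CONFIG = """
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeAllMask"
    android:accessibilityFlags="flagRetrieveInteractiveWindows|flagReportViewIds"
    android:canRetrieveWindowContent="true"
    android:canPerformGestures="true"
    android:canTakeScreenshot="true"
    android:notificationTimeout="100" />
"""

# Constructed sample of a typical benign service (e.g. a screen reader) that
# only needs to read window content.
BENIGN_CONFIG = """
<accessibility-service xmlns:android="http://schemas.android.com/apk/res/android"
    android:accessibilityEventTypes="typeWindowStateChanged"
    android:canRetrieveWindowContent="true" />
"""


def declared_capabilities(config_xml: str) -> dict:
    """Return {capability: bool} for every capability in CAPABILITY_IMPACT."""
    root = ET.fromstring(config_xml.strip())
    caps = {}
    for cap in CAPABILITY_IMPACT:
        # ElementTree exposes namespaced attributes as "{uri}local".
        value = root.get("{%s}%s" % (ANDROID_NS, cap), "false")
        caps[cap] = value.strip().lower() == "true"
    return caps


def triage(config_xml: str) -> dict:
    """Summarise what a remote operator could do through this service."""
    caps = declared_capabilities(config_xml)
    flagged = [c for c, on in caps.items() if on]
    # Reading the tree plus injecting gestures is the minimum for hVNC-style
    # control; screenshots add the VNC-style visual stream.
    remote_control = caps["canRetrieveWindowContent"] and caps["canPerformGestures"]
    return {
        "flagged": flagged,
        "remote_control_capable": remote_control,
        "screenshot_capable": caps["canTakeScreenshot"],
        "impact": [CAPABILITY_IMPACT[c] for c in flagged],
    }


if __name__ == "__main__":
    for name, cfg in (("suspect", SUSPECT_CONFIG), ("benign", BENIGN_CONFIG)):
        print(name, triage(cfg))
```

A service that only reads window content is what most legitimate assistive apps declare; the combination of window content, gesture injection and screenshots in an application that markets itself as an IPTV player is the kind of mismatch that deserves a closer look.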

Device Risk assessment and anti-analysis

Perseus performs extensive environment checks to detect analysis or sandbox conditions. These include verifying the presence of root access and scanning for instrumentation frameworks such as Frida.

In addition, Perseus checks all of the following aspects to make sure that it is running on a real device:

  • SIM and telephony realism — verifies that a SIM is present and that operator details do not look fake or emulator-like.
  • Debugger presence — checks whether a debugger is attached to the process.
  • Dynamic analysis / instrumentation tools — looks for tools such as Frida and Xposed.
  • Root indicators — checks for both root binaries and known root-management applications.
  • Build and emulator fingerprints — inspects Android build properties for signs of emulators or virtualized devices.
  • Hardware profile consistency — evaluates whether the device has realistic hardware characteristics, such as cameras and sensors.
  • Battery plausibility — checks for suspicious battery values often associated with emulated environments.
  • Bluetooth availability — verifies whether Bluetooth support exists, as missing hardware can indicate a fake environment.
  • Installed application count — checks whether the number of installed apps is unusually low, which may suggest a sandbox or fresh emulator.
  • Google Play Services presence — verifies whether Play Services are installed, since their absence can indicate a non-standard or analysis environment.

Perseus then combines all this information to obtain an overall suspicion score that is sent to the C2 panel for an operator to assess.
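To make the scoring idea concrete, the Python below is an added example (not Perseus's code, whose weights and thresholds the report does not disclose) that models each of the ten checks listed above as a weighted predicate over a device profile and combines them into one suspicion score. The `DeviceProfile` fields, the weights, the thresholds and both sample profiles are constructed; the value for an analyst is seeing which properties of a sandbox or emulator trip such heuristics, and therefore which ones a realistic analysis environment has to get right.

```python
from dataclasses import dataclass


@dataclass
class DeviceProfile:
    """Constructed snapshot of the properties the report's checks look at."""
    sim_present: bool
    operator_name: str
    debugger_attached: bool
    loaded_libraries: list
    root_binaries: list
    build_fingerprint: str
    has_camera: bool
    sensor_count: int
    battery_level: int
    battery_plugged: bool
    bluetooth_supported: bool
    installed_app_count: int
    play_services_installed: bool


# (check name, weight, predicate that is True when the check looks suspicious).
# Weights and thresholds are hypothetical, chosen only for this illustration.
CHECKS = [
    ("sim_telephony", 2, lambda p: not p.sim_present
        or p.operator_name.strip().lower() in ("", "android", "unknown")),
    ("debugger", 3, lambda p: p.debugger_attached),
    ("instrumentation", 4, lambda p: any(
        t in lib.lower() for lib in p.loaded_libraries for t in ("frida", "xposed"))),
    ("root", 2, lambda p: len(p.root_binaries) > 0),
    ("emulator_build", 3, lambda p: any(
        k in p.build_fingerprint.lower()
        for k in ("generic", "sdk", "emulator", "goldfish", "ranchu"))),
    ("hardware_profile", 1, lambda p: not p.has_camera or p.sensor_count < 5),
    ("battery", 1, lambda p: p.battery_level == 100 and p.battery_plugged),
    ("bluetooth", 1, lambda p: not p.bluetooth_supported),
    ("app_count", 2, lambda p: p.installed_app_count < 40),
    ("play_services", 2, lambda p: not p.play_services_installed),
]
MAX_SCORE = sum(weight for _, weight, _ in CHECKS)


def suspicion_score(profile):
    """Return (score, [names of the checks that fired]) for a profile."""
    fired = [name for name, _, pred in CHECKS if pred(profile)]
    score = sum(weight for name, weight, _ in CHECKS if name in fired)
    return score, fired


def verdict(profile, threshold=6):
    """Operator-facing summary, as a C2 panel might present it."""
    score, fired = suspicion_score(profile)
    return {"score": score, "max": MAX_SCORE, "fired": fired,
            "likely_analysis_env": score >= threshold}


# Constructed profile of an ordinary handset in the field.
REAL_PHONE = DeviceProfile(
    sim_present=True, operator_name="Vodafone TR", debugger_attached=False,
    loaded_libraries=["libc.so", "libart.so", "libandroid_runtime.so"],
    root_binaries=[],
    build_fingerprint="samsung/a52qxx/a52q:13/TP1A.220624.014/1:user/release-keys",
    has_camera=True, sensor_count=24, battery_level=73, battery_plugged=False,
    bluetooth_supported=True, installed_app_count=140, play_services_installed=True)

# Constructed profile of an out-of-the-box emulator with Frida loaded.
STOCK_EMULATOR = DeviceProfile(
    sim_present=False, operator_name="Android", debugger_attached=False,
    loaded_libraries=["libc.so", "frida-agent.so"],
    root_binaries=["/system/xbin/su"],
    build_fingerprint="google/sdk_gphone64_x86_64/emu64xa:13/TE1A.220922.034/1:userdebug/dev-keys",
    has_camera=False, sensor_count=3, battery_level=100, battery_plugged=True,
    bluetooth_supported=False, installed_app_count=25, play_services_installed=False)

if __name__ == "__main__":
    print("real phone:", verdict(REAL_PHONE))
    print("emulator:  ", verdict(STOCK_EMULATOR))
```

Note that no single check is decisive: the emulator profile above would still score well above the threshold with the Frida library renamed, which is why a sandbox meant to observe this family has to present a plausible SIM, build fingerprint, sensor set and app population as well.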

Conclusion

Perseus highlights the continued evolution of Android malware, demonstrating how modern threats build upon established families like Cerberus and Phoenix while introducing targeted improvements rather than entirely new paradigms. Its capabilities, which range from Accessibility-based remote control and overlay attacks to notes monitoring, show a clear focus on maximizing both interaction with the device and the value of the data collected. This balance between inherited functionality and selective innovation reflects a broader trend toward efficiency and adaptability in malware development.

Its distribution through IPTV-themed droppers and its overlap with infrastructure used by other families, such as Medusa, underline how tools, delivery methods, and even codebases are reused across campaigns. Coupled with strong anti-analysis measures, including Frida detection and comprehensive environment checks, Perseus demonstrates a growing emphasis on evasion and operational resilience.

Overall, Perseus can be seen as a “reborn” threat: not entirely new, but refined and adapted to remain effective in a more secure and scrutinized mobile environment.


Appendix

Indicators of Compromise

SHA-256                                                           Package name            Application name   Role
1ea8360c4d3b7ccea50e9f19630be9d23df26ac713799e2f8457520c0d29bdda  com.xcvuc.ocnsxn        Roja App Directa   Perseus Dropper
2524e9d5ed1e55332fe2d1cc0e7ad4e2656ad5ca624199e6f619325979b3529a  com.tvtapps.live        TvTApp             Perseus Payload (English Fork)
56d3bb5e8771b41b11d368e70ddd26fe6f1e7bd00b3aafcfd4c34ef62f87093d  com.streamview.players  PolBox Tv          Perseus Payload (Turkish Fork)
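As an added example of putting the indicators above to use (this is not tooling from the report), the Python below embeds the three SHA-256 hashes and package names from the table, hashes APK files in chunks, matches digests against the list, and checks a list of installed package names. The directory path and the package list passed in are the caller's; the `.apk` filter and the chunk size are assumptions of the example.

```python
import hashlib
import os

# Indicators from the report's IoC table, keyed by SHA-256 of the APK.
PERSEUS_IOCS = {
    "1ea8360c4d3b7ccea50e9f19630be9d23df26ac713799e2f8457520c0d29bdda":
        ("com.xcvuc.ocnsxn", "Roja App Directa", "Perseus Dropper"),
    "2524e9d5ed1e55332fe2d1cc0e7ad4e2656ad5ca624199e6f619325979b3529a":
        ("com.tvtapps.live", "TvTApp", "Perseus Payload (English Fork)"),
    "56d3bb5e8771b41b11d368e70ddd26fe6f1e7bd00b3aafcfd4c34ef62f87093d":
        ("com.streamview.players", "PolBox Tv", "Perseus Payload (Turkish Fork)"),
}
# Package name -> role, derived from the same table.
PACKAGE_ROLES = {pkg: role for pkg, _, role in PERSEUS_IOCS.values()}


def sha256_hex(data: bytes) -> str:
    """SHA-256 of an in-memory buffer (useful for samples pulled from a sandbox)."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """SHA-256 of a file, read in chunks so large APKs are not loaded at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def match_hash(digest_hex: str):
    """Return (package, app name, role) if the digest is a known Perseus sample."""
    return PERSEUS_IOCS.get(digest_hex.strip().lower())


def match_packages(installed_packages):
    """Return {package: role} for installed packages named in the IoC table."""
    return {p: PACKAGE_ROLES[p] for p in installed_packages if p in PACKAGE_ROLES}


def scan_directory(root: str):
    """Hash every .apk under root and return [(path, ioc_tuple)] for matches."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".apk"):
                continue
            path = os.path.join(dirpath, name)
            hit = match_hash(sha256_file(path))
            if hit:
                hits.append((path, hit))
    return hits


if __name__ == "__main__":
    # Constructed package list as it might come from `pm list packages`.
    installed = ["com.android.chrome", "com.streamview.players", "com.google.android.keep"]
    print(match_packages(installed))
    print(scan_directory("./samples"))
```

Package names are the weaker signal of the two: a dropper's package name is trivially changed between campaigns, while a hash match against a sample from this table is conclusive for that sample.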

Notes Targets

Package name                                   App name
com.google.android.keep                        Google Keep - Notes and Lists
com.miui.notes                                 Xiaomi Notes
com.samsung.android.app.notes                  Samsung Notes
com.socialnmobile.dictapps.notepad.color.note  ColorNote Notepad Notes
com.evernote                                   Evernote - Note Organizer
com.microsoft.onenote                          Microsoft OneNote (wrong package name)
com.simplemobiletools.notes.pro                Simple Notes Pro
com.simplemobiletools.notes                    Simple Notes

Bot commands

Commands in green are part only of the English fork, while commands in red are part only of the Turkish fork. 

Command                          Description
action_click                     Simulates a standard tap on a selected UI element
action_long_click                Simulates a long press on a selected UI element
click_coord                      Performs a tap at specific screen coordinates
action_custom_gesture            Executes a custom gesture path defined by the operator
global_action_back               Triggers the Android system “Back” button action
global_action_home               Returns the device to the home screen
global_action_recents            Opens the recent apps overview
swipe_up                         Performs an upward swipe on the screen
swipe_down                       Performs a downward swipe on the screen
swipe_left                       Performs a leftward swipe on the screen
swipe_right                      Performs a rightward swipe on the screen
action_edit_text                 Modifies the text content of an existing input field
action_input_text                Inserts operator-supplied text into a target field
action_screen_on                 Wakes the device screen if it is off
start_hvnc                       Starts the remote session based on accessibility-driven remote control
stop_hvnc                        Stops the remote session
enable_accessibility_screenshot  Enables screenshot-based screen capture through the Accessibility Service
disable_accessibility_screenshot Disables screenshot-based screen capture through the Accessibility Service
start_vnc                        Starts a screenshot-based remote session on the device
stop_vnc                         Stops a screenshot-based remote session on the device
block_app                        Adds an application to a blocklist to restrict or interfere with its use
unblock_app                      Removes an application from the blocklist
clear_blocked                    Clears the entire list of blocked applications
action_blackscreen               Toggles a black screen overlay to hide device activity from the user
nighty                           Mutes audio
get_unlockpass                   Attempts to retrieve or intercept the device unlock credential
start_record_gesture             Begins recording a user gesture
stop_record_gesture              Stops the current gesture recording session
action_recorded_gesture          Replays a previously recorded gesture sequence
unlock_pin                       Attempts to unlock the device using a PIN entry routine
sms_perm                         Requests SMS-related permissions
install_from_unknown             Guides or forces enabling installation from unknown sources
start_app                        Launches a specified application on the device
undead                           Displays a temporary notification
load_features                    Requests additional modular features from the server
feature_status                   Retrieves the current status of available or loaded features
unload_features                  Disables previously loaded modular features
scan_notes                       Searches stored notes on the device for sensitive or useful information
action_set_clipboard             Replaces the device clipboard contents with operator-supplied text
reset_injection                  Resets the current injection configuration or state
disable_injection                Turns off overlay or web injection functionality
enable_injection                 Turns on overlay or web injection functionality
