Defending Against the Perseus Android Banking Malware: Detection and Mitigation Strategies
Executive Summary: A new Android banking malware family named Perseus has been discovered actively targeting users to conduct device takeover (DTO) and financial fraud. Evolving from the notorious Cerberus and Phoenix malware families, Perseus introduces a more flexible platform that specifically monitors "Notes" applications to steal sensitive data. For security teams, this highlights the critical need to expand mobile monitoring beyond standard banking apps to include PII stored in productivity utilities.
Introduction
While traditional banking trojans focus on overlay attacks or intercepting SMS codes, the new Perseus malware employs a more insidious tactic: scanning the content of a user's notes applications. Why does this matter to defenders? Users frequently store backup codes, credit card numbers, or cryptographic seed phrases in unsecured notes apps, assuming they are safe from prying eyes.
Perseus represents an evolution in the threat landscape, leveraging the accessibility services—a legitimate Android feature designed to help users with disabilities—to hijack devices and read this data. For organizations managing Bring Your Own Device (BYOD) environments, this malware poses a severe risk of data leakage and financial loss, requiring immediate updates to mobile defense strategies.
Technical Analysis
Perseus is distributed via "dropper" applications—often disguised as legitimate utility or system tools—hosted on third-party app stores or phishing sites. Once installed, the malware establishes a foothold on the device.
Technical Capabilities:
- Ancestry: It is built on the codebase of Cerberus and Phoenix, two well-known Android banking trojans, but has been refactored for greater flexibility.
- Device Takeover (DTO): Perseus abuses Android Accessibility Services to grant itself extensive permissions without the user's explicit consent, effectively taking control of the device.
- Notes App Monitoring: Unlike predecessors that strictly focused on banking interfaces, Perseus actively monitors the text content of default notes applications. It uses regex patterns to identify strings resembling credit card numbers, crypto keys, or other high-value data.
- Data Exfiltration: The harvested data is transmitted to the attacker's Command and Control (C2) server.
Affected Systems:
- Platform: Android devices.
- Vectors: Sideloading apps from unofficial sources, social engineering phishing campaigns.
- Severity: High. This malware facilitates direct financial fraud and credential theft.
Patch/Fix Status:
Because Perseus is a malicious application rather than a vulnerability, there is no single "patch" for it. Defense relies on:
- Google Play Protect: Updated definitions to detect known Perseus variants.
- OS Hygiene: Keeping Android OS updated to prevent exploitation of underlying OS vulnerabilities (though Perseus primarily relies on social engineering and permission abuse).
Defensive Monitoring
Detecting Perseus requires identifying the abuse of Accessibility Services and monitoring for the installation of suspicious packages. Below are detection strategies for Microsoft Sentinel (Defender for Endpoint) and a baseline script for Android Debug Bridge (ADB) analysis.
KQL for Microsoft Sentinel / Defender for Endpoint
This query looks for Android devices where applications have recently requested or been granted "Bind Accessibility Service" permissions, a common indicator of banking trojan behavior.
DeviceEvents
| where Timestamp > ago(7d)
| where ActionType == "AndroidPackageInfo" or ActionType == "DeviceRegistryChangeEvent"
// Look for specific permission strings associated with Accessibility abuse
| where AdditionalFields contains "android.permission.BIND_ACCESSIBILITY_SERVICE"
    or AdditionalFields contains "android.permission.SYSTEM_ALERT_WINDOW"
// Parse the JSON payload first: a later project would drop AdditionalFields,
// so it must be extended into a PackageName column before that step
| extend ParsedFields = parse_json(AdditionalFields)
| extend PackageName = tostring(ParsedFields.PackageName)
| project Timestamp, DeviceName, ActionType, PackageName, InitiatingProcessAccountName, AdditionalFields
| order by Timestamp desc
Bash Script for ADB Analysis (Enterprise Mobility Management)
If your security team uses an MDM that supports ADB commands or you are performing forensic analysis on a device, use this script to check for packages holding dangerous permissions typically used by Perseus.
#!/bin/bash
# Permissions to check: accessibility binding (device takeover) and the ability
# to install further packages (dropper behaviour)
PERMISSIONS=("android.permission.BIND_ACCESSIBILITY_SERVICE" "android.permission.REQUEST_INSTALL_PACKAGES")
echo "Checking for packages with high-risk permissions (Perseus Indicators)..."
for perm in "${PERMISSIONS[@]}"; do
  echo "--- Checking for packages with $perm ---"
  # 'pm list packages -f' prints 'package:<apk path>=<package name>'; strip the
  # carriage returns some adb builds emit and keep only the package name
  adb shell pm list packages -f | tr -d '\r' | while read -r line; do
    package="${line##*=}"
    [ -n "$package" ] || continue
    # dumpsys lists the package's requested and granted permissions
    if adb shell dumpsys package "$package" | grep -q "$perm"; then
      echo "[!] Potential Risk Found: $package"
    fi
  done
done
echo "Scan complete. Investigate any unknown packages listed above."
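The script above finds packages that hold the accessibility permission; the check below, an added example that is not part of the original advisory, reads which accessibility services are actually enabled on the device (the `enabled_accessibility_services` secure setting) and flags any that are not on an approved allowlist. The allowlist content and the `com.example.cleaner` service in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original advisory): compare the accessibility
# services actually enabled on a device against an approved allowlist.
# Android stores enabled services in the secure setting
# 'enabled_accessibility_services' as a colon-separated list of
# package/class component names; the value reads "null" when none is enabled.

# Assumed allowlist, one component name per line. Replace with the services
# your organisation has verified (e.g. a screen reader a user genuinely needs).
ALLOWED_SERVICES="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"

# Print every enabled accessibility service that is not on the allowlist.
# $1: the raw value of the enabled_accessibility_services setting.
unapproved_accessibility_services() {
  enabled="$1"
  if [ -z "$enabled" ] || [ "$enabled" = "null" ]; then
    return 0
  fi
  printf '%s\n' "$enabled" | tr ':' '\n' | while IFS= read -r svc; do
    [ -n "$svc" ] || continue
    # Exact, fixed-string match against the allowlist (no regex surprises)
    if ! printf '%s\n' "$ALLOWED_SERVICES" | grep -Fxq -- "$svc"; then
      printf '%s\n' "$svc"
    fi
  done
}

# Pull the setting from an attached device over ADB and report anything
# unapproved. Not run automatically; call scan_attached_device from a shell.
scan_attached_device() {
  enabled="$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')"
  unapproved="$(unapproved_accessibility_services "$enabled")"
  if [ -n "$unapproved" ]; then
    echo "[!] Accessibility services enabled outside the allowlist:"
    printf '%s\n' "$unapproved" | sed 's/^/  /'
    return 1
  fi
  echo "No unapproved accessibility services enabled."
}
```

Any service reported here belongs to a package that has already been granted the device-takeover capability this advisory describes, so treat it as a higher-priority lead than a package that merely declares the permission.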
Remediation
To protect your organization from Perseus and similar Android banking trojans, implement the following defensive measures immediately:
- Block Sideloading: Enforce a strict mobile device management (MDM) policy that disables the "Install Unknown Apps" permission (often called "Unknown Sources") for all user profiles. Google Play Protect should be mandated to remain active at all times.
- Application Vetting: Configure your MDM to create an "allowlist" of applications. Only applications from the Google Play Store (or your internal enterprise store) should be installable. Block third-party app stores immediately.
- User Awareness Training: Educate employees on the dangers of downloading "cleaning" or "utility" apps from links in SMS or email. Remind them that legitimate banking apps will never ask users to enable Accessibility Services for "better performance."
- Disable Accessibility Services for Non-Essential Apps: Review MDM policies to restrict the granting of Accessibility Services. Ideally, this permission should be blocked entirely unless explicitly required for a verified accessibility need.
- Network Segmentation: Ensure mobile devices are connected to a guest VLAN or isolated network segment, preventing lateral movement from a compromised mobile device to critical internal systems.