Analyzing Perseus: When Notes Apps Become a Financial Fraud Vector
Just caught the latest report from The Hacker News regarding the new Perseus malware family. It seems the lineage of Cerberus and Phoenix continues to evolve, but this iteration adds a particularly insidious capability: actively monitoring Notes apps to extract sensitive data.
We've seen banking trojans abuse Accessibility Services for overlay attacks and auto-fill theft, but targeting content providers for notes apps suggests attackers are adapting to users who store 2FA seeds or passwords in plain text within "safe"-looking apps. Since Perseus aims for Device Takeover (DTO), the persistence mechanisms are likely aggressive.
For those doing mobile forensics or threat hunting, we should be looking for anomalies in the AccessibilityService usage and unusual Content Observer registrations.
Here is a quick snippet to dump currently active accessibility services on a device to audit for suspicious activity:
# List installed/bound/enabled accessibility services (dumpsys section headers end in "services:")
adb shell dumpsys accessibility | grep -i -A 10 "services:"
# Authoritative enabled list: colon-separated pkg/class components
adb shell settings get secure enabled_accessibility_services
Additionally, checking for specific permissions related to reading logs or binding to notifications is crucial:
# Check third-party apps for high-risk permissions. pm list packages -f only prints
# APK paths, so permissions have to be read from each package's dumpsys entry.
for pkg in $(adb shell pm list packages -3 | cut -d: -f2 | tr -d '\r'); do
  adb shell dumpsys package "$pkg" | grep -qE "READ_LOGS|BIND_ACCESSIBILITY_SERVICE|accessibilityservice.AccessibilityService" && echo "$pkg"; done
Given that Perseus is distributed via dropper apps, standard Play Protect scans might be bypassing the initial payload.
How is everyone handling the BYOD risk for this? Are you enforcing mobile containerization policies that block copy/paste into non-approved apps, or is user awareness training the only line of defense right now?
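As an added example (not code from the original post), here is a small audit of the value that `adb shell settings get secure enabled_accessibility_services` returns, compared against an allowlist of approved accessibility tools. The allowlist, the flashlight package name and the sample setting value are constructed for illustration; the parsing follows Android's flattened ComponentName form ("pkg/cls", with a leading "." in the class meaning "relative to pkg").

```python
"""Added example: audit enabled accessibility services against an allowlist.
Not code from the original post. Allowlist and sample value are constructed."""
from typing import Dict, List, Tuple

# Assumed allowlist of approved accessibility packages (replace with your own).
APPROVED_ACCESSIBILITY_PACKAGES = {
    "com.google.android.marvin.talkback",
}

# Constructed sample, shaped like the device's secure setting value.
# The flashlight package is invented for this example.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/.TalkBackService:"
    "com.example.flashlight/com.example.flashlight.a11y.Svc"
)


def parse_component(flat: str) -> Tuple[str, str]:
    """Parse the flattened ComponentName form 'pkg/cls'. A class starting
    with '.' is relative to the package, as in ComponentName.unflattenFromString()."""
    pkg, _, cls = flat.partition("/")
    if cls.startswith("."):
        cls = pkg + cls
    return pkg, cls


def parse_enabled_services(setting_value: str) -> List[Tuple[str, str]]:
    """The setting is a ':'-separated list of flattened components; 'null' or
    an empty string means no service is enabled."""
    value = setting_value.strip()
    if not value or value == "null":
        return []
    return [parse_component(item) for item in value.split(":") if item]


def audit_enabled_services(setting_value: str,
                           approved=APPROVED_ACCESSIBILITY_PACKAGES) -> Dict[str, List[str]]:
    """Bucket every enabled service by whether its package is approved."""
    report: Dict[str, List[str]] = {"approved": [], "unapproved": []}
    for pkg, cls in parse_enabled_services(setting_value):
        bucket = "approved" if pkg in approved else "unapproved"
        report[bucket].append(f"{pkg}/{cls}")
    return report


if __name__ == "__main__":
    # Real usage: feed in `adb shell settings get secure enabled_accessibility_services`
    for bucket, services in audit_enabled_services(SAMPLE_SETTING).items():
        for svc in services:
            print(f"{bucket}: {svc}")
```

Anything landing in the "unapproved" bucket is what the MDM policy discussed below should flag; an empty or "null" value simply means no service is enabled.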
We've started flagging any application that requests BIND_ACCESSIBILITY_SERVICE immediately in our MDM (Mobile Device Manager) unless it's a verified accessibility tool. The real issue with Perseus isn't just the infection vector; it's the exfiltration speed. By scraping notes, they bypass the need for real-time OTP interception via notifications, which flies under the radar of many SMS relay detection rules.
From a red team perspective, the evolution to Notes app monitoring is smart. During phishing simulations, we still see users pasting credentials into Samsung Notes or Google Keep to 'save for later.'
For detection, I'd recommend checking for calls to ContentResolver querying specific Note URIs (like content://com.google.android.providers.notes) combined with network socket creation. That query pattern is a strong IoC.
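The correlation rule described in the reply above, as an added example that is not part of the original thread: a content-provider query against a note-app authority followed within a short window by a socket connect from the same package raises an alert, while the note app's own sync (its own package querying its own provider) does not. The event format, the sample events, the second authority and the authority-to-owner mapping are all constructed; stock logcat does not record ContentResolver queries, so in practice the events would come from an instrumentation hook or a mobile EDR agent. The first authority is the one the reply names and is used here only as a configurable entry.

```python
"""Added example: correlate note-provider queries with socket creation.
Not code from the original thread. Event format and samples are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Authorities treated as note stores (assumption: edit to match your fleet's note apps).
NOTE_AUTHORITIES = {
    "com.google.android.providers.notes",   # as named in the thread
    "com.example.notes.provider",           # constructed placeholder
}
# Owning package per authority, so the note app's own sync is not an alert (constructed).
AUTHORITY_OWNERS: Dict[str, str] = {"com.example.notes.provider": "com.example.notes"}
WINDOW_SECONDS = 30.0


@dataclass
class Event:
    ts: float     # seconds since epoch
    pkg: str      # calling package
    kind: str     # "provider_query" or "socket_connect"
    detail: str   # content URI, or "host:port"


def parse_event(line: str) -> Event:
    """Parse the constructed 'ts|pkg|kind|detail' pipe-delimited format."""
    ts, pkg, kind, detail = line.strip().split("|", 3)
    return Event(float(ts), pkg, kind, detail)


def is_note_query(ev: Event) -> bool:
    """True for a query against a note authority by a package other than its owner."""
    if ev.kind != "provider_query":
        return False
    u = urlparse(ev.detail)
    if u.scheme != "content" or u.netloc not in NOTE_AUTHORITIES:
        return False
    owner: Optional[str] = AUTHORITY_OWNERS.get(u.netloc)
    return owner != ev.pkg


def detect_note_exfil(lines: List[str], window: float = WINDOW_SECONDS) -> List[Tuple[str, str, str]]:
    """Return (pkg, note_uri, destination) for each socket connect that follows a
    note-provider query by the same package within `window` seconds."""
    events = sorted((parse_event(line) for line in lines if line.strip()), key=lambda e: e.ts)
    pending: Dict[str, List[Event]] = defaultdict(list)
    alerts: List[Tuple[str, str, str]] = []
    for ev in events:
        if is_note_query(ev):
            pending[ev.pkg].append(ev)
        elif ev.kind == "socket_connect":
            fresh = [q for q in pending[ev.pkg] if ev.ts - q.ts <= window]
            alerts.extend((ev.pkg, q.detail, ev.detail) for q in fresh)
            pending[ev.pkg] = []   # fire once per query burst, drop stale queries
    return alerts


# Constructed sample events (packages and addresses are invented).
SAMPLE_LOG = [
    "1000.0|com.example.notes|provider_query|content://com.example.notes.provider/notes",  # own sync
    "1008.0|com.example.notes|socket_connect|203.0.113.5:443",
    "1005.0|com.example.flashlight|provider_query|content://com.google.android.providers.notes/notes",
    "1012.0|com.example.flashlight|socket_connect|203.0.113.10:443",                         # alert
    "1020.0|com.example.weather|provider_query|content://com.android.contacts/contacts",    # not notes
    "1021.0|com.example.weather|socket_connect|198.51.100.7:443",
    "1030.0|com.example.reader|provider_query|content://com.example.notes.provider/notes",
    "1130.0|com.example.reader|socket_connect|203.0.113.9:443",                              # 100 s late
]

if __name__ == "__main__":
    for pkg, uri, dst in detect_note_exfil(SAMPLE_LOG):
        print(f"ALERT {pkg}: read {uri} then connected to {dst}")
```

The window and the owner mapping are the two knobs that decide the false-positive rate: a tight window keeps a notes app's legitimate sync out of the alerts only if its package is mapped as the authority's owner, so that mapping has to be populated from the actual note apps deployed on the fleet.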
User education is failing on this front. I've found senior devs writing crypto seed phrases in default note apps because they think it's 'air-gapped' from the browser.
We deployed Network Security for Mobile (NSM) agents that inspect TLS traffic, but Perseus likely uses standard SSL/TLS. The dropper apps are the weak link—we've had to block third-party app store sideloading entirely for our corporate fleet to mitigate this DTO risk.