Android Banking Trojan “Perseus” Embedded in IPTV Apps Targets Turkish and Italian Users, Harvesting Credentials and Personal Notes
What Happened — Researchers at ThreatFabric uncovered a new Android malware family, Perseus, that is being distributed via unofficial IPTV streaming apps. The trojan overlays fake login screens, logs keystrokes, and extracts data from note‑taking apps such as Google Keep, Evernote, and Simple Notes.
Why It Matters for TPRM —
- Third‑party mobile apps can become a covert entry point to corporate credentials and sensitive notes.
- Compromised personal notes often contain passwords, recovery phrases, and financial details that can be reused against partner services.
- The abuse of sideloaded IPTV apps highlights the need for strict mobile‑app vetting in supply‑chain risk programs.
Who Is Affected — Consumers in Turkey and Italy; by extension, any organization that allows BYOD Android devices or supplies corporate‑issued Android phones.
Recommended Actions — Review and restrict the installation of non‑official Android apps, enforce mobile‑device management (MDM) policies that block sideloading, and deploy endpoint‑detection‑and‑response (EDR) solutions capable of spotting overlay attacks and keyloggers.
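To make the sideloading and overlay/keylogger checks above concrete, here is an added example (not from ThreatFabric or the original brief) that triages a device inventory for apps installed outside Google Play. The package names and sample outputs are constructed, and treating the overlay permission or an enabled accessibility service as the risky capability is this example's own heuristic, not a published Perseus indicator.

```python
import re

# Installers treated as trusted stores (assumption: set this per MDM policy).
TRUSTED_INSTALLERS = {"com.android.vending"}
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed sample of `adb shell pm list packages -3 -i` output.
PM_OUTPUT = """\
package:com.evernote  installer=com.android.vending
package:tv.example.iptvplayer  installer=null
package:org.example.notes  installer=com.google.android.packageinstaller
package:com.example.filemanager  installer=com.android.vending
"""
# Constructed sample of `adb shell settings get secure enabled_accessibility_services`.
A11Y_OUTPUT = "tv.example.iptvplayer/.core.HelperService:com.example.filemanager/.A11y"
# Constructed package -> requested permissions map (e.g. parsed from `dumpsys package`).
REQUESTED = {
    "tv.example.iptvplayer": {OVERLAY_PERM, "android.permission.INTERNET"},
    "org.example.notes": {"android.permission.INTERNET"},
}
LINE_RE = re.compile(r"^package:(\S+)\s+installer=(\S+)$")

def parse_installers(pm_output):
    """Return {package: installer} from `pm list packages -i` text."""
    matches = (LINE_RE.match(line.strip()) for line in pm_output.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}

def parse_a11y(setting):
    """Return packages that have an enabled accessibility service."""
    value = (setting or "").strip()
    if value in ("", "null"):
        return set()
    return {c.split("/", 1)[0] for c in value.split(":") if c}

def audit(pm_output, a11y_setting, requested):
    """Flag sideloaded apps; 'high' if they can also draw overlays or observe input."""
    a11y = parse_a11y(a11y_setting)
    findings = []
    for pkg, installer in sorted(parse_installers(pm_output).items()):
        if installer in TRUSTED_INSTALLERS:
            continue
        reasons = ["sideloaded (installer=%s)" % installer]
        if OVERLAY_PERM in requested.get(pkg, set()):
            reasons.append("requests overlay permission")
        if pkg in a11y:
            reasons.append("accessibility service enabled")
        findings.append((pkg, "high" if len(reasons) > 1 else "review", reasons))
    return findings
```

Calling `audit(PM_OUTPUT, A11Y_OUTPUT, REQUESTED)` rates the sideloaded IPTV player "high" and the sideloaded notes app "review", while the Play-installed file manager is not flagged even though its accessibility service is enabled.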
Technical Notes — Perseus repurposes leaked Cerberus source code, uses overlay UI attacks and keylogging to capture credentials, and scans for note‑taking apps to exfiltrate stored content. Distribution occurs through APKs downloaded outside Google Play, leveraging the popularity of pirated IPTV services.
Source: The Record