
Android Malware “Perseus” Harvests Secrets from User Notes via Malicious IPTV Apps, Targeting Financial & Crypto Users in Turkey and Italy

ThreatFabric discovered Perseus, an Android malware family distributed through unofficial IPTV apps that scans note‑taking applications for passwords, recovery phrases, and financial data. The malware grants full remote control of infected devices, raising serious third‑party risk for financial institutions and crypto services in Turkey, Italy, and beyond.

🛡️ LiveThreat™ Intelligence · 📅 March 19, 2026 · 📰 bleepingcomputer.com

  • Severity: High
  • Type: ThreatIntel
  • Confidence: High
  • Affected: 3 sector(s)
  • Actions: 4 recommended
  • Source: bleepingcomputer.com

What Happened – Researchers at ThreatFabric identified a new Android malware family, Perseus, being distributed through unofficial IPTV‑streaming apps. The malware scans note‑taking applications (Google Keep, Samsung Notes, Evernote, etc.) for passwords, recovery phrases, and financial data, then exfiltrates the information while granting the operator full remote control of the device.

Why It Matters for TPRM

  • Third‑party mobile apps installed on corporate or employee‑owned devices can become a covert data‑exfiltration channel.
  • Credential theft from note‑apps can compromise corporate VPNs, cloud services, and crypto wallets tied to the organization.
  • The use of sideloaded APKs bypasses standard Play‑Store protections, exposing any entity that permits or does not restrict such installations.

Who Is Affected – Financial institutions, payment processors, and cryptocurrency service providers (primarily in Turkey and Italy); employees who install unofficial IPTV apps on corporate‑issued Android devices.

Recommended Actions

  • Enforce strict mobile‑app whitelisting and block sideloading of APKs on all corporate Android devices.
  • Deploy mobile‑endpoint protection that monitors Accessibility‑Service abuse and unusual UI‑automation behavior.
  • Conduct a review of any third‑party mobile applications (including IPTV services) that have access to corporate data or networks.
  • Educate users about the risks of installing apps from unofficial stores and the signs of malicious overlay or screenshot activity.

Technical Notes – Perseus leverages the Android Accessibility Service to capture screenshots, stream VNC sessions, simulate UI interactions, and overlay black screens to hide activity. It bypasses Android 13+ sideloading restrictions using a known dropper also employed by Klopatra and Medusa malware. Two variants exist (Turkish and English); the English build shows AI‑generated code artifacts. Targeted note‑apps include Google Keep, Xiaomi Notes, Samsung Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes. Source: BleepingComputer
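A triage check for the two conditions this brief pairs, an enabled Accessibility Service and a sideloaded install. It is an added example, not code from ThreatFabric or BleepingComputer. It parses the text output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`; the sample output, the package name `com.example.iptvplayer`, and the policy that only Google Play is a trusted installer are assumptions.

```python
import re

# Assumption: Google Play is the only approved install source in this fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

def enabled_service_packages(raw):
    """Packages owning an enabled accessibility service.
    Input: output of `adb shell settings get secure enabled_accessibility_services`,
    a colon-separated list of package/service components."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {comp.split("/", 1)[0] for comp in raw.split(":") if comp}

def installers(raw):
    """Map package -> installer from `adb shell pm list packages -i` output."""
    found = {}
    for line in raw.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def flag_untrusted_accessibility(services_raw, packages_raw, preinstalled=()):
    """Return sorted (package, installer) pairs that hold an enabled
    accessibility service but were not installed by a trusted source."""
    by_pkg = installers(packages_raw)
    hits = []
    for pkg in sorted(enabled_service_packages(services_raw)):
        if pkg in preinstalled:
            continue  # vendor-shipped services, e.g. from `pm list packages -s`
        source = by_pkg.get(pkg, "unknown")
        if source not in TRUSTED_INSTALLERS:
            hits.append((pkg, source))
    return hits

# Constructed sample output; com.example.iptvplayer is a made-up package name.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/"
                   "com.google.android.marvin.talkback.TalkBackService:"
                   "com.example.iptvplayer/com.example.iptvplayer.SyncService\n")
SAMPLE_PACKAGES = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.google.android.keep  installer=com.android.vending
package:com.example.iptvplayer  installer=null
"""

if __name__ == "__main__":
    for pkg, source in flag_untrusted_accessibility(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg}: accessibility service enabled, installer={source}")
```

A hit is a lead for review, not a verdict: legitimate assistive apps installed outside Google Play will also appear, so pass known vendor packages through `preinstalled`.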

📰 Original Source
https://www.bleepingcomputer.com/news/security/new-perseus-android-malware-checks-user-notes-for-secrets/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
