
Perseus Android Malware Targets Mobile Banking Users via Fake IPTV Apps
Why It Matters
The malware targets mobile banking and personal data, raising the threat level for consumers and enterprises reliant on Android devices and underscoring the need for stricter app vetting and advanced mobile threat detection.
Key Takeaways
- Disguised as IPTV apps, sideloaded outside stores
- Scans notes for passwords, recovery phrases
- Uses Accessibility Service for real‑time screen overlay
- Performs anti‑emulation checks, evades analysis
- Targets banking users in Turkey, Italy
Pulse Analysis
The rise of IPTV‑based malware reflects a broader shift in cyber‑crime: attackers are moving from exploiting software vulnerabilities to weaponizing everyday user behavior. By packaging malicious code inside popular streaming applications that are often sideloaded, threat actors bypass official app‑store reviews and tap into a trusted user expectation—instant video access. This distribution model, already prevalent in regions with high IPTV usage such as Turkey and Italy, lowers the barrier to infection and expands the attack surface beyond traditional app ecosystems.
Technically, the new Perseus variant demonstrates a sophisticated blend of old and new tactics. It inherits code from legacy families like Cerberus while adding Accessibility Service abuse to simulate legitimate interactions, enabling real‑time screen overlays that can capture banking credentials. A dedicated "scan_notes" command harvests data from note‑taking apps, extracting passwords, recovery phrases, and other sensitive information. Meanwhile, extensive environment checks—detecting emulators, debugging tools, and abnormal hardware metrics—allow the malware to remain dormant in sandboxes, evading conventional analysis tools.
For security teams, the emergence of this malware signals the need for a multi‑layered defense strategy. Organizations should enforce strict policies against sideloaded applications, deploy mobile threat detection solutions that monitor Accessibility Service usage, and incorporate behavioral analytics to flag anomalous app activity. Users must be educated about the risks of unofficial app sources, and developers should consider hardening note‑taking and banking apps against overlay attacks. As mobile devices continue to serve as primary banking hubs, the industry must adapt to threats that prioritize context and control over simple credential theft.
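A defender-side triage rule for the controls recommended above, added here as an example and not code from the original article or from any vendor: it flags an installed app only when the two traits this variant combines, sideloading and an Accessibility Service (or overlay capability), appear together, so ordinary store-vetted apps do not generate noise. The inventory field names, package names and sample records are constructed assumptions, not a real MDM export schema.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Installer packages treated as trusted stores; extend per fleet policy (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play

# Real Android permission names. BIND_ACCESSIBILITY_SERVICE must be declared on an
# accessibility service component; SYSTEM_ALERT_WINDOW allows drawing over other apps.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"


@dataclass
class InstalledApp:
    package: str
    installer: Optional[str]            # None = no installer recorded (sideloaded)
    permissions: Set[str] = field(default_factory=set)
    accessibility_enabled: bool = False  # user has switched its service on


def is_sideloaded(app: InstalledApp) -> bool:
    return app.installer not in TRUSTED_INSTALLERS


def risk_findings(app: InstalledApp) -> List[str]:
    """Reasons an app should be reviewed; an empty list means no match."""
    findings: List[str] = []
    if not is_sideloaded(app):
        return findings  # store-distributed apps went through the store review path
    if ACCESSIBILITY_PERM in app.permissions:
        findings.append("sideloaded app declares an Accessibility Service")
        if app.accessibility_enabled:
            findings.append("its Accessibility Service is currently enabled")
    if OVERLAY_PERM in app.permissions:
        findings.append("sideloaded app can draw over other apps (overlay)")
    return findings


def triage(inventory: List[InstalledApp]) -> Dict[str, List[str]]:
    """Map package name -> findings for every app that matched at least one rule."""
    return {a.package: risk_findings(a) for a in inventory if risk_findings(a)}


# Constructed sample inventory with hypothetical package names.
SAMPLE = [
    InstalledApp("com.example.bank", "com.android.vending", {OVERLAY_PERM}),
    InstalledApp("tv.example.iptvplayer", None, {ACCESSIBILITY_PERM, OVERLAY_PERM}, True),
    InstalledApp("com.example.notes", None, set()),
]

if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE).items():
        print(pkg, "->", "; ".join(reasons))
```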