A newly discovered Android malware strain named Perseus is actively targeting popular note-taking applications to steal sensitive user data. Discovered by the cybersecurity firm ThreatFabric, the malicious software hides within third-party IPTV apps to systematically harvest passwords and crypto recovery phrases. This report serves as a direct warning for Android users who sideload applications from unofficial sources, highlighting the urgent need to audit device permissions and secure personal notes.
The new malware builds on the foundations of its predecessors, Cerberus and Phoenix, but adds highly targeted data extraction. Perseus abuses the Android Accessibility Service to run remote sessions in which the operator captures real-time screenshots, injects screen taps, and launches applications without the victim's consent. It can also toggle a black screen overlay that hides the remote activity from the victim while the operator works in the background.
What makes the Perseus Android malware particularly distinctive is its ability to systematically explore note-taking applications without any manual involvement from the threat actors. The malware features a baked-in command that, once triggered, automatically scans and records the contents of notes, searching for high-value personal and financial information. According to ThreatFabric, the malware specifically targets the following applications:
- Google Keep
- Xiaomi Notes
- Samsung Notes
- ColorNote Notepad Notes
- Evernote - Note Organizer
- Microsoft OneNote
- Simple Notes Pro
- Simple Notes
Currently, Perseus is propagating through applications masquerading as legitimate IPTV streaming services. These malicious applications are primarily distributed outside the official Google Play Store, targeting users who are more likely to bypass Android security warnings and grant invasive permission requests. To mitigate this threat, security experts strongly advise users to keep the Play Protect feature enabled and to strictly avoid downloading unnecessary streaming applications from unverified third-party sources.
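The audit the article asks users to perform, as an added example that is not code from ThreatFabric or from this article: a small POSIX shell script that lists which packages currently hold an Accessibility Service grant and flags any that did not come from the Play Store. It parses the two values a device exposes over adb (the secure setting `enabled_accessibility_services` and `pm list packages -i`); the sample data embedded below is constructed, and treating only `com.android.vending` as a trusted installer is an assumption you should widen for OEM app stores.

```shell
#!/bin/sh
# Added audit helper (not from ThreatFabric or the article). It cross-checks
# the apps holding an Accessibility Service grant against their installer.
# Assumption: only the Play Store (com.android.vending) counts as trusted.

# Constructed sample data standing in for `adb shell` output (not a real device).
SAMPLE_SERVICES='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.iptv/com.example.iptv.AccService'
SAMPLE_PM='package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.iptv  installer=null
package:com.google.android.keep  installer=com.android.vending'

# parse_enabled_services VALUE
#   VALUE is the secure setting enabled_accessibility_services: a colon-separated
#   list of pkg/ServiceClass entries ("null" when nothing is enabled).
#   Prints one package name per line.
parse_enabled_services() {
    printf '%s\n' "$1" | tr -d '\r' | tr ':' '\n' | awk -F/ 'NF >= 2 { print $1 }'
}

# installer_of PM_OUTPUT PKG
#   PM_OUTPUT is `pm list packages -i` output ("package:NAME  installer=SRC").
#   Prints the installer recorded for PKG, or nothing if PKG is not listed.
installer_of() {
    printf '%s\n' "$1" | tr -d '\r' | awk -v want="package:$2" \
        '$1 == want { sub(/^installer=/, "", $2); print $2 }'
}

# flag_sideloaded_a11y SERVICES PM_OUTPUT
#   Prints "PKG installer=SRC" for every accessibility-enabled package whose
#   installer is not the Play Store. Sideloaded apps show installer=null.
flag_sideloaded_a11y() {
    _services="$1"; _pm="$2"
    for _pkg in $(parse_enabled_services "$_services"); do
        _inst=$(installer_of "$_pm" "$_pkg")
        case "$_inst" in
            com.android.vending) ;;   # Play-installed: not flagged
            *) printf '%s installer=%s\n' "$_pkg" "${_inst:-unknown}" ;;
        esac
    done
}

if [ "${1:-}" = "--live" ]; then
    # Query a connected device (needs USB debugging and adb on PATH).
    flag_sideloaded_a11y \
        "$(adb shell settings get secure enabled_accessibility_services)" \
        "$(adb shell pm list packages -i)"
else
    # Offline demo on the constructed sample: flags com.example.iptv.
    flag_sideloaded_a11y "$SAMPLE_SERVICES" "$SAMPLE_PM"
fi
```

Run it with `--live` against a device to get the real list; anything it prints is an app that can read the screen and inject input (exactly what the article describes Perseus doing) and that did not arrive through the Play Store, so it deserves a second look or revocation under Settings > Accessibility.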
My Take
The shift toward targeting note-taking applications represents a logical, albeit dangerous, evolution in the mobile threat landscape. Many users treat apps like Google Keep or Samsung Notes as makeshift, unencrypted password managers, making them an absolute goldmine for threat actors seeking crypto recovery phrases and banking PINs. The success of the Perseus malware underscores a persistent vulnerability within the Android ecosystem: the continuous abuse of Accessibility Services. Until Google implements stricter sandboxing or limits how sideloaded apps interact with accessibility APIs, users must remain hyper-vigilant about the permissions they grant to unverified software.
Frequently Asked Questions
How does the Perseus malware infect Android devices?
The malware primarily spreads through fake IPTV streaming applications that users download and sideload from outside the official Google Play Store.
Which applications are targeted by this malware?
Perseus specifically targets popular note-taking apps, including Google Keep, Samsung Notes, Microsoft OneNote, and Evernote, to extract sensitive text.
How can I protect my smartphone from this threat?
Avoid downloading applications from unverified third-party sources, ensure that Google Play Protect is actively scanning your device, and never grant Accessibility permissions to untrusted apps.