Perseus Malware: The New Threat to Android Notes

On March 19, 2026, cybersecurity firm Group-IB released a technical report detailing a new and highly effective Android malware family dubbed Perseus. Unlike traditional trojans that rely on overlay attacks or keylogging, Perseus employs a unique strategy: it specifically targets notes and journaling applications to exfiltrate highly sensitive financial credentials and cryptocurrency private keys.

The Psychology of the Attack

The developers of Perseus have correctly identified a major weakness in modern security: the human habit of storing "sensitive but temporary" information in digital notes. Despite years of warnings from security professionals, millions of users still keep banking passwords, PIN codes, and seed phrases in apps like Google Keep, Samsung Notes, and Evernote for easy access.

Perseus exploits this trust. Once installed via a malicious "system update" or a compromised utility app, the malware requests **Accessibility Services** permissions. Once granted, it doesn't just watch your screen; it programmatically scans the content of every note-taking app installed on the device, looking for keywords like "password," "login," "mnemonic," and "wallet."

Technical Capabilities: Beyond Simple Scanning

Perseus is not just a text scraper. It includes a sophisticated **Optical Character Recognition (OCR)** engine that can extract text from screenshots and images stored within notes. This means that even if you took a photo of your recovery phrase instead of typing it, Perseus can still steal it.

Furthermore, the malware includes a "Stealth Exfiltration" module. Instead of sending large batches of data that might trigger network monitoring tools, Perseus encrypts the stolen snippets and hides them within harmless-looking telemetry pings to its Command and Control (C2) server. This allows it to remain undetected on a device for months while slowly draining the victim's digital life.

Targeted Apps and Distribution

The Group-IB report identifies several high-profile targets for Perseus, including:

• Google Keep
• Samsung Notes
• Microsoft OneNote
• Evernote
• Notion (Android Client)
• Standard Notes (Encrypted notes are targeted via memory scraping during decryption)

The malware is primarily distributed through **smishing (SMS phishing)** campaigns. Users receive a message claiming their "Android Security Certificate" has expired and are directed to a legitimate-looking landing page to download a "repair tool." Once the user grants the necessary permissions, Perseus begins its silent work.

The Banking Connection

While the notes scanning is its unique feature, Perseus remains a potent banking trojan at its core. It includes modules for intercepting 2FA SMS messages and can perform **Account Takeover (ATO)** by using the stolen credentials to log into banking apps directly from the victim's device. By mirroring the victim's device fingerprint and location, the malware can often bypass traditional fraud detection systems.

How to Protect Your Android Device

The rise of Perseus highlights the need for a shift in how we manage sensitive data on mobile devices. Here are the critical steps to secure your information:

1. Never Store Passwords in Notes: Use a dedicated, audited password manager with biometric locking.
2. Audit Accessibility Permissions: Go to Settings > Accessibility and ensure only trusted, essential apps have access. If an app you don't recognize has permission, revoke it immediately.
3. Enable Google Play Protect: Ensure your device's built-in malware scanner is active and up to date.
4. Beware of Side-Loading: Only download apps from the official Google Play Store. Never install APKs from SMS links or unknown websites.
5. Use Physical Recovery Keys: For cryptocurrency and sensitive accounts, use physical hardware wallets and recovery sheets stored offline in a physical safe.

Conclusion

Perseus represents a dangerous evolution in Android malware. By targeting the "digital junk drawer" of our note-taking apps, it bypasses many of the traditional security hurdles that protect our banking and crypto accounts. As we continue to integrate more of our lives into our mobile devices, the importance of digital hygiene has never been greater. Stay vigilant, audit your permissions, and move your secrets to a secure vault today.