Mar 21, 2026 · 5 min read
This Android Malware Reads Your Notes App to Find Every Password You Stored There
Perseus is the first malware family specifically designed to scan note taking apps for passwords and recovery phrases. It hides inside fake streaming apps and targets Google Keep, Samsung Notes, OneNote, Evernote, and more.
You know you should use a password manager. You tell yourself you will set one up eventually. In the meantime, you type your Wi-Fi password into Google Keep, your bank login into Samsung Notes, and your crypto recovery phrase into a note titled "IMPORTANT do not delete." Researchers at ThreatFabric just found the first Android malware built specifically to find and steal exactly those notes.
The malware is called Perseus, and it represents a new category of Android threat. Previous banking trojans targeted login screens and payment apps. Perseus goes after the unstructured, unprotected text files where people actually store their most sensitive information.
How It Spreads
Perseus hides inside apps that look like IPTV streaming services, platforms that stream television content over the internet. These apps are distributed through phishing sites, not the Google Play Store, and target users who are looking for free or pirated streaming content.
The distribution method is deliberately calculated. People who sideload streaming apps from unofficial sources are accustomed to bypassing Android's security warnings and manually enabling installation from unknown sources. They expect the installation process to feel slightly unofficial, which means they are less likely to question suspicious permissions requests.
The campaign currently targets users in Turkey, Italy, Poland, Germany, France, the United Arab Emirates, and Portugal, though the malware's capabilities are not geographically restricted.
The Notes Scanning Feature
What makes Perseus unique is its scan_notes command. When activated from the attacker's control panel, the malware systematically reads through every note stored in these apps:
- Google Keep
- Samsung Notes
- Xiaomi Notes
- ColorNote Notepad Notes
- Evernote
- Simple Notes Pro
- Microsoft OneNote
ThreatFabric researchers confirmed this is the first time an Android malware family has been observed specifically targeting note taking applications to extract stored passwords, recovery phrases, and other sensitive text. Previous trojans focused on overlaying fake login screens on banking apps. Perseus skips that step entirely and goes straight to where people actually write down their credentials.
Full Device Takeover
Notes scanning is just one capability. Perseus is a full featured remote access trojan built on the leaked source code of Cerberus, a notorious Android banking trojan whose code was published in 2020. Since then, multiple malware families have evolved from the Cerberus codebase, including Alien and ERMAC. Perseus represents the latest and most capable branch of this lineage.
Its complete feature set includes:
- VNC and hidden VNC (HVNC) access for real-time screen monitoring and remote control, with the HVNC session invisible to the user
- Keystroke logging that captures everything typed on the device
- Overlay attacks on financial apps, displaying fake login screens over legitimate banking interfaces
- Black screen overlays that hide what the attacker is doing while they control the device
- Audio muting to prevent notification sounds from alerting the victim
- Remote app installation, including force-enabling installation from unknown sources
Researchers also found evidence that the developers used large language models during development. Extensive in-app logging with emoji annotations suggests AI-assisted coding, a trend that is making malware development faster and more accessible to less skilled threat actors. This mirrors the broader pattern of ransomware gangs using AI to write their malware.
Why Notes Apps Are the Perfect Target
Password managers encrypt your credentials behind a master password and store them in a format that is useless without decryption. Notes apps do none of that. Your passwords sit in plain text, searchable, exportable, and readable by any app with accessibility permissions.
Security researchers have long warned that storing passwords in notes apps is roughly equivalent to writing them on a sticky note. The difference is that a sticky note on your monitor can only be read by someone physically present. A compromised notes app can be read by anyone with remote access to your device, from anywhere in the world.
The risk extends beyond passwords. People store recovery phrases for cryptocurrency wallets, two factor authentication backup codes, Social Security numbers, and other sensitive data in notes apps. Perseus targets all of it.
How to Protect Yourself
The most important step is also the simplest: stop storing passwords in notes apps.
- Use a password manager. Apps like Bitwarden, 1Password, or the built in Google Password Manager encrypt your credentials and autofill them without exposing the actual text.
- Move existing passwords out of notes. Search your notes apps for entries containing passwords, PINs, recovery phrases, or account numbers. Transfer them to a password manager, then delete the notes.
- Never sideload streaming apps. If a streaming service is not available on the Google Play Store, there is usually a reason. Pirated IPTV apps are one of the primary delivery mechanisms for Android malware.
- Keep Google Play Protect enabled. While it is not perfect, Play Protect provides a baseline defense against known malware families and will flag many sideloaded threats.
- Review accessibility permissions. Go to Settings, then Accessibility on your Android device and review which apps have accessibility access. This permission is what Perseus and similar malware abuse to read screen content. Android 17 is locking down this exact permission, but until that update reaches your phone, manual review is your best defense.
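The manual review described in the last step can be scripted for anyone who administers more than one phone. The following is an added example, not code from ThreatFabric or from the article: it reads the same Secure Settings value that the Settings > Accessibility screen reflects (via `adb shell settings get secure enabled_accessibility_services`) and flags any package holding accessibility access that is not on an allowlist you maintain. The sample value and the `com.example.iptvplayer` package are constructed placeholders; the allowlist containing only TalkBack is an assumption.

```shell
#!/bin/sh
# Added example (not from ThreatFabric's report): audit which apps hold
# Android accessibility access, the permission Perseus abuses to read
# screen content. The Settings > Accessibility screen reflects this
# Secure Settings value, readable over adb with:
#   adb shell settings get secure enabled_accessibility_services
# Its format is "pkg/ServiceClass:pkg2/ServiceClass2", or "null" when
# no accessibility service is enabled.

# Constructed sample value standing in for live adb output; the IPTV
# package name is a made-up placeholder, not a real indicator.
SAMPLE='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.iptvplayer/com.example.iptvplayer.A11yService'

# Packages you knowingly granted accessibility access (assumption:
# here only TalkBack, Android's built-in screen reader).
ALLOWLIST='com.google.android.marvin.talkback'

# Print the distinct package names in a setting value, one per line.
a11y_packages() {
  value=$1
  if [ -z "$value" ] || [ "$value" = "null" ]; then
    return 0
  fi
  printf '%s\n' "$value" | tr ':' '\n' | cut -d/ -f1 | sort -u
}

# Print packages holding accessibility access that are NOT on the
# space-separated allowlist; empty output means nothing unexpected.
a11y_unexpected() {
  value=$1
  allow=$2
  a11y_packages "$value" | while IFS= read -r pkg; do
    case " $allow " in
      *" $pkg "*) ;;                 # expected, skip
      *) printf '%s\n' "$pkg" ;;     # flag for manual review
    esac
  done
}

# Live use against a connected device (adb required).
audit_device() {
  a11y_unexpected \
    "$(adb shell settings get secure enabled_accessibility_services | tr -d '\r')" \
    "$ALLOWLIST"
}

# Demo on the constructed sample: prints com.example.iptvplayer
if [ "${1:-}" = "--demo" ]; then
  a11y_unexpected "$SAMPLE" "$ALLOWLIST"
fi
```

Run with `--demo` to see the constructed case, or call `audit_device` with a phone attached; anything it prints deserves the same scrutiny the article recommends for the Accessibility settings screen.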