The Perseus Android banking trojan (Cerberus-lineage) systematically targets note-taking applications—Google Keep, Samsung Notes, Xiaomi Notes, ColorNote, Evernote, Microsoft OneNote, and Simple Notes—to extract plaintext passwords, cryptocurrency seed phrases, and financial credentials stored in notes, a novel attack surface distinct from traditional overlay or keylogging techniques. Forty-two financial institutions across Turkey, Italy, Poland, Germany, and France and nine cryptocurrency platforms are primary institutional targets. Organizations should require immediate credential rotation for any passwords or seed phrases stored in note-taking apps on Android devices, enforce mobile security policies prohibiting plaintext credential storage in notes, and deploy or query mobile threat defense solutions for Cerberus-lineage behavioral indicators and Accessibility Service abuse.
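One way to run the Accessibility Service check recommended above on a managed device, as an added example that is not part of the original advisory: it parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages`, then prioritises devices where a non-allowlisted accessibility service coexists with a targeted note-taking app. The allowlist, the partial package-name map, and the sample device output are assumptions constructed for illustration.

```python
# Added example. Package ids below are the apps' known Play Store ids, not
# values from the advisory; the map is partial and should be extended locally.
NOTE_APPS = {
    "com.google.android.keep": "Google Keep",
    "com.samsung.android.app.notes": "Samsung Notes",
    "com.evernote": "Evernote",
    "com.microsoft.office.onenote": "Microsoft OneNote",
}
# Assumption: the organisation's approved accessibility services.
ALLOWED_A11Y = {"com.google.android.marvin.talkback"}

def parse_a11y(raw):
    """Split the colon-separated 'package/class' list; 'null' or empty means none."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            services.append((pkg, cls))
    return services

def parse_packages(raw):
    """Turn 'package:com.foo' lines from 'pm list packages' into a set."""
    return {line.split(":", 1)[1].strip()
            for line in raw.splitlines() if line.startswith("package:")}

def triage(a11y_raw, pm_raw, allowed=ALLOWED_A11Y):
    """Flag unexpected accessibility services; raise priority if note apps exist."""
    unexpected = sorted({pkg for pkg, _ in parse_a11y(a11y_raw) if pkg not in allowed})
    notes = sorted(NOTE_APPS[p] for p in parse_packages(pm_raw) if p in NOTE_APPS)
    if unexpected and notes:
        priority = "high"      # unknown service can read on-screen note content
    elif unexpected:
        priority = "review"
    else:
        priority = "none"
    return {"unexpected_services": unexpected, "note_apps": notes, "priority": priority}

# Constructed sample output (com.example.updater is a made-up package).
SAMPLE_A11Y = ("com.google.android.marvin.talkback/"
               "com.google.android.marvin.talkback.TalkBackService:"
               "com.example.updater/com.example.updater.SvcA11y\n")
SAMPLE_PM = "package:com.google.android.keep\npackage:com.evernote\npackage:com.example.updater\n"

if __name__ == "__main__":
    print(triage(SAMPLE_A11Y, SAMPLE_PM))
```

A "high" result is a triage signal for credential rotation and closer inspection of the flagged package, not proof of infection.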