Latest Medusa Android Trojan Aiming at Banking Users in Seven Countries
Cybersecurity experts have unearthed a new iteration of an Android banking trojan known as Medusa that has been deployed to target individuals in Canada, France, Italy, Spain, Turkey, the United Kingdom, and the United States.
The updated campaigns, identified in May 2024 but active since July 2023, were run by five distinct botnets operated by different affiliates, according to an analysis released by cybersecurity company Cleafy last week.
The new Medusa variants come with a “basic permission set and new functions, including the capacity to exhibit a full-screen overlay and uninstall applications remotely,” said security researchers Simone Mattia and Federico Valentini.
Medusa, also known as TangleBot, is a sophisticated Android malware family first detected in July 2020 targeting financial institutions in Turkey. It can read SMS messages, log keystrokes, capture screenshots, record calls, stream the device screen live, and carry out fraudulent fund transfers via overlay attacks that harvest banking credentials.
In February 2022, ThreatFabric documented Medusa operations using delivery mechanisms similar to FluBot (also known as Cabassous), disguising the malware as seemingly harmless parcel delivery and utility applications. The threat actors behind the trojan are suspected to be based in Turkey.
The latest analysis by Cleafy highlights not only enhancements to the malware but also the use of dropper applications to distribute Medusa under the guise of fake updates. In addition, legitimate services such as Telegram and X are used as dead drop resolvers: the malware retrieves the address of its command-and-control (C2) server from content posted there, rather than embedding it directly.
A notable change is the reduction in the number of permissions requested, an evident attempt to lower the chances of detection. The malware still requires Android’s accessibility services API, however, which lets it quietly grant itself further permissions as needed without arousing the user’s suspicion.
Another change is the ability to draw a black screen overlay on the victim’s device, making it appear locked or switched off while malicious operations are carried out underneath.
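The combination described above, a small declared permission set paired with an accessibility service that can unlock more, together with the overlay and remote-uninstall capabilities, is something a defender can triage directly from an APK’s manifest. The following is an added example and not Cleafy’s or any vendor’s tooling; the manifest it parses is constructed for illustration (the package name and service name are invented, not indicators from the article), and the permission-count threshold is an assumed heuristic.

```python
"""Manifest triage for the capability pattern discussed in the article:
an accessibility service (a path to self-granting further permissions)
combined with overlay and package-removal permissions, declared alongside
only a handful of other permissions. Added example; sample data is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A = f"{{{ANDROID_NS}}}"  # prefix for android:* attributes in ElementTree

# Constructed sample manifest (hypothetical package and class names).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application android:label="System Update">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed benign manifest for comparison: no accessibility service.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""

# Capabilities named in the article, mapped to the permission that enables them.
CAPABILITY_PERMISSIONS = {
    "full_screen_overlay": "android.permission.SYSTEM_ALERT_WINDOW",
    "remote_uninstall": "android.permission.REQUEST_DELETE_PACKAGES",
}
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def parse_manifest(xml_text):
    """Extract package name, declared permissions and whether any service
    is bound as an accessibility service."""
    root = ET.fromstring(xml_text)
    perms = {p.get(f"{A}name") for p in root.iter("uses-permission")}
    a11y = any(s.get(f"{A}permission") == A11Y_BIND for s in root.iter("service"))
    return {"package": root.get("package"),
            "permissions": perms,
            "accessibility_service": a11y}


def triage(xml_text, max_declared=8):
    """Return the capability findings plus a flag for the 'minimal permission
    set but accessibility-backed' pattern. max_declared is an assumed threshold."""
    info = parse_manifest(xml_text)
    findings = []
    if info["accessibility_service"]:
        findings.append("accessibility_service")
    for capability, perm in CAPABILITY_PERMISSIONS.items():
        if perm in info["permissions"]:
            findings.append(capability)
    # Few declared permissions are only suspicious when an accessibility
    # service gives the app a route to more at runtime.
    minimal = info["accessibility_service"] and len(info["permissions"]) <= max_declared
    return {"package": info["package"],
            "findings": findings,
            "minimal_set_with_a11y": minimal}


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

On a real sample the manifest would first be decoded from the APK’s binary XML (for example with apktool or androguard); the logic above only covers the triage step once the text form is available, and the findings are a prompt for analysis, not a verdict on their own.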
Medusa botnet clusters have typically relied on conventional methods such as phishing to spread the malware. More recent waves, however, have been observed distributing it through dropper applications downloaded from untrusted sources, showing a continued evolution in the operators’ tactics.
“By minimizing the necessary permissions, the trojan manages to avoid identification and appears more innocuous, thereby enhancing its capability to function clandestinely for prolonged periods,” the researchers said. “In terms of geography, the malicious software is making headway into fresh territories such as Italy and France, signifying a purposeful attempt to broaden its victim base and increase its attack landscape.”
This development coincides with Symantec’s disclosure that fake Chrome browser updates for Android are being used to deploy the Cerberus banking trojan. Similar campaigns pushing counterfeit Telegram applications through deceptive websites (“telegroms[.]icu”) have also been observed distributing another Android malware known as SpyMax.
After installation, the application prompts the user to enable accessibility services, which allows it to collect keystrokes, precise location, and even the device’s speed. The gathered data is then compressed and sent to an encoded C2 server.
“SpyMax functions as a remote administration tool (RAT) with the capacity to amass personal/private data from the infected device without user consent and send it to a remote malicious actor,” K7 Security Labs reported. “This provides the threat actors control over victims’ devices, impacting their privacy and data confidentiality.”