Medusa Banking Trojan Strikes Again: New Campaigns Target Global Users
After almost a year of lying low, the notorious Medusa banking trojan for Android is back, hitting users in France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey. The new campaigns have been running largely undetected since May, with the malware sporting compact variants that need fewer permissions and carry new features to initiate transactions directly from infected devices.
What is Medusa?
Also known as TangleBot, Medusa is a potent Android malware-as-a-service (MaaS) discovered in 2020. It offers malicious capabilities like keylogging, screen controls, and SMS manipulation. Despite sharing its name with other cyber threats, this operation is distinct from the Medusa ransomware gang and the Mirai-based botnet used for DDoS attacks.
New Campaign Insights
Cleafy, a leading online fraud management company, recently uncovered these fresh Medusa campaigns. The malware is now lighter, needing fewer device permissions, and comes with full-screen overlay and screenshot capturing features.
Recent Campaign Findings
- First Evidence: The new Medusa variants surfaced in July 2023, using SMS phishing (“smishing”) to lure victims into installing the malware through fake apps.
- Campaigns & Botnets: Cleafy identified 24 campaigns, linked to five botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY). These botnets distributed malicious apps, including fake Chrome browsers, a 5G connectivity app, and a fake streaming app called 4K Sports—perfect bait during the UEFA EURO 2024 championship.
- Target Regions: The UNKN botnet, in particular, focuses on Europe, especially France, Italy, Spain, and the UK.
Centralized Command & Control
All Medusa operations are managed through a central infrastructure that dynamically fetches URLs for command and control (C2) servers from public social media profiles.
New Medusa Variant Features
The latest Medusa variant has minimized its footprint, requesting only essential permissions, but it still requires Android’s Accessibility Services. It can also still read the victim’s contact list and send SMS, which is what lets it spread its own smishing lures.
New Commands:
- destroyo: Uninstall a specific application
- permdrawover: Request ‘Drawing Over’ permission
- setoverlay: Set a black screen overlay
- take_scr: Take a screenshot
- update_sec: Update user secret
The ‘setoverlay’ command is particularly sneaky, making the device appear locked or shut off while malicious activities occur in the background. The new screenshot-capturing ability also lets attackers steal sensitive information directly from infected devices.
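The permission profile described above (Accessibility Services, contacts, SMS, plus the ‘draw over other apps’ permission that the permdrawover and setoverlay commands depend on) is something a defender can screen for before an APK is sideloaded or allowed onto a fleet. The following Python triage script is an added example, not code from the article or from Cleafy: it parses an AndroidManifest.xml, checks for the real Android permission strings that correspond to those capabilities, and flags the combination for review. The two manifests at the bottom are constructed for the example, and the risk weights are an assumption chosen for illustration.

```python
"""Triage an Android manifest for the permission profile attributed to the
new Medusa variants: an accessibility service plus contacts and SMS access,
with SYSTEM_ALERT_WINDOW backing the full-screen overlay.
Added defender-side example; manifests below are constructed, not real samples."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS            # android:name attribute
PERMISSION = "{%s}permission" % ANDROID_NS  # android:permission attribute

# Real Android permission strings; the weights are an assumption for this example.
WEIGHTED_PERMISSIONS = {
    "android.permission.SEND_SMS": 2,
    "android.permission.READ_SMS": 1,
    "android.permission.RECEIVE_SMS": 1,
    "android.permission.READ_CONTACTS": 2,
    "android.permission.SYSTEM_ALERT_WINDOW": 2,  # "draw over other apps"
}
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def declared_permissions(root):
    """Set of permission names from every <uses-permission> element."""
    return {el.get(NAME) for el in root.iter("uses-permission") if el.get(NAME)}


def declares_accessibility_service(root):
    """True if a <service> is protected by BIND_ACCESSIBILITY_SERVICE and
    filters the AccessibilityService intent action (the standard way an app
    registers an accessibility service)."""
    for svc in root.iter("service"):
        if svc.get(PERMISSION) != ACCESSIBILITY_BIND:
            continue
        if any(a.get(NAME) == ACCESSIBILITY_ACTION for a in svc.iter("action")):
            return True
    return False


def triage_manifest(manifest_xml):
    """Return package name, additive risk score, findings and a verdict."""
    root = ET.fromstring(manifest_xml)
    perms = declared_permissions(root)
    findings = sorted(p for p in perms if p in WEIGHTED_PERMISSIONS)
    score = sum(WEIGHTED_PERMISSIONS[p] for p in findings)
    if declares_accessibility_service(root):
        score += 3
        findings.append("accessibility-service")
    # Accessibility + SMS + contacts in one app is the combination the article
    # describes for the trojan; escalate it to manual review regardless of score.
    core = {"android.permission.SEND_SMS", "android.permission.READ_CONTACTS"}
    if "accessibility-service" in findings and core <= perms:
        verdict = "high"
    elif score >= 3:
        verdict = "medium"
    else:
        verdict = "low"
    return {"package": root.get("package"), "score": score,
            "findings": findings, "verdict": verdict}


# Constructed sample manifests (not real apps): a plain browser and a lookalike
# that asks for the capability set described in the article.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainbrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".Main"/></application>
</manifest>"""

SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    for m in (BENIGN_MANIFEST, SUSPICIOUS_MANIFEST):
        print(triage_manifest(m))
```

The score is deliberately additive so that an app with only one of these permissions (a legitimate SMS client, for instance) lands in the “medium” bucket, while the full Accessibility + SMS + contacts set is escalated on the combination itself. On a real APK, run the script against the manifest decoded by `apktool` or `aapt dump xmltree`, not the binary manifest inside the archive.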
Growing Threat
The Medusa trojan is becoming stealthier and more widespread, setting the stage for larger deployments and higher victim counts. Though Cleafy hasn’t spotted these dropper apps on Google Play yet, the growing number of cybercriminals joining this MaaS operation means their distribution methods will likely become more sophisticated.
Stay vigilant, keep your devices updated, and avoid downloading suspicious apps to protect yourself from these evolving threats.