Friday, September 20, 2024

Medusa Banking Trojan Returns to Android Users in These Countries

by Jeffrey Beilley

Medusa, an Android banking Trojan first identified in 2020, has reportedly returned with several upgrades that make it more dangerous. The new variant is also said to target more regions than the original. A cybersecurity firm has observed active campaigns in Canada, France, Italy, Spain, Turkey, the UK, and the US. Medusa targets Google's Android operating system, putting smartphone owners at risk. Like other banking Trojans, it goes after the banking apps on the device and can carry out fraud directly from the compromised phone.

New variants of Medusa banking trojan discovered

Cybersecurity company Cleafy reports that new fraud campaigns involving the Medusa banking trojan were spotted in May, after the malware had flown under the radar for almost a year. Medusa, also tracked as TangleBot, is an Android malware that infects a device and gives attackers wide-ranging control over it. Malware of this kind can be used to steal personal information and spy on people, but Medusa, as a banking trojan, primarily attacks banking apps and steals money from victims.

The original version of Medusa came with powerful capabilities. It had remote access trojan (RAT) functionality that gave the attacker screen control and the ability to read and write text messages, and it included a keylogger. According to the company, that combination let it carry out one of the most dangerous fraud scenarios: on-device fraud, in which fraudulent transactions are initiated from the victim's own phone and therefore look like legitimate activity from a known device.

However, the new variant is said to be even more dangerous. The firm found that 17 commands present in the older malware have been removed from the latest version. This reduces the permissions the app has to request, so the installation raises less suspicion. Another upgrade is a full-screen black overlay that makes the user believe the device is locked or switched off while the Trojan carries out its activity underneath.

Threat actors are also reportedly using new delivery mechanisms. Previously, Medusa was distributed through links sent over SMS. Now, dropper apps (apps that look legitimate but deploy the malware once installed) are used to install Medusa under the guise of an update. The report notes, however, that the malware authors have not managed to get Medusa onto the Google Play Store.

Once installed, the app repeatedly prompts the user to enable Accessibility Services. With that permission granted it can capture keystrokes and screen content along with sensor data. The collected data is compressed and exfiltrated to a command-and-control (C2) server over an encrypted connection. Once enough information has been gathered, the threat actor uses the remote-access capability to take control of the device and commit financial fraud.
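As an added example (not code from Cleafy or from this article), the following Python script performs the triage check a responder would run on a handset suspected of carrying a Medusa-style trojan: it parses the device's `enabled_accessibility_services` secure setting and the recorded installer of each package, both of which can be collected with `adb`, and flags every enabled accessibility service that belongs to an app not installed from the Play Store. The two sample `adb` outputs, the allowlist of known-good services and the set of trusted installers are constructed assumptions for the example.

```python
"""Triage check for accessibility-service abuse on an Android device.

Added example, not code from Cleafy or from the article. It parses the
output of two commands a responder can run against a connected device:

  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -i

and reports every enabled accessibility service whose package was not
installed by a trusted installer (by default only the Google Play Store).
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed policy: only the Play Store (com.android.vending) is trusted.
# Sideloaded apps show installer=null; apps dropped by another app show
# that app's package name. Neither will match this set.
TRUSTED_INSTALLERS = frozenset({"com.android.vending"})

# Assumed allowlist of accessibility services that are legitimately enabled
# (TalkBack here). Extend it for the fleet you are investigating.
KNOWN_GOOD_PACKAGES = frozenset({"com.google.android.marvin.talkback"})


@dataclass(frozen=True)
class Finding:
    package: str
    service: str
    installer: str


def parse_enabled_services(raw: str) -> list[tuple[str, str]]:
    """Parse the enabled_accessibility_services setting.

    The value is a colon-separated list of ComponentName strings in the form
    package/service. The service part may be abbreviated as '.Name', meaning
    it lives in the package's own namespace. 'null' or '' means none enabled.
    """
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    pairs = []
    for entry in raw.split(":"):
        if "/" not in entry:
            continue
        pkg, svc = entry.split("/", 1)
        if svc.startswith("."):
            svc = pkg + svc
        pairs.append((pkg, svc))
    return pairs


def parse_installers(raw: str) -> dict[str, str]:
    """Parse `pm list packages -i` output into {package: installer}.

    Lines look like 'package:com.foo.bar  installer=com.android.vending';
    the installer is the literal 'null' for packages installed via adb or
    a generic sideload.
    """
    installers: dict[str, str] = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        body = line[len("package:"):]
        pkg, _, rest = body.partition("installer=")
        installers[pkg.strip()] = rest.strip() or "null"
    return installers


def audit_accessibility_services(
    enabled_raw: str,
    installers_raw: str,
    trusted_installers: frozenset[str] = TRUSTED_INSTALLERS,
    known_good: frozenset[str] = KNOWN_GOOD_PACKAGES,
) -> list[Finding]:
    """Return every enabled accessibility service from an untrusted installer."""
    installers = parse_installers(installers_raw)
    findings = []
    for pkg, svc in parse_enabled_services(enabled_raw):
        if pkg in known_good:
            continue
        installer = installers.get(pkg, "unknown")
        if installer not in trusted_installers:
            findings.append(Finding(pkg, svc, installer))
    return findings


# Constructed sample output: TalkBack and a Play-installed app are enabled
# legitimately; "com.chrome.update" mimics a dropper's fake update app that
# was sideloaded (installer=null) and has grabbed an accessibility service.
SAMPLE_ENABLED = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.chrome.update/.AccessService:"
    "com.example.legit/com.example.legit.Helper"
)
SAMPLE_INSTALLERS = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.legit  installer=com.android.vending
package:com.chrome.update  installer=null
package:com.android.chrome  installer=com.android.vending
"""

if __name__ == "__main__":
    for f in audit_accessibility_services(SAMPLE_ENABLED, SAMPLE_INSTALLERS):
        print(f"SUSPECT accessibility service {f.service} "
              f"(package {f.package}, installer={f.installer})")
```

Because Medusa arrives through sideloaded droppers rather than the Play Store, the installer attribution is the useful signal: a malicious app can call itself anything, but the installer recorded by the package manager is set by the system at install time, not by the app. A package that is enabled as an accessibility service and shows `installer=null` or another app's package name deserves a closer look.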

Android users are advised not to open links sent via SMS, messaging apps, or social media by unknown senders. They should also be wary of installing apps from untrusted sources, and in particular of any app that asks them to enable Accessibility Services or to sideload an "update", and should prefer the Google Play Store for installing and updating apps.
