Medusa Banking Trojan Makes Comeback With Upgrades Targeting Android Devices in Seven Countries




Medusa, a banking Trojan first identified in 2020, is back with several updates that make it more dangerous. The new variant is also reported to target more regions than the original. Cybersecurity firm Cleafy has observed the Trojan active in Canada, France, Italy, Spain, Turkey, the UK and the US. Medusa targets Google's Android operating system, putting smartphone owners at risk. Like other banking Trojans, it goes after the banking apps on the device and can carry out on-device fraud (ODF), initiating fraudulent transactions directly from the victim's own, already-authenticated phone.

New variants of the Medusa banking Trojan have been discovered

Cybersecurity firm Cleafy reports that new fraud campaigns involving the Medusa banking Trojan were detected in May, after the malware had stayed under the radar for nearly a year. Medusa, also tracked as TangleBot, is Android malware that infects a device and gives attackers wide-ranging control over it. Although such malware can be used to steal personal information and spy on people, Medusa, being a banking Trojan, mainly targets banking applications and steals money from victims.

The original version of Medusa was already equipped with powerful capabilities. It had Remote Access Trojan (RAT) functionality that gave the attacker control of the screen and the ability to read and write SMS messages, which also lets it intercept SMS-delivered one-time passcodes, and it included a keylogger. According to the company, that combination allowed it to perform one of the most dangerous fraud scenarios: on-device fraud, where the attacker initiates transactions from the victim's own device rather than from an unfamiliar one that the bank's risk checks would flag.

The new variant, however, is said to be even more dangerous. Cleafy found that 17 commands present in the old malware were removed from the latest version. This was done to cut down the permissions the app has to request (those declared in its manifest), so the package arouses less suspicion from users and security tooling. Another update is a full-screen black overlay that the Trojan can draw over the display, making the victim think the device is locked or switched off while the malware carries out its activity underneath.

Threat actors are also using new delivery mechanisms. Earlier campaigns spread Medusa through links sent by SMS (smishing). Now dropper apps, which look legitimate but fetch and install the malware once they are running, are used to deploy Medusa under the guise of an update. The report found no sign, however, of Medusa being distributed through the Google Play Store.

After installation, the app shows prompts asking the user to enable Android's accessibility services for it. That permission is what lets the malware observe screen content and keystrokes, collect sensor and device data, and draw its overlays. Collected data is compressed and exfiltrated over an encrypted channel to a command-and-control (C2) server. Once enough information has been gathered, the operator uses the remote-access capability to take control of the device and commit financial fraud.
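Because accessibility access is the pivot point for the keylogging and overlay behaviour described above, a quick triage check on a suspect device is to list which packages currently hold it. The helper below is an added example written for this page, not code from the article or from Cleafy; it parses the output of `adb shell settings get secure enabled_accessibility_services`, which Android returns as colon-separated `package/service` entries (or `null` when none are enabled), and flags any package that is not on an allowlist. The allowlist contents and the sample device output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added triage helper (not from the article or Cleafy's report): flag Android
# accessibility services enabled for packages that are not on a known-good list.
# On a live device the input is produced by:
#   adb shell settings get secure enabled_accessibility_services
# which prints colon-separated "package/service" entries, or "null" if none.

# Packages expected to hold accessibility access (assumption: tune per fleet).
ALLOWED_PKGS="com.google.android.marvin.talkback com.android.settings"

# flag_accessibility_services "<settings output>"
# Prints one suspicious package per line; returns 1 if any were found, else 0.
flag_accessibility_services() {
    raw=$1
    found=0
    if [ "$raw" = "null" ] || [ -z "$raw" ]; then
        return 0
    fi
    old_ifs=$IFS
    IFS=':'
    for entry in $raw; do
        pkg=${entry%%/*}            # strip "/ServiceClass" to get the package
        ok=0
        # case matching does not depend on IFS, so the space-separated
        # allowlist can be checked while IFS is still ':'
        case " $ALLOWED_PKGS " in
            *" $pkg "*) ok=1 ;;
        esac
        if [ "$ok" -eq 0 ]; then
            echo "$pkg"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}

# Constructed sample: TalkBack (legitimate) plus a dropper-style "update" app
# that has talked the user into granting it accessibility access.
SAMPLE="com.google.android.marvin.talkback/.TalkBackService:com.update.installer/.AccService"

flag_accessibility_services "$SAMPLE" \
    || echo "review the packages above: unexpected accessibility access"
```

On a real device, pipe the live value in with `flag_accessibility_services "$(adb shell settings get secure enabled_accessibility_services)"`; any package printed should be inspected (and, if unknown, uninstalled) before the device is trusted for banking again.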

Android users are advised not to open URLs sent by SMS, messaging apps or social media from unknown senders. They should also be cautious when installing apps from untrusted sources, or simply stick to the Google Play Store to download and update apps. They should never grant accessibility access to an app that has no accessibility purpose, such as a supposed update installer; which apps currently hold that access can be reviewed in the device's Accessibility settings.



