Medusa Banking Trojan Resurfaces, Targets Android Users in Multiple Countries



After a year of keeping a low profile, a new wave of Medusa banking trojan infections has emerged, targeting users in seven countries: the United States, United Kingdom, Canada, France, Italy, Spain, and Turkey.

The latest Medusa variants are even more dangerous and capable of initiating transactions directly on compromised Android devices. Learn more about this malware and what you can do to stay safe below!

Understanding Medusa’s Latest Tactics

Discovered in 2020, the Medusa banking trojan (also called TangleBot) is sold as malware-as-a-service on the dark web and provides capabilities such as SMS manipulation, screen control, and keylogging.

The threat intelligence team at Cleafy recently identified new Medusa variants that are lighter and request fewer device permissions, which makes them less conspicuous at install time, while adding features such as screenshot capture and full-screen overlays.

Recent Exploits and Campaigns

The latest variants of the Medusa malware were first spotted by researchers in July 2023, according to Cleafy. They are spread through SMS phishing (smishing) that lures victims into installing dropper apps carrying the malware.

The team identified 24 campaigns leveraging this malware, traced back to five different botnets named UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY, responsible for distributing these harmful apps.

Among the dropper apps used in these attacks were a counterfeit Chrome browser, a 5G connectivity app, and a fake streaming service called 4K Sports. With the UEFA Euro 2024 championship currently taking place, using the 4K Sports app as a lure seems particularly calculated.

Cleafy notes that all these campaigns and botnets are managed through Medusa's central system, which retrieves the command and control (C2) server URLs from public social media profiles. Because the installed malware only knows where to look rather than the C2 address itself, operators can rotate C2 infrastructure simply by editing a profile, without pushing an update to infected devices.
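To make the social media dead-drop mechanism concrete, here is an added illustration (not code from the page, from Cleafy, or from the malware itself) of how a resolver of this kind works. The profile page, its "bio" element and the base64 encoding of the URL are assumptions for the example; the page does not say which sites Medusa reads or how the address is encoded there.

```python
import base64
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of a public profile page used as a dead drop. The real
# profiles Medusa reads, and how the URL is encoded there, are not described
# on this page; the "bio" element and base64 encoding are assumptions.
SAMPLE_PROFILE_HTML = """
<html><body>
<div class="bio">Football fan. 4K streams daily!
  #4ksports aHR0cHM6Ly9jMi1leGFtcGxlLmludmFsaWQvZ2F0ZQ== </div>
</body></html>
"""

BIO_RE = re.compile(r'<div class="bio">(.*?)</div>', re.S)
# A run of base64 alphabet characters long enough to hold a URL.
B64_TOKEN_RE = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def resolve_c2_from_profile(html: str) -> Optional[str]:
    """Dead-drop resolver: pull the C2 URL out of a profile page.

    The malware never carries the C2 address itself; it fetches a profile
    on a legitimate site, decodes the hidden token and uses the result.
    Returns None when no token decodes to an http(s) URL.
    """
    match = BIO_RE.search(html)
    if not match:
        return None
    for token in B64_TOKEN_RE.findall(match.group(1)):
        try:
            candidate = base64.b64decode(token, validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):
            continue  # ordinary words or non-URL data; keep looking
        parsed = urlparse(candidate)
        if parsed.scheme in ("http", "https") and parsed.netloc:
            return candidate
    return None


def publish_c2(bio_text: str, c2_url: str) -> str:
    """Operator side: rotating the C2 is just editing the profile text.

    Every already-installed sample follows the new address on its next
    lookup, which is why blocking one C2 host does not break the botnet.
    """
    token = base64.b64encode(c2_url.encode("utf-8")).decode("ascii")
    return f'<div class="bio">{bio_text} {token}</div>'


if __name__ == "__main__":
    print(resolve_c2_from_profile(SAMPLE_PROFILE_HTML))
    rotated = publish_c2("Football fan", "https://rotated.invalid/gate")
    print(resolve_c2_from_profile(rotated))
```

For defenders the takeaway is that the first outbound connection of an infected app goes to a legitimate, high-reputation social media host; the actual C2 only appears afterwards, so domain reputation alone will not flag the lookup.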

Technical Evolution of Medusa

Cleafy’s research reveals that the creators of the malware removed 17 commands from its earlier iteration and introduced five new ones:

Command        Description
destroyo       Uninstalls a specific app
permdrawover   Requests the "display over other apps" permission (SYSTEM_ALERT_WINDOW)
setoverlay     Applies a black screen overlay
take_scr       Captures a screenshot
update_sec     Updates the user secret

The 'setoverlay' command is particularly significant because it lets remote attackers cover the screen with a black overlay, making the device appear locked or switched off while malicious activity, including the on-device fraudulent transactions mentioned above, runs undetected underneath.

Additionally, the newly added screenshot capture is notable because it gives attackers another way to harvest sensitive information from compromised devices: whatever is on screen, including content a keylogger would not see.
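The capabilities described above (SMS manipulation, draw-over overlays, accessibility-based screen control, and dropper-style installation) each leave a trace in an app's manifest. The following is an added triage script, not code from the page or from Cleafy, that flags that combination in an AndroidManifest.xml. The two sample manifests, the package names, and the risk buckets are constructed for this example; the permission and service names are the real Android identifiers.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Set

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Manifest permissions that map onto the capabilities the article attributes
# to Medusa. The grouping is this example's own, not an Android concept.
PERMISSION_BUCKETS: Dict[str, Set[str]] = {
    "sms_manipulation": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    # "Display over other apps": what permdrawover asks for, what setoverlay uses.
    "draw_over_apps": {"android.permission.SYSTEM_ALERT_WINDOW"},
    # A dropper needs this to install the payload APK it carries.
    "sideload_installer": {"android.permission.REQUEST_INSTALL_PACKAGES"},
}
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> Dict[str, List[str]]:
    """Return the risky capability buckets an AndroidManifest.xml declares."""
    root = ET.fromstring(manifest_xml)
    declared = {e.get(A_NAME) for e in root.iter("uses-permission")}
    findings: Dict[str, List[str]] = {}
    for bucket, wanted in PERMISSION_BUCKETS.items():
        hits = sorted(declared & wanted)
        if hits:
            findings[bucket] = hits
    # Screen control and keylogging come from an accessibility service, which
    # is declared as a <service> guarded by BIND_ACCESSIBILITY_SERVICE rather
    # than as a <uses-permission>, so a permission-only check would miss it.
    a11y = [s.get(A_NAME) for s in root.iter("service")
            if s.get(A_PERMISSION) == BIND_ACCESSIBILITY]
    if a11y:
        findings["accessibility_service"] = a11y
    return findings


def risk_level(findings: Dict[str, List[str]]) -> str:
    """Overlay + accessibility + SMS together is the banking-trojan pattern."""
    triad = {"draw_over_apps", "accessibility_service", "sms_manipulation"}
    present = triad & set(findings)
    if present == triad:
        return "high"
    if len(present) >= 2 or (present and "sideload_installer" in findings):
        return "medium"
    return "low"


# Constructed sample: permission pattern of a trojan matching the article's
# description. The package name is made up for this example.
TROJAN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakechrome">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <application>
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

# Constructed sample: a harmless app with one unrelated permission.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.flashlight">
    <uses-permission android:name="android.permission.CAMERA"/>
    <application/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("trojan", TROJAN_MANIFEST), ("benign", BENIGN_MANIFEST)):
        found = triage_manifest(manifest)
        print(label, risk_level(found), found)
```

The manifest inside a built APK is binary XML, so decode it to plaintext first (for example with apktool) before feeding it to this script. Note also that the new variants' "fewer permissions" means a short permission list is not reassuring on its own; it is the combination of overlay, accessibility and SMS access that matters.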

Final Word

The Medusa banking trojan commonly spreads via dropper apps, so it is important to exercise caution when installing new apps on your smartphone. Be especially wary of any app that asks to display over other apps or requests Accessibility Service access; those are the permissions behind Medusa's overlays and screen control, and a browser or streaming app has no need for them.

Choose reliable sources like the Google Play Store, Amazon Appstore, and the Samsung Galaxy Store to avoid malware risks associated with sideloading apps. 

Additionally, make sure to enable Google Play Protect on your Android device to continuously scan all apps for any malware.

By Anas Hasan, June 26, 2024

Anas Hassan is a tech geek and cybersecurity enthusiast. He has a vast experience in the field of digital transformation industry. When Anas isn’t blogging, he watches the football games.
