Medusa Trojan Targets Banking Users in 7 Countries

Cybersecurity researchers have identified an updated version of the Medusa Android banking trojan that targets users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. The new wave of attacks was spotted in May 2024 but appears to have been active since July 2023, and involves five different botnets run by various affiliates.

The updated Medusa trojan has a streamlined permission set and new features, including the ability to display full-screen overlays and remotely uninstall applications. Medusa, also known as TangleBot, is a sophisticated Android malware that first emerged in July 2020, targeting financial institutions in Turkey.

It can read SMS messages, log keystrokes, capture screenshots, record calls, share the device screen in real-time, and conduct unauthorized fund transfers using overlay attacks to steal banking credentials.

In February 2022, ThreatFabric found that Medusa was being spread through tactics similar to those used by FluBot (also known as Cabassous), by disguising the malware as innocuous package delivery and utility apps. The attackers behind Medusa are suspected to be from Turkey.

Recent analysis highlights not only enhancements to the malware but also the use of dropper apps to distribute Medusa under the guise of fake updates. Additionally, legitimate services like Telegram and X are being used to retrieve the command-and-control (C2) server for data exfiltration.

A significant change in the new version is the reduction in requested permissions, likely to decrease the chances of detection. However, it still requires access to Android’s accessibility services API, which it uses to stealthily enable other permissions and avoid raising user suspicion.

Another update includes the ability to set a black screen overlay on the victim’s device, creating the illusion that the device is locked or powered off, allowing the malware to operate covertly.

Medusa botnet clusters typically spread the malware through phishing, but newer campaigns have been using dropper apps from untrusted sources, showing an evolution in their tactics. “Minimizing the required permissions helps the malware evade detection, making it appear more benign and allowing it to operate undetected for longer periods,” the researchers noted.

The malware is expanding to new regions, such as Italy and France, indicating a strategic effort to diversify its targets and expand its reach.

This development comes as fake Chrome browser updates for Android are being used to deliver the Cerberus banking trojan. Similarly, bogus Telegram apps from fake websites (“telegroms[.]icu”) have been distributing another Android malware called SpyMax.

Once installed, the app prompts users to enable accessibility services, allowing it to capture keystrokes, precise locations, and even the speed of the device. The collected information is then compressed and sent to an encoded C2 server. SpyMax is a remote administration tool (RAT) capable of gathering personal information from the infected device without the user’s consent and sending it to a remote threat actor.

To prevent infections from the Medusa Android banking trojan, users should only download apps from official app stores and avoid installing software from unknown sources. Additionally, users should be wary of granting extensive permissions to apps, especially accessibility services, and regularly review app permissions.
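Reviewing permissions by hand does not scale past a single phone, so the check above is easier to run as a script over data pulled with adb. The following is an added example, not code from the article or from the researchers it cites. It parses text in the shape of `adb shell dumpsys package` output together with the value of `adb shell settings get secure enabled_accessibility_services`, and flags apps that combine side-loading, the overlay/install/delete/SMS permissions described in the article, and an enabled accessibility service. The package names and hash values in the sample input are constructed placeholders.

```python
"""Triage Android apps for the permission profile the article attributes to Medusa.

Added example, not from the article or any vendor. Input is text shaped like
`adb shell dumpsys package` output plus the enabled_accessibility_services
secure setting; the sample below is constructed (com.example.* are placeholders).
"""
import re

# Real Android permission names, mapped to the behaviour the article describes.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draws over other apps (full-screen / black-screen overlay)",
    "android.permission.REQUEST_INSTALL_PACKAGES": "can side-load further APKs (dropper behaviour)",
    "android.permission.REQUEST_DELETE_PACKAGES": "can trigger app uninstalls",
    "android.permission.READ_SMS": "reads SMS (one-time codes)",
    "android.permission.RECEIVE_SMS": "intercepts incoming SMS",
}
# Installer package of the official store; anything else is treated as side-loaded.
TRUSTED_INSTALLERS = {"com.android.vending"}

PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")
INSTALLER_RE = re.compile(r"installerPackageName=([\w.]+)")


def parse_dumpsys(text):
    """Return {package: {"installer": str|None, "perms": set}} from dumpsys-style text."""
    apps, current, collecting = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        m = PKG_RE.match(raw)
        if m:
            current = m.group(1)
            apps[current] = {"installer": None, "perms": set()}
            collecting = False
            continue
        if current is None:
            continue
        im = INSTALLER_RE.search(line)
        if im:  # "null" means no recorded installer, i.e. side-loaded
            apps[current]["installer"] = None if im.group(1) == "null" else im.group(1)
        if line.endswith("permissions:"):
            # requested/install/runtime blocks list android.permission.* names;
            # the "declared permissions:" block holds the app's own custom ones, so skip it.
            collecting = line.split()[0] in {"requested", "install", "runtime"}
            continue
        if collecting and line.startswith("android.permission."):
            apps[current]["perms"].add(line.split(":")[0])
    return apps


def parse_enabled_accessibility(value):
    """Packages with an enabled accessibility service, from 'pkg/svc:pkg2/svc2' (or 'null')."""
    if not value or value.strip() == "null":
        return set()
    return {entry.split("/")[0] for entry in value.strip().split(":") if entry}


def triage(apps, accessibility_pkgs):
    """Return {package: [reasons]} for apps matching the trojan's profile.

    An enabled accessibility service alone is not flagged (screen readers need it);
    it is flagged together with side-loading or a risky permission, and a side-loaded
    app is flagged on its own when it holds two or more risky permissions.
    """
    findings = {}
    for pkg, info in apps.items():
        reasons = [RISKY_PERMISSIONS[p] for p in sorted(info["perms"]) if p in RISKY_PERMISSIONS]
        risky_count = len(reasons)
        sideloaded = info["installer"] not in TRUSTED_INSTALLERS
        a11y = pkg in accessibility_pkgs
        if sideloaded:
            reasons.append("not installed from the official store (installer=%s)" % info["installer"])
        if a11y:
            reasons.append("accessibility service enabled")
        if (a11y and (sideloaded or risky_count > 0)) or (sideloaded and risky_count >= 2):
            findings[pkg] = reasons
    return findings


# Constructed sample input in the shape of `dumpsys package` output (hashes are placeholders).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.fakeupdate] (1a2b3c):
    installerPackageName=null
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.REQUEST_INSTALL_PACKAGES
      android.permission.READ_SMS
    User 0: installed=true
      runtime permissions:
        android.permission.READ_SMS: granted=true
  Package [com.google.android.marvin.talkback] (4d5e6f):
    installerPackageName=com.android.vending
    requested permissions:
      android.permission.INTERNET
"""
SAMPLE_A11Y = ("com.example.fakeupdate/com.example.fakeupdate.AccService:"
               "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService")

if __name__ == "__main__":
    hits = triage(parse_dumpsys(SAMPLE_DUMPSYS), parse_enabled_accessibility(SAMPLE_A11Y))
    for pkg, reasons in hits.items():
        print(pkg)
        for r in reasons:
            print("  -", r)
```

On a real device, feed the script the output of `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services`. The talkback entry in the sample shows the deliberate design choice: an accessibility service alone is normal, and it is the combination with side-loading and overlay/install/SMS permissions that warrants a look.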

Using a reputable mobile security solution to scan for malware, being cautious of phishing attempts, and educating users about the risks associated with downloading untrusted apps are vital measures to protect against such sophisticated threats.