Cyber Defense Advisors

New Medusa Android Trojan Targets Banking Users Across 7 Countries

Cybersecurity researchers have discovered an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S.

The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis published last week.

The new Medusa samples feature a “lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications,” security researchers Simone Mattia and Federico Valentini said.

Medusa, also known as TangleBot, is a sophisticated Android malware first discovered in July 2020 targeting financial entities in Turkey. It comes with capabilities to read SMS messages, log keystrokes, capture screenshots, record calls, share the device screen in real-time, and perform unauthorized fund transfers using overlay attacks to steal banking credentials.

In February 2022, ThreatFabric uncovered Medusa campaigns leveraging similar delivery mechanisms as that of FluBot (aka Cabassous) by masquerading the malware as seemingly harmless package delivery and utility apps. It’s suspected that the threat actors behind the Trojan are from Turkey.

Cleafy’s latest analysis reveals not only improvements to the malware, but also the use of dropper apps to disseminate Medusa under the guise of fake updates. Furthermore, legitimate services like Telegram and X are used as dead drop resolvers to retrieve the command-and-control (C2) server used for data exfiltration.

A notable change is the reduction in the number of permissions sought in an apparent effort to lower the chances of detection. That said, it still requires Android’s accessibility services API, which allows it to stealthily enable other permissions as required and avoid raising user suspicion.

Another modification is the ability to set a black screen overlay on the victim’s device to give the impression that the device is locked or powered off and use it as a cover to carry out malicious activities.

Medusa botnet clusters typically rely on tried-and-tested approaches such as phishing to spread the malware. However, newer waves have been observed propagating it via dropper apps downloaded from untrusted sources, underscoring continued efforts on the part of threat actors to evolve their tactics.

“Minimizing the required permissions evades detection and appears more benign, enhancing its ability to operate undetected for extended periods,” the researchers said. “Geographically, the malware is expanding into new regions, such as Italy and France, indicating a deliberate effort to diversify its victim pool and broaden its attack surface.”

The development comes as Symantec revealed that fictitious Chrome browser updates for Android are being used as a lure to drop the Cerberus banking trojan. Similar campaigns distributing bogus Telegram apps via phony websites (“telegroms[.]icu”) have also been observed distributing another Android malware dubbed SpyMax.

Once installed, the app prompts the user to enable the accessibility services, allowing it to gather keystrokes, precise locations, and even the speed at which the device is moving. The collected information is then compressed and exported to an encoded C2 server.

“SpyMax is a remote administration tool (RAT) that has the capability to gather personal/private information from the infected device without consent from the user and sends the same to a remote threat actor,” K7 Security Labs said. “This enables the threat actors to control victims’ devices that impacts the confidentiality and integrity of the victim’s privacy and data.”

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.