
New Android Trojan “Medusa” targets bank users in seven countries

June 26, 2024 | Newsroom | Android Security / Threat Intelligence


Cybersecurity researchers have discovered an updated version of an Android banking Trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the UK and the US.

According to an analysis published last week by cybersecurity firm Cleafy, the new fraud campaign, observed in May 2024 and active since July 2023, was carried out through five different botnets operated by various affiliates.

Security researchers Simone Mattia and Federico Valentini said the new Medusa samples come with a “lightweight set of permissions and new features, such as the ability to display a full-screen overlay or remotely uninstall applications.”

Medusa (aka TangleBot) is an advanced Android malware that was first discovered in July 2020 targeting financial institutions in Turkey. It has capabilities to steal banking credentials, including reading SMS messages, logging keystrokes, capturing screenshots, recording phone calls, sharing the device screen in real time, and performing fraudulent fund transfers through overlay attacks.


In February 2022, ThreatFabric discovered a Medusa campaign leveraging a similar delivery mechanism to FluBot (aka Cabassous) by disguising malware in seemingly benign package delivery and utility apps. The threat actor behind this Trojan is suspected to be from Turkey.

Cleafy’s latest analysis reveals that, in addition to improving the malware itself, the operators are also using dropper apps disguised as fake updates to spread Medusa. Additionally, legitimate services such as Telegram and X are being used as dead drop resolvers to obtain the addresses of command-and-control (C2) servers, which are then used for data exfiltration.

A notable change is that the number of permissions requested has been reduced to make detection less likely. Android’s Accessibility Services API is still required, however, since it allows the malware to quietly enable other permissions as needed without arousing user suspicion.


Another change is the ability to place a black screen overlay on the victim’s device, giving the impression that the device is locked or powered off, providing a cover for carrying out malicious activity.

The Medusa botnet cluster typically leverages proven techniques such as phishing to spread its malware; however, a new wave of distribution via dropper apps downloaded from untrusted sources has been observed, highlighting threat actors’ ongoing efforts to evolve their tactics.

“Minimizing the privileges required helps it evade detection, appearing more benign and increasing its ability to operate undetected for long periods of time,” the researchers said. “Geographically, the malware has expanded to new regions such as Italy and France, suggesting a deliberate effort to diversify its victim base and broaden its attack surface.”


This development comes after Symantec revealed that fake Chrome browser updates for Android are being used as decoys to plant the Cerberus banking Trojan. A similar campaign distributing a fake Telegram app via a fake website (“telegroms(.)icu”) has also been spotted distributing another Android malware called SpyMax.

Once installed, the app prompts the user to enable accessibility services, allowing it to collect keystrokes, precise location and even the device’s movement speed, which are then compressed, encoded and exported to the C2 server.

“SpyMax is a remote administration tool (RAT) with the ability to collect personal and private information from infected devices without the user’s consent and transmit it to remote threat actors,” K7 Security Labs said. “This allows threat actors to gain control over the victim’s device, impacting the victim’s privacy and the confidentiality and integrity of their data.”
