In Short:
A dangerous banking trojan called Medusa, first detected in 2020, has returned with new upgrades making it more threatening. This malware targets Android devices in countries like Canada, France, Italy, Spain, Turkey, the UK, and the US. Medusa steals money by attacking banking apps and can now even create a black screen on devices to hide its activities. Users are advised to be cautious of suspicious links and apps.
Medusa banking trojan reemerges with new dangerous upgrades
Reports have surfaced regarding the return of Medusa, a banking trojan first identified in 2020, with several new upgrades that make it even more threatening than before. The new variant of the malware is targeting a wider range of regions compared to the original version, with cybersecurity firm Cleafy detecting its presence in Canada, France, Italy, Spain, Turkey, the UK, and the US. Medusa primarily targets Google’s Android operating system, putting smartphone owners at risk as it attacks banking apps on the device and can carry out on-device fraud.
New variants of Medusa banking trojan discovered
Cleafy’s latest report reveals the discovery of new fraud campaigns involving the Medusa banking trojan, which had gone unnoticed for almost a year. Medusa belongs to the category of TangleBot Android malware, capable of infecting a device and granting attackers extensive control over it. While this type of malware can be used for various malicious activities like stealing personal information and spying, Medusa specifically focuses on attacking banking apps to extract money from victims.
The original version of Medusa boasted powerful features such as remote access trojan (RAT) capability, allowing attackers to control the screen and read or write SMS on the device. Additionally, it included a keylogger, enabling it to carry out on-device fraud by recording sensitive information.
However, the new variant raises concerns with its enhanced capabilities. The cybersecurity firm identified 17 commands present in the older version of the trojan that were removed in the latest iteration, aimed at reducing the permissions required in the bundled file to avoid raising suspicions. An added upgrade is the ability to overlay a black screen on the infected device, deceiving users into thinking the device is either locked or turned off while the trojan executes its malicious activities.
Threat actors are also using new delivery methods to infect devices, moving away from SMS links to deploying dropper apps disguised as legitimate updates that install Medusa upon installation. Despite these efforts, the report emphasizes that the malware has not infiltrated the Google Play store.
Upon installation, the app prompts users to enable accessibility services to collect sensor data and keystrokes, which are then compressed and sent to an encoded C2 server. Once enough data is gathered, threat actors can wield remote access to take control of the device and engage in financial fraud.
Android users are advised to exercise caution by refraining from clicking on unknown URLs shared via SMS, messaging apps, or social media platforms. It is also recommended to avoid downloading apps from untrusted sources and stick to the Google Play store for app downloads and updates to minimize the risk of falling victim to Medusa or similar threats.
