Medusa, a banking Trojan first identified in 2020, is reportedly back with several new upgrades that make it even more dangerous. The new variant of the malware is also said to target more regions than the original version: the cybersecurity firm that analyzed it found the Trojan active in Canada, France, Italy, Spain, Turkey, the UK and the US. Medusa primarily targets Google's Android operating system, putting smartphone owners at risk. Like any banking Trojan, it monitors the banking applications on the device and can even carry out fraud directly from the infected device.
New variants of the Medusa banking trojan discovered
Cybersecurity firm Cleafy reports that new fraud campaigns involving the Medusa banking Trojan were spotted in May, after the malware had stayed under the radar for nearly a year. Medusa is a type of TangleBot, Android malware that infects a device and gives attackers a wide range of control over it. Although it can be used to steal personal information and spy on individuals, Medusa, as a banking Trojan, mainly targets banking applications and steals money from victims.
The original version of Medusa already had powerful capabilities. It included a remote access trojan (RAT) component that gave the attacker control of the screen and the ability to read and write SMS, and it shipped with a keylogger. According to the company, that combination let it carry out one of the most dangerous fraud scenarios: on-device fraud, where the fraudulent transaction is made from the victim's own phone.
The new variant, however, is allegedly even more dangerous. The cybersecurity firm found that 17 commands present in the older malware were removed from the latest Trojan. This reduces the set of permissions the app has to request at install time, so it raises less suspicion. Another upgrade is the ability to draw a black screen over the attacked device, which tricks the user into thinking the device is locked or switched off while the Trojan carries out its malicious activity underneath.
Threat actors are also reportedly using new delivery mechanisms to infect devices. Previously, Medusa spread through links sent by SMS. Now dropper apps (apps that look legitimate but fetch and install the malware once they are on the device) are being used to install Medusa under the guise of updates. The report noted, however, that the malware operators did not manage to distribute Medusa through the Google Play Store.
Once installed, the app shows prompts asking the user to enable accessibility services, which it abuses to collect sensor data and keystrokes. The collected data is compressed and exfiltrated to a command-and-control (C2) server over an encrypted connection. Once enough information has been gathered, the threat actor can use the remote access capability to take control of the device and commit financial fraud.
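The infection chain described above (a sideloaded "update" app that asks for accessibility access, draws over the screen and reads or sends SMS) leaves a recognizable footprint in the device's installed-app inventory. The following Python script is an added example, not code from the article or from Cleafy: it scores a constructed list of installed apps by that permission combination and by whether the app came from the Play Store. The permission strings and the `com.android.vending` installer name are real Android values; the weights, threshold, `InstalledApp` structure and sample package names are assumptions made for this example, and in practice the inventory would be built from `adb shell dumpsys package` output or an MDM export.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Installer package name Android reports for apps installed through the Play Store.
PLAY_STORE_INSTALLER = "com.android.vending"

# Weights are an assumption chosen for this example. The permission names are real
# Android permission strings; the combination mirrors the capabilities described for
# Medusa: overlay ("black screen"), SMS read/write, installing a second package.
PERMISSION_WEIGHTS = {
    "android.permission.SYSTEM_ALERT_WINDOW": 2,       # draw over other apps (overlay)
    "android.permission.READ_SMS": 2,
    "android.permission.SEND_SMS": 2,
    "android.permission.RECEIVE_SMS": 1,
    "android.permission.REQUEST_INSTALL_PACKAGES": 2,  # dropper: can install another APK
}
ACCESSIBILITY_WEIGHT = 3  # an AccessibilityService can read the screen and inject input
SIDELOAD_BONUS = 3        # risky permissions plus a non-Play installer = dropper pattern


@dataclass
class InstalledApp:
    """Minimal inventory record (assumed shape, not an Android API)."""
    package: str
    installer: Optional[str]                      # None = sideloaded (adb, browser, file manager)
    permissions: Set[str] = field(default_factory=set)
    declares_accessibility_service: bool = False  # service guarded by BIND_ACCESSIBILITY_SERVICE


def assess(app: InstalledApp) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one app."""
    score, reasons = 0, []
    for perm, weight in PERMISSION_WEIGHTS.items():
        if perm in app.permissions:
            score += weight
            reasons.append(perm.rsplit(".", 1)[-1])
    if app.declares_accessibility_service:
        score += ACCESSIBILITY_WEIGHT
        reasons.append("accessibility service")
    # Only penalize sideloading when it is paired with a risky capability.
    if score and app.installer != PLAY_STORE_INSTALLER:
        score += SIDELOAD_BONUS
        reasons.append("not installed from Play Store")
    return score, reasons


def triage(apps: List[InstalledApp], threshold: int = 6) -> List[Tuple[str, int, List[str]]]:
    """Return (package, score, reasons) for apps at or above threshold, highest score first."""
    hits = []
    for app in apps:
        score, reasons = assess(app)
        if score >= threshold:
            hits.append((app.package, score, reasons))
    return sorted(hits, key=lambda h: h[1], reverse=True)


# Constructed sample inventory; package names are made up for this example.
SAMPLE_APPS = [
    InstalledApp("com.example.bank", PLAY_STORE_INSTALLER,
                 {"android.permission.INTERNET", "android.permission.USE_BIOMETRIC"}),
    # A legitimate SMS client needs SMS permissions but came from the store: stays below threshold.
    InstalledApp("com.example.smsclient", PLAY_STORE_INSTALLER,
                 {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                  "android.permission.RECEIVE_SMS"}),
    # Sideloaded "update" that asks for accessibility, overlay, SMS and install rights.
    InstalledApp("com.example.systemupdate", None,
                 {"android.permission.SYSTEM_ALERT_WINDOW", "android.permission.READ_SMS",
                  "android.permission.SEND_SMS", "android.permission.REQUEST_INSTALL_PACKAGES"},
                 declares_accessibility_service=True),
    InstalledApp("com.example.launcher", PLAY_STORE_INSTALLER,
                 {"android.permission.SYSTEM_ALERT_WINDOW"}),
]

if __name__ == "__main__":
    for pkg, score, reasons in triage(SAMPLE_APPS):
        print(f"{pkg}: score {score} ({', '.join(reasons)})")
```

Only the sideloaded update app crosses the threshold; the store-installed SMS client scores 5 and the launcher 2. The point of the sideload bonus is that the same permission set is far more suspicious when the app did not come through Play Store review, which is exactly the distribution path the report says the Medusa operators were forced into.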
Android users are advised not to open URLs sent by unknown senders via SMS, messaging apps or social media platforms. They should also be cautious about installing apps from untrusted sources, or simply stick to the Google Play Store for downloading and updating apps.