Medusa Banking Trojan Makes Comeback With Upgrades Targeting Android Devices in Seven Countries

Medusa, a banking trojan that was first identified in 2020, has reportedly returned with several new upgrades that make it more threatening. The new variant of the malware is also said to be targeting more regions than the original version. A cybersecurity firm has detected the trojan active in Canada, France, Italy, Spain, Turkey, the UK, and the US. Medusa primarily attacks Google's Android operating system, putting smartphone owners at risk. Like any banking trojan, it goes after the banking apps on the device and can even perform on-device frauds.

New variants of Medusa banking trojan discovered

Cybersecurity firm Cleafy reports that new fraud campaigns involving the Medusa banking trojan were spotted in May after remaining under the radar for almost a year. Medusa is a type of TangleBot — an Android malware that can infect a device and give the attackers a wide range of control over it. While they can be used for stealing personal information and spying on individuals, Medusa, being a banking trojan, mainly attacks banking apps and steals money from victims.

The original version of Medusa was equipped with powerful capabilities. For instance, it had the remote access trojan (RAT) capability that allowed it to grant the attacker screen controls and the ability to read and write SMS. It also came with a keylogger and the combination allowed it to perform one of the most dangerous fraud scenarios — on-device fraud, according to the firm.

However, the new variant is said to be even more dangerous. The cybersecurity firm found that 17 commands that existed in the older malware were removed in the latest Trojan. This was done to minimise the requirement of permissions in the bundled file, raising less suspicion. Another upgrade is that it can set a black screen overlay on the attacked device, which can make the user think the device is locked or powered off, while the trojan performs its malicious activities.

Threat actors are also reportedly using new delivery mechanisms to infect devices. Earlier, these were spread via SMS links. But now, dropper apps (apps that appear to be legitimate but deploy the malware once installed) are being used to install Medusa under the guise of an update. However, the report highlighted that the malware makers have not been able to deploy Medusa via the Google Play store.

After being installed, the app flashes messages prompting the user to enable accessibility services to collect the sensor data and keystrokes. The data is then compressed and exported to an encoded C2 server. Once enough information has been collected, the threat actor can use remote access to take control of the device and commit financial fraud.

Android users are recommended to not click on URLs shared via SMS, messaging apps, or social media platforms by unknown senders. They should also be cautious while downloading apps from untrusted sources, or simply stick to the Google Play store to download and update apps.