Medusa banking Trojan returns with upgrade, targeting Android devices in seven countries


Medusa, a banking Trojan first identified in 2020, is reportedly back with several upgrades that make it more dangerous, and the new version is said to target more sectors than the original. A cybersecurity firm has observed the Trojan active in Canada, France, Italy, Spain, Turkey, the UK, and the US. Medusa targets Google's Android operating system, putting smartphone owners at risk. Like other banking Trojans, it goes after the banking apps installed on the device and can carry out fraud directly from the victim's handset.

New variant of Medusa banking Trojan discovered

According to a report by cybersecurity firm Cleafy, new fraud campaigns involving the Medusa banking Trojan were spotted in May after the malware had stayed under the radar for nearly a year. Medusa, also known as TangleBot, is an Android malware that infects a device and gives the attacker extensive control over it. Although such malware can also be used to steal personal information and spy on the victim, Medusa, being a banking Trojan, primarily targets banking apps in order to steal money.

The original version of Medusa already had powerful capabilities. It included Remote Access Trojan (RAT) functionality that gave the attacker control of the screen along with the ability to read and write SMS messages, and it shipped with a keylogger. According to the firm, that combination allowed it to carry out one of the most dangerous fraud scenarios: on-device fraud, where the transaction is initiated from the victim's own phone.

The new variant, however, is said to be even more dangerous. The firm found that 17 commands present in the old malware were removed from the latest version, which reduces the permissions the app bundle has to request and so makes it less likely to raise suspicion. Another upgrade is a black-screen overlay: the Trojan can cover the display so the user believes the device is locked or switched off while it performs its malicious activity underneath.

The operators are also reportedly using new delivery mechanisms. Earlier campaigns spread the malware via links sent by SMS; now dropper apps (apps that look legitimate but deploy malware once installed) are used to install Medusa under the guise of an update. The report notes that Medusa has not been observed being distributed through the Google Play Store.

Once installed, the app prompts the user to enable accessibility services, which it then abuses to capture sensor data and keystrokes. The collected data is compressed and sent to the attacker's command-and-control (C2) server. Once enough information has been gathered, the operator can use the remote-access capability to control the device and commit financial fraud.
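The two infection traits described above (a sideloaded "update" app, and an app that talks the user into enabling an accessibility service) are both visible from a USB debugging session. The following script is an added example, not code from the report or from the malware: it parses the output of two standard adb commands, `adb shell settings get secure enabled_accessibility_services` and `adb shell pm list packages -i`, and flags any package that holds an enabled accessibility service but was not installed by the Play Store (installer `com.android.vending`). The adb output embedded below is constructed sample data, and the package name `com.example.fakeupdate` is a placeholder, not an indicator from the report.

```python
"""Triage helper for a suspected Android banking-Trojan infection.

Flags packages that have an accessibility service enabled but were not
installed by the Play Store. Added example; the adb output below is a
constructed sample, not real device output or an indicator from the report.
"""
import re

# Constructed sample of:
#   adb shell settings get secure enabled_accessibility_services
# The value is a colon-separated list of ComponentName strings (package/class).
ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fakeupdate/.svc.AccessSvc"  # hypothetical sideloaded "update" app
)

# Constructed sample of:
#   adb shell pm list packages -i
# Each line is "package:<name>  installer=<installer package or null>".
PM_LIST_I = """\
package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.fakeupdate  installer=null
package:com.bank.mobile  installer=com.android.vending
"""

# Installers we consider trustworthy; com.android.vending is the Play Store.
TRUSTED_INSTALLERS = {"com.android.vending"}


def parse_a11y(value):
    """Return the set of package names that have an enabled accessibility service."""
    pkgs = set()
    for comp in value.split(":"):
        comp = comp.strip()
        if comp:
            pkgs.add(comp.split("/", 1)[0])  # keep the package part of package/class
    return pkgs


def parse_installers(text):
    """Map package name -> installer package name (None when sideloaded or unknown)."""
    out = {}
    for m in re.finditer(r"^package:(\S+)\s+installer=(\S+)", text, re.M):
        pkg, inst = m.group(1), m.group(2)
        out[pkg] = None if inst == "null" else inst
    return out


def suspicious_a11y_apps(a11y_value, pm_output, trusted=TRUSTED_INSTALLERS):
    """Return [(package, installer)] for packages with an enabled accessibility
    service whose installer is not in the trusted set. A package missing from
    the pm listing is treated as unknown (installer None) and is flagged too."""
    installers = parse_installers(pm_output)
    flagged = []
    for pkg in sorted(parse_a11y(a11y_value)):
        inst = installers.get(pkg)
        if inst not in trusted:
            flagged.append((pkg, inst))
    return flagged


if __name__ == "__main__":
    hits = suspicious_a11y_apps(ENABLED_A11Y, PM_LIST_I)
    if not hits:
        print("No non-Play apps hold an enabled accessibility service.")
    for pkg, inst in hits:
        print(f"REVIEW: {pkg} has an enabled accessibility service; installer={inst}")
```

On a real device you would capture the two command outputs with adb and feed them in place of the constructed samples. The check is a triage signal, not proof of infection: legitimate sideloaded apps can use accessibility services, and a Play-installed dropper would pass it, so anything flagged should be inspected (for example, by pulling the APK and reviewing its requested permissions) rather than treated as confirmed malware.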

Android users are advised not to open URLs sent by unknown senders via SMS, messaging apps, or social media, and to be cautious about installing apps from untrusted sources, in particular anything that presents itself as an "update" for an app already on the phone. Sticking to the Google Play Store for installing and updating apps, and refusing accessibility-service prompts from apps that have no plausible need for them, removes the delivery path this campaign relies on.
