
Android FluBot Infrastructure Used to Distribute Medusa Malware


Security researchers are warning that the established infrastructure of the infamous Android FluBot malware is being used to distribute a malicious payload going under the name "Medusa".

A team with Dutch mobile security company ThreatFabric recently revealed that bad actors are using FluBot's existing phishing SMS infrastructure to spread a new strain of Android malware known as Medusa. The campaign spreading Medusa is running alongside ongoing attempts to spread FluBot.

FluBot - Old Dog, New Tricks

FluBot is distributed mainly by phishing, but over SMS rather than email, since the malware targets Android mobile users. The SMS messages use a simple bait: a fake "you missed your courier delivery" notification that tries to get the user to tap the link it contains.

FluBot has a scary range of capabilities, ranging from turning the victim device into a bot and adding it to the existing network of zombie devices, to stealing banking information and various login credentials from the compromised device. Once deployed, the FluBot malware also spams the fake malicious SMS to all contacts found on the original victim's phone, in an attempt to propagate the infection further and faster.

ThreatFabric found that Medusa was being distributed using the same app and package names as FluBot. Settling into an established and tested delivery infrastructure allowed the new malware to infect around 1,500 phones that received the usual fake "missed DHL delivery" message.

Medusa has been spotted infecting victims in North America and Europe, with cases in Canada, the US, and Turkey. Initially, the malware targeted Turkish financial institutions and organizations, but it later moved on to Western targets, going after far larger populations and quickly racking up infections as a result.

Medusa and FluBot Improving

Medusa, similar to FluBot, is at its heart a mobile banking Trojan that also has spying capabilities. The malware abuses Android's Accessibility Service to set the value of any text box to whatever string the malware authors want. This means that the interface box containing the account of a bank transfer recipient could be easily switched to the account held by the hackers and the sender will be none the wiser.
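One defensive measure against the Accessibility Service abuse described above is for a banking app to audit which accessibility services are enabled before it shows a transfer confirmation screen. The following Java snippet is an added example, not code from the article or from ThreatFabric; the `TRUSTED` allow-list of service package names is a hypothetical value the app's operators would maintain themselves.

```java
import android.accessibilityservice.AccessibilityServiceInfo;
import android.content.Context;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public final class AccessibilityAudit {
    // Hypothetical allow-list of accessibility services the app trusts
    // (constructed for this example; a real app would maintain its own).
    private static final List<String> TRUSTED =
        Arrays.asList("com.google.android.marvin.talkback");

    /**
     * Returns the ids ("package/class") of every enabled accessibility
     * service whose package is not on the allow-list. A non-empty result
     * means some other app can read and rewrite text fields on screen,
     * which is the capability the Medusa/FluBot payload abuses.
     */
    public static List<String> untrustedServices(Context ctx) {
        List<String> suspicious = new ArrayList<>();
        AccessibilityManager am =
            (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        if (am == null) {
            return suspicious;
        }
        List<AccessibilityServiceInfo> enabled =
            am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK);
        for (AccessibilityServiceInfo info : enabled) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!TRUSTED.contains(pkg)) {
                suspicious.add(info.getId());
            }
        }
        return suspicious;
    }

    /**
     * Policy hook for the transfer screen: rather than blocking (which would
     * lock out genuine assistive-technology users), require the recipient
     * account to be confirmed through a second channel when an unknown
     * service is active.
     */
    public static boolean requireOutOfBandConfirmation(Context ctx) {
        return !untrustedServices(ctx).isEmpty();
    }
}
```

Because the Accessibility API can legitimately be used by screen readers, the check is best used to raise the bar (out-of-band confirmation, logging for the fraud team) rather than to refuse service outright.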

Even though Medusa is being distributed through FluBot's established infrastructure, FluBot is evolving as well. A recent update added functionality that allows the malware to hijack the replies to push notifications. This extra layer of malicious capabilities can allow the malware to prevent the proper use of MFA on the victim device.
