
Medusa Mobile Malware

The Medusa banking Trojan has resurfaced after nearly a year of maintaining a lower profile, targeting countries including France, Italy, the United States, Canada, Spain, the United Kingdom and Turkey. This renewed activity, monitored since May, involves streamlined variants requiring fewer permissions and introducing new functionalities aimed at initiating transactions directly from compromised devices.

Also referred to as TangleBot, the Medusa banking Trojan is an Android Malware-as-a-Service (MaaS) discovered in 2020. This malware offers capabilities such as keylogging, screen manipulation and SMS control. Despite sharing the same name, this operation is distinct from the ransomware group and the Mirai-based botnet known for Distributed Denial-of-Service (DDoS) attacks.

Threatening Campaigns Deploying the Medusa Mobile Malware

The first sightings of the latest Medusa variants date back to July 2023, when researchers observed them in campaigns leveraging SMS phishing ('smishing') to distribute malware through dropper applications. A total of 24 campaigns employing these variants have been identified, linked to five distinct botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE and TONY), each responsible for delivering harmful applications.

The UNKN botnet is operated by a specific group of threat actors focused on targeting European countries, particularly France, Italy, Spain and the UK. Recent dropper applications used in these attacks include:

  • A counterfeit Chrome browser.
  • A purported 5G connectivity application.
  • A fake streaming application named 4K Sports.

The choice of the 4K Sports application as bait coincides with the ongoing UEFA EURO 2024 championship, making it a timely lure.

Experts note that all these campaigns and botnets are managed through Medusa's central infrastructure, which dynamically retrieves Command-and-Control (C2) server URLs from publicly accessible social media profiles.

New Modifications in the Medusa Malware Versions

The creators of the Medusa malware have opted to reduce its footprint on compromised devices by cutting the number of permissions it requests, though it still requires Android's Accessibility Services. Despite this reduction, the malware retains its ability to access the victim's contact list and send SMS messages, which remains a critical method for its distribution.

Analysis reveals that the malware authors have eliminated 17 commands from its previous iteration while introducing five new ones:

  • Destroyo: uninstall a specific application
  • Permdrawover: request 'Drawing Over' permission
  • Setoverlay: apply a black screen overlay
  • Take_scr: capture a screenshot
  • Update_sec: update user secret

Of particular concern is the 'setoverlay' command, which enables remote attackers to execute deceptive maneuvers such as displaying a locked or powered-off screen to obscure threatening activities like unauthorized fund transfers occurring in the background.
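The permission set described above (Accessibility Services, contacts, SMS, and the 'Drawing Over' permission requested by Permdrawover and used by setoverlay) is a useful triage signal for analysts looking at suspect dropper APKs. The following is an added example, not code from the original article or from any vendor tool: it parses an AndroidManifest.xml and flags that combination. The manifest, the package name and the scoring weights are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Signals matching the capabilities attributed to the streamlined variants.
# Weights are an assumption for triage, not values from the article.
SIGNALS = {
    "android.permission.SEND_SMS": 2,           # SMS control / smishing spread
    "android.permission.READ_CONTACTS": 1,      # victim contact list
    "android.permission.SYSTEM_ALERT_WINDOW": 2,  # 'Drawing Over' (overlays)
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def triage_manifest(manifest_xml: str) -> dict:
    """Return the risk signals found in one manifest and a simple score."""
    root = ET.fromstring(manifest_xml)
    found, score = [], 0
    for perm in root.iter("uses-permission"):
        name = perm.get(ANDROID_NS + "name")
        if name in SIGNALS:
            found.append(name)
            score += SIGNALS[name]
    # An app registers an accessibility service by declaring a <service>
    # guarded by BIND_ACCESSIBILITY_SERVICE; together with SMS and overlay
    # permissions this is the combination worth escalating.
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == ACCESSIBILITY:
            found.append("accessibility-service")
            score += 3
    return {"signals": found, "score": score, "flag": score >= 5}


# Constructed sample manifest resembling the permission set described above.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.sportsapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application android:label="Sample App">
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>
"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

Decode the binary manifest with a tool such as apktool or aapt first; the function expects plain XML text.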

The newly added capability to capture screenshots represents a significant enhancement, providing threat actors with a fresh method to extract sensitive information from compromised devices.

Medusa’s Operators are Expanding Their Focus

The Medusa mobile banking Trojan operation seems to be broadening its focus and adopting stealthier tactics, paving the way for larger-scale deployment and an increased number of victims. While researchers have not yet identified any of the dropper apps on Google Play, the growing participation of cybercriminals in Malware-as-a-Service (MaaS) suggests that distribution strategies will likely become more diverse and sophisticated.
