Medusa, an Android banking Trojan that had been lurking in the background for about a year, has reappeared, experts warn
A new, lightweight Medusa variant has been seen being used by multiple threat actors and targeting victims in numerous countries around the world, according to cybersecurity researchers at Cleafy.
In their report, the researchers say they recently observed an increase in installations of a new app called “4K Sports.” Later research revealed that the app was an evolution of Medusa, with significant changes in command infrastructure and capabilities.
Expand goals
Most notably, the new variant asks for fewer permissions, making it less detectable. It still asks for Accessibility Services, which should always be a red flag. Other notable mentions include Broadcasting SMS, Internet Foreground Service, and Package Management.
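As an added example (not code from the Cleafy report or the malware), the following Python script triages an AndroidManifest.xml for the permission combination described above, treating an accessibility service declaration as the strongest signal. The mapping from the report's wording ("Broadcasting SMS", "Package Management") to concrete Android permission strings, the package name and the sample manifest are assumptions constructed for the example.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ANAME = f"{{{ANDROID_NS}}}name"
APERM = f"{{{ANDROID_NS}}}permission"

# Assumed mapping of the report's permission groups to real Android
# permission strings; adjust to match your own triage policy.
CATEGORIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.SEND_SMS", "android.permission.BROADCAST_SMS"},
    "internet": {"android.permission.INTERNET"},
    "foreground_service": {"android.permission.FOREGROUND_SERVICE"},
    "package_mgmt": {"android.permission.REQUEST_INSTALL_PACKAGES",
                     "android.permission.REQUEST_DELETE_PACKAGES",
                     "android.permission.QUERY_ALL_PACKAGES"},
}


def triage_manifest(xml_text: str) -> dict:
    """Return which risky capabilities a manifest requests and a simple score."""
    root = ET.fromstring(xml_text)
    requested = {el.get(ANAME) for el in root.iter("uses-permission")}
    flags = {cat: bool(requested & names) for cat, names in CATEGORIES.items()}
    # Accessibility access is declared on a <service> guarded by
    # BIND_ACCESSIBILITY_SERVICE, not via <uses-permission>.
    flags["accessibility"] = any(
        svc.get(APERM) == "android.permission.BIND_ACCESSIBILITY_SERVICE"
        for svc in root.iter("service"))
    return {"flags": flags, "score": sum(flags.values())}


# Constructed sample manifest mimicking the reduced permission set; the
# package name is a placeholder, not one from the report.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.placeholder">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".Svc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

An app scoring 5 here is not proof of malice, but an accessibility service combined with SMS and package-install permissions is exactly the profile worth escalating for manual review.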
A total of 17 commands have been removed and five new ones added, among them commands for setting a black screen overlay and taking screenshots.
Using the new Medusa, five different botnets were identified, each with unique operational goals and geographic targets. These are called UNKN, AFETZEDE, ANAKONDA, PEMBE and TONY, and their targets were mainly in Canada, Spain, France, Italy, Great Britain, the US and Turkey.
To spread Medusa, the botnets most likely use droppers, the researchers said. The droppers have not yet been found in the Google Play Store, which significantly reduces their reach. However, dedicated websites, social media channels, phishing and other distribution methods remain viable and can still result in hundreds of thousands of downloads.
The Medusa banking Trojan, not to be confused with the ransomware or the Mirai-based botnet of the same name, is an advanced piece of malware primarily designed to attack financial institutions and facilitate banking fraud. It was first identified in 2020 and targeted Turkish financial institutions. By 2022, Medusa had launched major campaigns in North America and Europe.