New Medusa malware variant targets Android users in seven countries

Medusa malware is back


Medusa, an Android banking trojan, has resurfaced with a new variant, targeting users in seven countries: Canada, France, Italy, Spain, Turkey, the UK, and the US. Also known as TangleBot, this malware has been observed by cybersecurity experts from Cleafy.[1]

It first emerged in 2020, primarily targeting financial institutions in Turkey, and included features like screenshot taking, keylogging, SMS modification, and more.

Since then, it has evolved, reducing its permissions and introducing new features to avoid detection. Its operators use an Android malware-as-a-service (MaaS)[2] business model that seems to be exceptionally successful.

The black screen overlay is the most significant improvement, helping the malware mask its activity

The latest Medusa variants are lightweight and request fewer permissions, making them harder to detect. However, they still require Android's Accessibility Services, which should always be a red flag for users. Cleafy researchers explained further:

By exploiting accessibility services, Medusa extends its functionality beyond simple remote control. This allows the Trojan to automate several features commonly associated with modern banking Trojans, including continuous Key-Logging and Dynamic Overlay Attacks.

Notable new features include the ability to display a black screen overlay and capture screenshots, allowing threat actors to perform malicious activities unnoticed. These changes make Medusa more stealthy and dangerous, as it can now operate for extended periods without raising suspicion.

In addition to these features, the new variants have removed 17 previous commands and added five new ones:

  1. Destroyo: Uninstall a specific application.
  2. Permdrawover: Request “Drawing Over” permission.
  3. Setoverlay: Set a black screen overlay to disguise malicious activities.
  4. Take_scr: Capture screenshots from the infected device.
  5. Update_sec: Update user secrets.

The ability to set a black screen overlay is particularly noteworthy. It allows attackers to make the device appear locked or turned off, masking any malicious operations happening in the background. The screenshot capture feature lets attackers steal sensitive information directly from the device without needing additional permissions.

The new Medusa variants also continue to leverage traditional malware capabilities, such as reading SMS messages, logging keystrokes, recording calls, sharing the device screen in real-time, and performing unauthorized fund transfers using overlay attacks to steal banking credentials. These comprehensive features make Medusa a powerful tool for cybercriminals, capable of executing a wide range of malicious activities with minimal risk of detection.
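The two capabilities the article keeps returning to, an enabled Accessibility Service and the "draw over other apps" permission behind the Permdrawover command, are both visible from a connected device. The following triage script is an added example written for this article; it is not code from Cleafy or from the Medusa operators. It parses the text output of three adb commands (listed in the docstring) and ranks non-system apps by which of the two capabilities they hold. The package names, the adb output samples and the exact appops line format are constructed assumptions, so the script runs offline; on a real device, `collect_from_device()` gathers the same three inputs over USB debugging.

```python
"""Flag third-party Android apps that combine an enabled Accessibility Service
with the SYSTEM_ALERT_WINDOW ("draw over other apps") permission.

Inputs are the text of these adb commands (device with USB debugging enabled):
  adb shell settings get secure enabled_accessibility_services
  adb shell pm list packages -3
  adb shell appops get <package> SYSTEM_ALERT_WINDOW
"""
import subprocess
from typing import Dict, List, Set, Tuple

# Constructed sample output (not captured from a real device) so the script runs offline.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.fake5g/com.example.fake5g.AccService"
)
SAMPLE_THIRD_PARTY = "package:com.example.fake5g\npackage:com.example.weather\npackage:com.example.chat\n"
SAMPLE_APPOPS = {
    "com.example.fake5g": "SYSTEM_ALERT_WINDOW: allow; time=+2h10m ago",
    "com.example.weather": "No operations.",
    "com.example.chat": "SYSTEM_ALERT_WINDOW: allow; time=+5d ago",
}

RISK_ORDER = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}


def parse_accessibility_services(raw: str) -> Set[str]:
    """Packages with an enabled accessibility service.
    The secure setting is a colon-separated list of 'package/ServiceClass'
    entries, or the literal string 'null' when nothing is enabled."""
    raw = raw.strip()
    if not raw or raw == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in raw.split(":") if entry}


def parse_third_party_packages(raw: str) -> Set[str]:
    """'pm list packages -3' prints one 'package:<name>' line per non-system app."""
    return {line.split(":", 1)[1].strip() for line in raw.splitlines() if line.startswith("package:")}


def parse_appops_mode(raw: str) -> str:
    """Mode string from 'appops get <pkg> SYSTEM_ALERT_WINDOW'.
    Assumed format: 'SYSTEM_ALERT_WINDOW: allow; time=...' or 'No operations.'"""
    for line in raw.splitlines():
        if line.startswith("SYSTEM_ALERT_WINDOW:"):
            return line.split(":", 1)[1].split(";", 1)[0].strip()
    return "none"


def triage(accessibility_raw: str, third_party_raw: str, appops_by_pkg: Dict[str, str]) -> List[Dict]:
    """Rank non-system apps: both capabilities -> HIGH, accessibility only -> MEDIUM,
    draw-over only -> LOW. Apps with neither are not reported."""
    accessible = parse_accessibility_services(accessibility_raw)
    findings = []
    for pkg in parse_third_party_packages(third_party_raw):
        has_acc = pkg in accessible
        draw_over = parse_appops_mode(appops_by_pkg.get(pkg, "")) == "allow"
        if has_acc and draw_over:
            risk = "HIGH"
        elif has_acc:
            risk = "MEDIUM"
        elif draw_over:
            risk = "LOW"
        else:
            continue
        findings.append({"package": pkg, "accessibility": has_acc, "draw_over": draw_over, "risk": risk})
    findings.sort(key=lambda f: (RISK_ORDER[f["risk"]], f["package"]))
    return findings


def collect_from_device() -> Tuple[str, str, Dict[str, str]]:
    """Gather the same three inputs from a connected device via adb."""
    def adb(*args: str) -> str:
        return subprocess.run(["adb", "shell", *args], capture_output=True, text=True, check=True).stdout

    acc = adb("settings", "get", "secure", "enabled_accessibility_services")
    third = adb("pm", "list", "packages", "-3")
    appops = {p: adb("appops", "get", p, "SYSTEM_ALERT_WINDOW") for p in parse_third_party_packages(third)}
    return acc, third, appops


if __name__ == "__main__":
    # Replace the sample arguments with collect_from_device() to inspect a real device.
    for f in triage(SAMPLE_ACCESSIBILITY, SAMPLE_THIRD_PARTY, SAMPLE_APPOPS):
        print(f"{f['risk']:6} {f['package']:24} accessibility={f['accessibility']} draw_over={f['draw_over']}")
```

With the sample data, the fake 5G app is reported HIGH because it holds both capabilities, the chat app LOW for draw-over alone, and the weather app is not reported. The system TalkBack service appears in the accessibility setting but is excluded because it is not a third-party package; a real review should still confirm that any system-looking entry is genuine.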

Distribution methods and targeted countries

Medusa is distributed through various methods, including SMS phishing (smishing) and dropper applications. These droppers have been disguised as fake Chrome browsers, 5G connectivity apps, and streaming apps like 4K Sports. Despite not being found on the Google Play Store, Medusa still reaches a wide audience through dedicated websites, social media channels, and other means.

The recent campaigns, tracked since May 2024, involve five different botnets: UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY. Each botnet targets specific geographical regions, with countries like France, Italy, Spain, the UK, Canada, the US, and Turkey being the primary victims.[3] This targeted approach increases the efficiency of Medusa's attacks and maximizes the potential for financial gain.

Medusa malware will no doubt return with new variants

The Medusa malware operation appears to be growing more sophisticated and stealthy over time. Researchers observed that the latest version reduces the number of permissions requested, enhancing its ability to evade detection. This evolution suggests that the developers are continually refining Medusa to stay ahead of security measures and expand its reach.

Cleafy's analysis revealed that Medusa's central infrastructure dynamically fetches URLs for its command and control servers from public social media profiles. This approach allows threat actors to maintain control over infected devices and exfiltrate data without being easily traced. As Medusa continues to evolve, it poses an increasing threat to Android users worldwide.

About the author
Ugnius Kiguolis

Ugnius Kiguolis is a professional malware analyst who is also the founder and owner of 2-Spyware. He currently serves as Editor-in-chief.
