Medusa, an Android banking Trojan that had been hidden for about a year, has made a new appearance, experts warn
A new, lightweight variant of Medusa has been observed in use by multiple threat actors, targeting victims in numerous countries around the world, cybersecurity researchers at Cleafy noted.
In their report, the researchers said they recently observed an increase in installs of a new app called “4K Sports.” Subsequent investigation determined that the application was an evolution of Medusa, with significant changes to its infrastructure and command capabilities.
Expanding goals
Notably, the new variant requests fewer permissions, which makes it less conspicuous both to automated checks and to users reviewing the install prompt. It still requests access to accessibility services, which should always be treated as a red flag: that permission lets an app read whatever is on screen and inject input on the user's behalf. The other permissions it retains cover SMS handling, Internet and foreground-service access, and package management.
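The accessibility-service red flag described above is easy to check mechanically once an APK's manifest has been decoded (for example with apktool). The following is an added example, my own triage script rather than Cleafy's tooling or anything from the report: it parses an AndroidManifest.xml, detects a bound accessibility service, and groups the remaining permissions into the categories the paragraph mentions. The mapping of "SMS", "Internet/foreground service" and "package management" onto concrete Android permission names is my assumption, and the sample manifest is constructed, not taken from any real 4K Sports or Medusa sample.

```python
"""Triage a decoded AndroidManifest.xml for the Medusa-style permission pattern.

Added example, not from the Cleafy report: flags an app that binds an
accessibility service together with SMS or package-visibility permissions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr: str) -> str:
    """Return the namespaced form of an android:attr attribute."""
    return "{%s}%s" % (ANDROID_NS, attr)


# Assumed mapping of the article's permission categories onto concrete
# Android permission names (my reading, not the report's own list).
WATCHLIST = {
    "sms": {
        "android.permission.READ_SMS",
        "android.permission.RECEIVE_SMS",
        "android.permission.SEND_SMS",
    },
    "network": {
        "android.permission.INTERNET",
        "android.permission.FOREGROUND_SERVICE",
    },
    "packages": {"android.permission.QUERY_ALL_PACKAGES"},
}
ACCESSIBILITY_PERMISSION = "android.permission.BIND_ACCESSIBILITY_SERVICE"
ACCESSIBILITY_ACTION = "android.accessibilityservice.AccessibilityService"


def triage_manifest(manifest_xml: str) -> dict:
    """Return a small verdict dict for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(_a("name")) for e in root.iter("uses-permission")}

    # An accessibility service is a <service> protected by
    # BIND_ACCESSIBILITY_SERVICE that advertises the AccessibilityService
    # intent action; that is what lets the app read screens and inject taps.
    accessibility = False
    for svc in root.iter("service"):
        if svc.get(_a("permission")) != ACCESSIBILITY_PERMISSION:
            continue
        for action in svc.iter("action"):
            if action.get(_a("name")) == ACCESSIBILITY_ACTION:
                accessibility = True

    hits = {cat: sorted(perms & names) for cat, names in WATCHLIST.items()}
    hits = {cat: names for cat, names in hits.items() if names}

    # INTERNET/FOREGROUND_SERVICE are near-universal, so they only count as
    # context; accessibility plus SMS or package visibility is what we escalate.
    if accessibility and ("sms" in hits or "packages" in hits):
        verdict = "review"
    elif accessibility:
        verdict = "note"
    else:
        verdict = "clean"

    return {
        "accessibility_service": accessibility,
        "suspicious_permissions": hits,
        "permission_count": len(perms),
        "verdict": verdict,
    }


# Constructed sample manifest (hypothetical package name, not a real APK).
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.sports4k">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.RECEIVE_SMS"/>
    <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
    <application android:label="4K Sports">
        <service android:name=".AccService"
            android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"
            android:exported="true">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
    </application>
</manifest>
"""

if __name__ == "__main__":
    import json
    print(json.dumps(triage_manifest(SAMPLE_MANIFEST), indent=2))
```

The script deliberately does not score INTERNET or FOREGROUND_SERVICE on their own, since almost every legitimate app requests them; the signal is the accessibility service combined with SMS or package-visibility permissions, which is the low-permission footprint the report attributes to the new variant.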
In total, 17 commands were removed and five new ones were introduced, including setting a black screen overlay, taking screenshots, and more.
Five distinct botnets operating the new Medusa variant were identified, each with its own operational objectives and geographic targets. They are named UNKN, AFETZEDE, ANAKONDA, PEMBE and TONY, and their targets were located mainly in Canada, Spain, France, Italy, the United Kingdom, the United States and Turkey.
The botnets most likely distribute Medusa through droppers, the researchers said. No droppers have yet been found on the Google Play Store, which significantly limits their reach; dedicated websites, social media channels, phishing and other methods remain viable, however, and can still generate hundreds of thousands of downloads.
The Medusa banking Trojan, not to be confused with the Medusa ransomware or the Mirai-based botnet of the same name, is sophisticated malware designed primarily to attack financial institutions and facilitate banking fraud. It was first identified in 2020, when it targeted Turkish financial institutions. By 2022, Medusa had launched major campaigns in North America and Europe.