The updated Medusa trojan has reappeared in several countries and has become more dangerous and stealthy
After a lull of about a year, the Medusa banking Trojan for Android has reappeared on the radar of security researchers. Cleafy Threat Intelligence found fresh campaigns targeting users in Canada, France, Italy, Spain, Turkey, the UK and the US. The attackers are using smaller variants of the malware, allowing them to operate more stealthily.
Here's What We Know
Medusa, also known as TangleBot, is an Android banking Trojan that operates as a malware delivery service (MaaS). It was discovered in 2020 and provides attackers with powerful tools to remotely initiate unauthorised financial transactions from infected phones. Its features include recording keystrokes, screen controls and text message manipulation.
The new Medusa campaigns began in May 2024. This is the trojan's first activity since July 2023. Unlike other malware with the same name, Medusa is a banking trojan and not a Mirai botnet for DDoS attacks. The updated variants of the trojan are more compact and require fewer permissions to perform the same malicious actions on infected Android devices. They also have new features such as full-screen window overlay and screenshot capture, making the trojan even more powerful. It can initiate fraudulent transactions directly from the device without the user's knowledge.
Attackers use smishing (SMS phishing) to trick Android users into installing malware. They spread it via dropper apps, including a fake Chrome browser and a 4K Sports streaming app.
Cleafy Threat Intelligence has reportedly not detected any Trojan Medusa virus dropper apps in the Google Play Store at this time. Google's security measures seem to be doing their job effectively. This means you're safe as long as you don't download or install dodgy apps from the internet, especially from links received in messages from unknown numbers. It is safest to download apps only from official app shops and official company websites.
Source: Cleafy
