Researchers have detected an updated version of the Medusa Android banking trojan, known for targeting users in several countries including Canada, France, Italy, Spain, Turkey, the U.K., and the U.S. This new iteration, active since July 2023 and recently observed in May 2024, utilizes five distinct botnets operated by various affiliates, according to cybersecurity firm Cleafy. The latest Medusa samples boast reduced permissions and enhanced functionalities such as full-screen overlays and remote uninstallation capabilities, as highlighted by security analysts Simone Mattia and Federico Valentini.
Originally discovered in July 2020 targeting financial institutions in Turkey, Medusa, or TangleBot, is a sophisticated malware that can intercept SMS messages, capture keystrokes, take screenshots, record calls, and perform overlay attacks to steal banking credentials and conduct unauthorized fund transfers. Recent developments show Medusa evolving its distribution tactics, including the use of dropper apps disguised as fake updates and leveraging legitimate services like Telegram for command-and-control (C2) communication.
The trojan’s adaptation includes strategies to minimize permissions sought during installation, thereby reducing the likelihood of detection while maintaining access to Android’s accessibility services API for stealthy permission escalation. Moreover, Medusa has implemented a black screen overlay feature to deceive victims into believing their device is inactive or powered off, concealing malicious activities. As Medusa expands into new regions like Italy and France, cybersecurity experts warn of its increasingly sophisticated methods to evade detection and broaden its victim base, underscoring the persistent threat posed by mobile banking trojans.
Reference:
