The Medusa banking trojan for Android has re-emerged after virtually a 12 months of preserving a decrease profile in campaigns concentrating on France, Italy, the USA, Canada, Spain, the UK, and Turkey.
The brand new exercise has been tracked since Might and depends on extra compact variants that require fewer permissions and include contemporary options in an try and provoke transactions instantly from the compromised system
Also referred to as TangleBot, Medusa banking trojan is an Android malware-as-a-service (MaaS) operation found in 2020. The malware gives keylogging, display controls, and SMS manipulation.
Though it has the identical identify, the operation is totally different from the ransomware gang and the Mirai-based botnet for distributed denial-of-service (DDoS) assaults.
The current campaigns had been found by the menace intelligence group at on-line fraud administration firm Cleafy, who says that the malware variants are lighter, want fewer persmissions on the system, and embody full-screen overlaying and screenshot capturing.
Newest campaigns
The primary proof of the current Medusa variants is from July 2023, the researchers say. Cleafy noticed them in campaigns that depend on SMS phishing (‘smishing’) to side-load the malware by dropper purposes.
The researchers found 24 campaigns utilizing the malware and attributed them to 5 separate botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY) that delivered malicious apps.
The UNKN botnet is operated by a definite cluster of menace actors, which focus on concentrating on international locations in Europe, significantly France, Italy, Spain, and the UK.
Latest dropper apps utilized in these assaults embody a faux Chrome browser, a 5G connectivity app, and a faux streaming app known as 4K Sports activities.
Provided that the UEFA EURO 2024 champhionship is presently underway, the selection of the 4K Sports activities streaming app as a bait appears well timed.
Cleafy feedback that each one campaigns and botnets are dealt with by Medusa’s central infrastructure, which dynamically fetches the URLs for the command and management (C2) server from public social media profiles.
New Medusa variant
The authors of the Medusa malware have opted to cut back its footprint on compromised units, now requesting solely a small set of permissions however nonetheless require Android’s Accessibility Providers.
Additionally, the malware retains its functionality to entry the sufferer’s contact record and ship SMS, a key distribution technique.
Cleafy’s evaluation exhibits that the malware authors eliminated 17 instructions from the earlier model of the malware and added 5 new ones:
- destroyo: uninstall a selected software
- permdrawover: request ‘Drawing Over’ permission
- setoverlay: set a black display overlay
- take_scr: take a screenshot
- update_sec: replace person secret
The ‘setoverlay’ command is noteworthy because it permits distant attackers to carry out misleading actions corresponding to making the system seem locked/shut off to masks malicious ODF actions occurring within the background.
The brand new functionality to seize screenshots can be an essential addition, giving menace actors a brand new method to steal delicate info from contaminated units.
General, the Medusa cell banking trojan operation seems to broaden its concentrating on scope and be getting stealthier, laying the bottom for extra large deployment and better variety of sufferer counts.
Though Cleafy has not noticed any of the dropper apps on Google Play but, because the variety of cybercriminals becoming a member of the MaaS will increase, distribution methods are sure to diversify and grow to be extra subtle.