Cybersecurity researchers have found an updated version of an Android banking trojan called Medusa that has been used to target users in Canada, France, Italy, Spain, Turkey, the U.K., and the U.S.
The new fraud campaigns, observed in May 2024 and active since July 2023, manifested through five different botnets operated by various affiliates, cybersecurity firm Cleafy said in an analysis published last week.
The new Medusa samples feature a “lightweight permission set and new features, such as the ability to display a full-screen overlay and remotely uninstall applications,” security researchers Simone Mattia and Federico Valentini said.
Medusa, also known as TangleBot, is a sophisticated Android malware first discovered in July 2020 targeting financial entities in Turkey. It comes with capabilities to read SMS messages, log keystrokes, capture screenshots, record calls, share the device screen in real time, and perform unauthorized fund transfers using overlay attacks to steal banking credentials.
In February 2022, ThreatFabric uncovered Medusa campaigns leveraging delivery mechanisms similar to those of FluBot (aka Cabassous) by masquerading the malware as seemingly innocuous package delivery and utility apps. It is suspected that the threat actors behind the Trojan are from Turkey.
Cleafy’s latest analysis reveals not only improvements to the malware, but also the use of dropper apps to disseminate Medusa under the guise of fake updates. Furthermore, legitimate services like Telegram and X are used as dead drop resolvers to retrieve the command-and-control (C2) server used for data exfiltration.
A notable change is the reduction in the number of permissions requested, in an apparent effort to lower the chances of detection. That said, it still requires Android’s accessibility services API, which allows it to stealthily enable other permissions as required and avoid raising user suspicion.
Another modification is the ability to set a black screen overlay on the victim’s device to give the impression that the device is locked or powered off, and to use it as a cover to carry out malicious actions.
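The combination described above, a small permission set that still binds an accessibility service and can draw overlays, is something a triage script can flag from a decoded manifest. The following is an added defender-side example, not code from the article or from Cleafy; the manifest it parses is constructed for illustration and the permission-count threshold is an assumed triage cutoff.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

# Capabilities the article attributes to Medusa, mapped to the manifest
# declarations that grant them. Anything else is treated as benign context.
RISKY_PERMISSIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays (fake lock or black screen)",
    "android.permission.READ_SMS": "read SMS (one-time codes)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.REQUEST_DELETE_PACKAGES": "prompt to uninstall apps",
    "android.permission.REQUEST_INSTALL_PACKAGES": "sideload further packages (dropper)",
}

def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded AndroidManifest.xml for the indicators described above."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(f"{{{ANDROID_NS}}}name") for p in root.iter("uses-permission")}
    findings = {p: why for p, why in RISKY_PERMISSIONS.items() if p in declared}
    # An accessibility service is declared on a <service>, not via <uses-permission>;
    # it is the one capability the article says the lean Medusa build still needs.
    binds_accessibility = any(
        s.get(f"{{{ANDROID_NS}}}permission") == ACCESSIBILITY_BIND
        for s in root.iter("service")
    )
    if binds_accessibility:
        findings[ACCESSIBILITY_BIND] = "accessibility service (can self-grant other permissions)"
    return {
        "declared_permission_count": len(declared),
        "findings": findings,
        # Few declared permissions plus accessibility plus overlay is the pattern
        # described in the article; the threshold of 8 is an assumed triage cutoff.
        "matches_lean_overlay_pattern": binds_accessibility
        and "android.permission.SYSTEM_ALERT_WINDOW" in findings
        and len(declared) <= 8,
    }

# Constructed sample manifest for illustration only, not a real Medusa artifact.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11yService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
print(triage_manifest(SAMPLE_MANIFEST))
```

Real manifests are binary XML inside the APK and must first be decoded (for example with apktool or androguard) before being fed to this function.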
Medusa botnet clusters typically rely on tried-and-tested approaches such as phishing to spread the malware. However, newer waves have been observed propagating it via dropper apps downloaded from untrusted sources, underscoring continued efforts on the part of threat actors to evolve their tactics.
“Minimizing the required permissions evades detection and appears more benign, enhancing its ability to operate undetected for extended periods,” the researchers said. “Geographically, the malware is expanding into new regions, such as Italy and France, indicating a deliberate effort to diversify its victim pool and broaden its attack surface.”
The development comes as Symantec revealed that fictitious Chrome browser updates for Android are being used as a lure to drop the Cerberus banking trojan. Similar campaigns distributing bogus Telegram apps via phony websites (“telegroms[.]icu”) have also been observed distributing another Android malware dubbed SpyMax.
Once installed, the app prompts the user to enable the accessibility services, allowing it to gather keystrokes, precise locations, and even the speed at which the device is moving. The collected information is then compressed and exported to an encoded C2 server.
“SpyMax is a remote administration tool (RAT) that has the capability to gather personal/private information from the infected device without consent from the user and sends the same to a remote threat actor,” K7 Security Labs said. “This allows the threat actors to control victims’ devices, which impacts the confidentiality and integrity of the victim’s privacy and data.”