Medusa Targets Users in Global Campaign

The notorious Android banking trojan Medusa has resurfaced after a period of relative dormancy. Researchers at Cleafy, an online fraud management company, discovered a new variant of the malware targeting users in seven countries: Canada, France, Italy, Spain, Turkey, the United Kingdom, and the United States.

First identified in 2020, Medusa, also known as TangleBot, has a proven track record of wreaking havoc on Android devices. This sophisticated malware operates as a Malware-as-a-Service (MaaS), meaning its functionalities are rented out to cybercriminals, allowing for a wider reach and diverse attack methods.

The latest iteration of Medusa boasts a "lightweight permission set," requesting fewer permissions on compromised devices than previous versions did. Fewer permission prompts means fewer warning signs for the victim and for security tooling, making the malware stealthier and potentially harder to detect. It nonetheless retains its core functionality, including the theft of banking credentials through a tactic known as an overlay attack.

Here's how it works: when a user launches a legitimate banking app, Medusa draws a fraudulent window over it that mimics the real app's login screen. Unsuspecting users, deceived by the near-identical appearance, enter their credentials into the fake screen, and the malware forwards them to the attackers.

Medusa's arsenal extends beyond overlay attacks. The malware can also record keystrokes, capture screenshots, and intercept SMS messages, which gives attackers the one-time codes that banks send as a second authentication factor.

This ability to defeat both the password and the second factor is what makes Medusa particularly dangerous. Financial institutions often rely on SMS verification to confirm logins and transactions, and intercepting those codes lets attackers take complete control of a victim's account.
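The three behaviours above (overlay, keystroke/screen capture, SMS interception) each map to a specific Android mechanism: the SYSTEM_ALERT_WINDOW permission for drawing over other apps, an accessibility service for reading screen content and keystrokes, and the SMS permissions or the SMS_RECEIVED broadcast for reading incoming codes. The following triage script is an added example written for this page, not code from Cleafy or from the malware; it takes a decoded AndroidManifest.xml (plaintext, as produced by a tool such as apktool) and reports which of those capabilities an app declares. The mapping of permissions to capabilities is general Android knowledge, not a description of Medusa's actual manifest, and both manifests embedded below are constructed samples. The point it illustrates is the one the "lightweight permission set" remark makes: a short permission list is not reassuring by itself, because an app that can both cover the login screen and read SMS can take over an account with only a handful of declarations.

```python
"""Triage a decoded AndroidManifest.xml for the capability combination that
overlay-based banking trojans rely on. Added example; assumptions are noted inline."""
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Android mechanisms behind the behaviours described in the text. This is
# general Android knowledge, not a description of Medusa's own manifest.
OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"
SMS_PERMS = {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS"}
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"
A11Y_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"


def parse_manifest(xml_text):
    """Return (uses-permission names, intent-filter actions, service bind permissions)."""
    root = ET.fromstring(xml_text)
    perms = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    actions = {e.get(ANDROID + "name") for e in root.iter("action")}
    svc_perms = {e.get(ANDROID + "permission") for e in root.iter("service")}
    return perms - {None}, actions - {None}, svc_perms - {None}


def capabilities(xml_text):
    """Map declared permissions and components to the abuse capability they enable."""
    perms, actions, svc_perms = parse_manifest(xml_text)
    caps = set()
    if OVERLAY_PERM in perms:
        caps.add("overlay")            # can draw a fake login window over the bank app
    if perms & SMS_PERMS or SMS_ACTION in actions:
        caps.add("sms_intercept")      # can read incoming one-time codes
    if A11Y_BIND in svc_perms or A11Y_ACTION in actions:
        caps.add("accessibility")      # can read screen text and keystrokes, automate the UI
    return caps


def verdict(xml_text):
    """Flag an app that can defeat both the login screen and the SMS second factor."""
    perms, _, _ = parse_manifest(xml_text)
    caps = capabilities(xml_text)
    # Counting permissions is a weak heuristic; the combination is what matters.
    credential_theft = bool(caps & {"overlay", "accessibility"})
    suspicious = credential_theft and "sms_intercept" in caps
    return {"permission_count": len(perms),
            "capabilities": sorted(caps),
            "suspicious": suspicious}


# Constructed sample: only three permissions, yet it can overlay, read SMS and
# run an accessibility service. Package names are made up for the example.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.suspect">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <service android:name=".Helper"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

# Constructed sample of an ordinary app for comparison.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.camera">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, manifest in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, verdict(manifest))
```

Run against a real sample, the script is only a first filter: accessibility-based overlays do not need SYSTEM_ALERT_WINDOW at all, and a trojan can request the SMS role or a permission at runtime rather than declaring everything up front, so an app that passes this check still merits dynamic analysis.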

The recent campaign employed a network of five botnets, each potentially controlled by a different affiliate. This distributed approach makes it more challenging to dismantle the entire operation.

Researchers believe the new features and wider reach signal a resurgence of Medusa as a major threat to Android users. While the technical specifics of the malware remain under wraps to avoid tipping off attackers, security experts urge users to exercise caution and adopt security best practices.
