New Medusa malware variants target Android users in seven countries

The Medusa banking trojan for Android has re-emerged after nearly a year of keeping a lower profile, in campaigns targeting France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.

The new activity has been tracked since May and relies on more compact variants that require fewer permissions and include new features in an attempt to initiate transactions directly from the compromised device.

Also known as TangleBot, the Medusa banking trojan is an Android malware-as-a-service (MaaS) operation discovered in 2020. The malware provides keylogging, screen controls, and SMS manipulation.

Although it has the same name, the operation is distinct from the Medusa ransomware gang and from the Mirai-based Medusa botnet used for distributed denial-of-service (DDoS) attacks.

The recent campaigns were discovered by the threat intelligence team at online fraud management company Cleafy, who say that the malware variants are lighter, need fewer permissions on the device, and include full-screen overlaying and screenshot capturing.

Latest campaigns

The first evidence of the recent Medusa variants dates from July 2023, the researchers say. Cleafy observed them in campaigns that rely on SMS phishing ('smishing') to side-load the malware via dropper applications.

The researchers discovered 24 campaigns using the malware and attributed them to five separate botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY) that delivered malicious apps.

The UNKN botnet is operated by a distinct cluster of threat actors that focuses on targeting countries in Europe, notably France, Italy, Spain, and the UK.

Figure: Overview of Medusa botnets and clusters (Source: Cleafy)

Recent dropper apps used in these attacks include a fake Chrome browser, a 5G connectivity app, and a fake streaming app called 4K Sports.

Given that the UEFA EURO 2024 championship is currently underway, the choice of the 4K Sports streaming app as bait seems timely.

Cleafy notes that all campaigns and botnets are handled by Medusa's central infrastructure, which dynamically fetches the URLs of the command and control (C2) server from public social media profiles.

Figure: Retrieving C2 addresses from covert channels (Source: Cleafy)

New Medusa variant

The authors of the Medusa malware have opted to reduce its footprint on compromised devices, now requesting only a small set of permissions, but the malware still requires Android's Accessibility Services.

The malware also retains its capability to access the victim's contact list and send SMS, a key distribution method.

Figure: Comparison of requested permissions (Source: Cleafy)
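The permission profile described above (Accessibility Service binding plus SMS, contacts and "draw over other apps" rights) is something an analyst can check for when triaging a sideloaded APK. The following added example, which is not Cleafy's tooling or code from the article, parses a decoded AndroidManifest.xml (as a tool such as apktool produces) and flags that combination; the sample manifest, the permission weighting and the review threshold are constructed assumptions for illustration.

```python
"""Triage helper: flag a decoded AndroidManifest.xml whose permission set matches
the lean Medusa-style profile. Added example; sample manifest is constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Real Android permission identifiers; which ones count as suspicious together
# is this example's assumption, based on the capabilities the article describes.
SUSPICIOUS_PERMS = {
    "android.permission.SEND_SMS": "send SMS (smishing-based propagation)",
    "android.permission.READ_CONTACTS": "read contact list (victim harvesting)",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlays)",
}
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Return suspicious permissions requested, whether an accessibility service
    is declared, and a simple verdict for analyst follow-up."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NAME_ATTR) for p in root.iter("uses-permission")}
    hits = {p: why for p, why in SUSPICIOUS_PERMS.items() if p in requested}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    accessibility = any(s.get(PERM_ATTR) == ACCESSIBILITY_PERM
                        for s in root.iter("service"))
    # Threshold (assumption): accessibility plus two or more hits warrants review.
    review = accessibility and len(hits) >= 2
    return {"hits": hits, "accessibility_service": accessibility, "review": review}

# Constructed sample: a fake "browser" dropper declaring the lean permission set.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebrowser">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```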

Cleafy's analysis shows that the malware authors removed 17 commands from the previous version of the malware and added five new ones:

  • destroyo: uninstall a specific application
  • permdrawover: request 'Drawing Over' permission
  • setoverlay: set a black screen overlay
  • take_scr: take a screenshot
  • update_sec: update user secret

The 'setoverlay' command is noteworthy because it allows remote attackers to perform deceptive actions such as making the device appear locked or switched off, masking malicious on-device fraud (ODF) activity occurring in the background.

Figure: Black screen overlay in action (Source: Cleafy)

The new capability to capture screenshots is also an important addition, giving threat actors a new way to steal sensitive information from infected devices.

Overall, the Medusa mobile banking trojan operation appears to be expanding its targeting scope and getting stealthier, laying the ground for wider deployment and higher victim counts.

Although Cleafy has not yet observed any of the dropper apps on Google Play, as the number of cybercriminals joining the MaaS grows, distribution strategies are bound to diversify and become more sophisticated.