The Medusa banking malware for Android has resurfaced after a hiatus of almost a year. New variants target countries including Canada, the United States, the United Kingdom, Spain, France, Italy, and Turkey.
The new activity, tracked since last month, relies on more compact variants that request fewer permissions while adding features; these new strains attempt to initiate transactions directly from the compromised device.
The new Medusa banking malware variant was first sighted in the same month last year.
Research suggests that the earliest indication of the latest Medusa variants dates back to July last year. The researchers observed these variants in campaigns that use SMS phishing (smishing) to side-load the malware through dropper applications.
The researchers identified 24 campaigns using the new variants and traced them to five distinct botnets distributing the malicious apps.
One of these botnets, called UNKN, is operated by a separate threat group known for targeting European countries, including the UK, Spain, France, and Italy. The campaigns used dropper apps built around the Chrome browser, a 5G connectivity utility, and a fake streaming app called 4K Sports.
The researchers further report that a single core Medusa infrastructure serves all campaigns and botnets, with the malware dynamically retrieving its C2 server URLs from public social media profiles.
The Medusa authors have chosen to reduce the malware's footprint on compromised devices, requesting only a limited set of permissions, though it still requires Android’s Accessibility Services. The malware also retains the ability to read the victim’s contact list and send SMS messages.
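As an added example (not code from the article or from the researchers it cites), the following Python triages an Android manifest for the permission profile described above: a declared accessibility service combined with SMS or contact access. The permission identifier strings are an assumption about how those capabilities map to Android's manifest, and both manifests are constructed samples rather than real apps.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Assumed mapping from the capabilities the article describes to Android manifest
# identifiers; the article names the capabilities, not these strings.
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
SENSITIVE = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "read contacts",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw overlays",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Report which sensitive capabilities a manifest requests and whether the
    accessibility-service-plus-SMS/contacts/overlay combination is present."""
    root = ET.fromstring(manifest_xml)
    requested = {e.get(ANDROID + "name") for e in root.iter("uses-permission")}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE.
    has_a11y = any(s.get(ANDROID + "permission") == ACCESSIBILITY_BIND
                   for s in root.iter("service"))
    caps = sorted(SENSITIVE[p] for p in requested.intersection(SENSITIVE))
    return {"accessibility_service": has_a11y,
            "capabilities": caps,
            "suspicious": has_a11y and bool(caps)}


# Constructed sample manifests (not real apps): one matching the profile described
# for the new variants, one with the permission set of an ordinary app.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.streaming">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".A11yService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><service android:name=".SyncService"/></application>
</manifest>"""

if __name__ == "__main__":
    for label, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(label, triage_manifest(xml))
```

The check is a triage heuristic for app review or MDM inventories, not a detection signature; legitimate accessibility tools can request the same combination and need manual review.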
A recent analysis also shows that the developers removed 17 commands present in the previous version and introduced five new ones. One of the new commands, ‘setoverlay’, lets remote operators perform deceptive actions such as making the device appear locked, hiding the malicious on-device fraud (ODF) activity running in the background.
The authors also added the ability to capture screenshots in the new variants, a significant enhancement that lets operators harvest sensitive data from infected devices.
The new Medusa mobile banking trojan campaign has broadened its targeting and become stealthier, a footing its developers could use to run a much larger cybercriminal operation against more victims.