New Android Trojan Variant Targets Banking Users

Cybersecurity researchers at the Cleafy Threat Intelligence team have discovered a new variant of the Medusa banking trojan that has returned to Android devices after evading detection for nearly a year.

It has been spotted in new campaigns to target users in France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.

Discovered in 2020, Medusa (also known as TangleBot) is a sophisticated malware family with Remote Access Trojan (RAT) capabilities.

It has now re-emerged with significant changes, including keylogging, screen controls, and the ability to read and write SMS messages.

Those capabilities enable threat actors (TAs) to perform one of the riskiest forms of banking fraud: On-Device Fraud (ODF).

Cleafy’s Threat Intelligence team discovered the new variant of the Medusa banking trojan while monitoring fraud campaigns in late May 2024.

They observed a surge in installations of a previously unknown app called “4K Sports,” which exhibited characteristics that didn’t perfectly align with known malware families.

Recent findings show some discrepancies between new Medusa samples and the previously known ones, including a lightweight permission set and new features, such as the ability to display full-screen overlay displays and remote application uninstallation.

Initially targeting Turkish financial institutions, Medusa quickly expanded its scope by 2022, launching major campaigns in North America and Europe. Its RAT capabilities allow threat actors to completely control compromised devices using VNC for real-time screen sharing and accessibility services.

This facilitates dangerous attacks like account takeover (ATO) and automatic transfer system (ATS) fraud.

“This RAT (Remote Access Trojan) grants TAs complete control of compromised devices by exploiting VNC for real-time screen sharing and accessibility services for interaction. These capabilities provide TAs the ability to perform On-Device Fraud (ODF),” cybersecurity firm Cleafy researchers said in an analysis published last week.

“ODF is one of the most dangerous types of banking fraud since wire transfers are initiated from the victim’s device and can be adapted for manual or automatic approaches, such as Account Takeover (ATO) or Automatic Transfer System (ATS).”

Cleafy has identified five different botnets operated by several affiliates, each demonstrating separate characteristics regarding geographical targeting and decoy used. In addition to Turkey and Spain, the new targets now also include France and Italy.

The researchers also observed an apparent shift in the distribution strategy among the detected campaigns, with threat actors experimenting with “droppers” to distribute malware via fake update procedures.

The malware coordinates its functionalities through a Web Secure Socket connection to the threat actor’s infrastructure, dynamically fetching the command-and-control (C2) server URL from public social media profiles like Telegram, Twitter, and ICQ for enhanced obfuscation.

This dynamic retrieval increases its resilience against takedown attempts and employs backup channels on these social media platforms for further redundancy.

The latest Medusa variant displays a strategic shift towards a lightweight approach, which minimizes the required permissions and evades detection, enhancing its ability to operate undetected for extended periods.

“The combination of reduced permissions, geographical diversification, and sophisticated distribution methods underscores Medusa’s evolving nature.

As the TAs refine their tactics, cyber-security experts and anti-fraud analysts must stay vigilant and adapt their defences to counter these emerging threats,” the researchers concluded.

Subscribe to our newsletter

To be updated with all the latest news

Kavita Iyer
Kavita Iyerhttps://www.techworm.net
An individual, optimist, homemaker, foodie, a die hard cricket fan and most importantly one who believes in Being Human!!!

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Subscribe to our newsletter

To be updated with all the latest news

Read More

Suggested Post