The PolySwarm Blog


New Medusa Android Banking Trojan Variant Discovered

Jul 1, 2024 1:28:23 PM / by The Hivemind

Verticals Targeted: Financial

Executive Summary

A new variant of the Android banking trojan Medusa was recently discovered. This variant boasts a smaller footprint, needs fewer device permissions, and has full-screen overlay capabilities.

Key Takeaways

  • A new variant of the Android banking trojan Medusa was recently discovered.
  • This new variant was observed in May and targeted entities in France, Italy, US, Canada, Spain, UK, and Turkey.
  • Compared to older variants, the new variant has a smaller footprint, needs fewer device permissions, and has full-screen overlay capabilities.
  • The option to set a black-screen overlay is particularly nefarious: it makes the device appear locked or powered off while the operator carries out on-device fraud underneath it.

What is Medusa?

Cleafy reported on a newly discovered variant of the Android banking trojan Medusa. The variant was observed in May 2024 and targeted entities in France, Italy, the US, Canada, Spain, the UK, and Turkey.

Medusa, also known as TangleBot, is an Android malware-as-a-service (MaaS) offering. The malware, which is thought to be of Turkish origin, has been active since at least 2020. Medusa's feature set includes keylogging, screen control, and SMS manipulation. The new variant has likely been in the wild since July 2023.

Compared to older variants, the new variant has a smaller footprint, needs fewer device permissions, and has full-screen overlay capabilities. Seventeen old commands have been removed and five new ones added: uninstall a specific application, request the "Drawing Over" permission (Android's SYSTEM_ALERT_WINDOW, shown to the user as "Display over other apps"), set a black-screen overlay, take a screenshot, and update the user secret. The black-screen overlay is particularly nefarious: it makes the device appear locked or powered off while the operator carries out on-device fraud underneath it, which is also why the variant asks for the overlay permission rather than the broader set of permissions older builds required.

At least 24 different campaigns have been observed using this malware. Botnets observed delivering Medusa include UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY. Cleafy noted evidence of threat actors using smishing to get victims to sideload the malware via dropper applications. Droppers observed include a fake Chrome browser, a 5G connectivity app, and a fake sports streaming app called 4K Sports, the last of which is likely intended to bait fans of the UEFA EURO 2024 championship. At present, no trojanized apps delivering the new Medusa variant have been observed on the Google Play store.

IOCs

PolySwarm has multiple samples associated with this activity.

SHA-256:

31c3ab369dde010911618deae72a63b85f60f684b155d807795025b412e2f033
6bc37403946c6c0b22efe6030a1cce0bcae1c7e59a6776702801b2b3ce88d843
e7cdbdedcfc13aa752bfc6ec3f531de332e80dcbeb525bbd5beca028b133631d
24298685c619fefaae3dee45b139591e82aa7e85b6509699cf58d6cfc38502e5
facefacefff08eee8e6b00169cfc2167c983d01875b0d6db73b1dc7daf967833
80c850c0f57bb866a99635ab8b15f87a0c99e99667dbc9d0d5f244a87383af3b
a2c2874cac9dffa7451be8b25a33e93ab55be825c7bc65ac98c9103d743e890a
17abb4094366eea7c72cba4cef10c7494d7b2e57c5e591176edbd93d9ad34757
159c4bba80fcb46588ac224bc1a6dd81d776309b74f00a63fe35321f40617750


You can use the following CLI command to search for all Medusa samples in our portal:

$ polyswarm link list -f Medusa
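If you have collected APKs or other samples locally, the following script hashes every file under a directory with SHA-256 and matches the digests against the nine indicators in this bulletin. It is an added example, not PolySwarm's code or part of the PolySwarm CLI. The indicator values are the ones listed above; the target directory and file layout are assumptions. One detail worth noting: several digests on this page are printed with an uppercase leading character, and a case-sensitive string comparison would silently miss those, so the script normalises case and validates the digest format before comparing.

```python
#!/usr/bin/env python3
"""Match local files against the Medusa SHA-256 indicators from this bulletin.

Added example, not PolySwarm's code. The directory passed on the command line
is an assumption; the indicator values are the nine listed in the post above.
"""
from __future__ import annotations

import hashlib
import sys
from pathlib import Path

# The nine SHA-256 digests from the IOC list, normalised to lowercase hex.
MEDUSA_SHA256 = {
    "31c3ab369dde010911618deae72a63b85f60f684b155d807795025b412e2f033",
    "6bc37403946c6c0b22efe6030a1cce0bcae1c7e59a6776702801b2b3ce88d843",
    "e7cdbdedcfc13aa752bfc6ec3f531de332e80dcbeb525bbd5beca028b133631d",
    "24298685c619fefaae3dee45b139591e82aa7e85b6509699cf58d6cfc38502e5",
    "facefacefff08eee8e6b00169cfc2167c983d01875b0d6db73b1dc7daf967833",
    "80c850c0f57bb866a99635ab8b15f87a0c99e99667dbc9d0d5f244a87383af3b",
    "a2c2874cac9dffa7451be8b25a33e93ab55be825c7bc65ac98c9103d743e890a",
    "17abb4094366eea7c72cba4cef10c7494d7b2e57c5e591176edbd93d9ad34757",
    "159c4bba80fcb46588ac224bc1a6dd81d776309b74f00a63fe35321f40617750",
}

HEX_DIGITS = frozenset("0123456789abcdef")


def looks_like_sha256(value: str) -> bool:
    """True if value (after trimming and lowercasing) is exactly 64 hex chars."""
    digest = value.strip().lower()
    return len(digest) == 64 and set(digest) <= HEX_DIGITS


def normalize_sha256(value: str) -> str:
    """Lowercase a SHA-256 hex digest; reject malformed input loudly so a
    bad indicator fails at ingestion instead of never matching."""
    if not looks_like_sha256(value):
        raise ValueError(f"not a SHA-256 hex digest: {value!r}")
    return value.strip().lower()


def sha256_of_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file in chunks so large APKs do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def is_known_medusa(digest: str) -> bool:
    """True if the digest (any case, surrounding whitespace ignored) is an IOC."""
    return normalize_sha256(digest) in MEDUSA_SHA256


def scan_directory(root: Path) -> list[tuple[Path, str]]:
    """Return (path, digest) for every regular file under root that matches."""
    hits: list[tuple[Path, str]] = []
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = sha256_of_file(path)
            if digest in MEDUSA_SHA256:
                hits.append((path, digest))
    return hits


if __name__ == "__main__":
    # Usage: python medusa_ioc_check.py /path/to/collected/apks  (path is an assumption)
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else Path(".")
    matches = scan_directory(target)
    for path, digest in matches:
        print(f"MATCH {digest} {path}")
    # Non-zero exit on a hit makes the script usable as a gate in a pipeline.
    sys.exit(1 if matches else 0)
```

Hash matching only catches the exact samples listed here; repacked droppers with a different signing key or resource tweak will have a different digest, so treat a miss as "not one of these nine", not as "clean".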


Topics: Threat Bulletin, Banking, Financial, Android, Trojan, Mobile, Medusa, on-device fraud
