Verticals Targeted: Financial
Executive Summary
A new variant of the Android banking trojan Medusa was recently discovered. This variant boasts a smaller footprint, needs fewer device permissions, and has full-screen overlay capabilities.
Key Takeaways
- A new variant of the Android banking trojan Medusa was recently discovered.
- This new variant was observed in May and targeted entities in France, Italy, US, Canada, Spain, UK, and Turkey.
- Compared to older variants, the new variant has a smaller footprint, needs fewer device permissions, and has full-screen overlay capabilities.
- The option to set a black screen overlay is particularly nefarious, as it makes the device appear to be locked or off in an attempt to mask malicious on-device fraud activity.
What is Medusa?
A new variant of the Android banking trojan Medusa was recently discovered. This new variant was observed in May and targeted entities in France, Italy, US, Canada, Spain, UK, and Turkey. Cleafy reported on this new variant.
Medusa, also known as TangleBot, is an Android malware-as-a-service (MaaS) offering. The malware, which is thought to be of Turkish origin, has been active since at least 2020. Medusa has several features, including keylogging, screen controls, and SMS manipulation. The new variant has likely been in the wild since July 2023.
Compared to older variants, the new variant has a smaller footprint, needs fewer device permissions, and has full-screen overlay capabilities. While seventeen old commands have been removed, five new ones have been added. These include commands used to uninstall specific applications, request the “Drawing Over” permission, set a black screen overlay, take a screenshot, and update the user secret. The option to set a black screen overlay is particularly nefarious, as it makes the device appear to be locked or off in an attempt to mask malicious on-device fraud activity.
At least 24 different campaigns have been observed using this malware. Botnets observed delivering Medusa include UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY. Cleafy noted there was evidence of threat actors using smishing attacks to sideload the malware via dropper applications. Dropper apps used include a fake Chrome browser, a 5G connectivity app, and a fake sports streaming app called 4K Sports. The 4K Sports app is likely being used to bait sports fans interested in the UEFA EURO 2024 championship. At present, no trojanized apps delivering the new Medusa variant have been observed on the Google Play store.
IOCs
PolySwarm has multiple samples associated with this activity.
31c3ab369dde010911618deae72a63b85f60f684b155d807795025b412e2f033
6bc37403946c6c0b22efe6030a1cce0bcae1c7e59a6776702801b2b3ce88d843
e7cdbdedcfc13aa752bfc6ec3f531de332e80dcbeb525bbd5beca028b133631d
24298685c619fefaae3dee45b139591e82aa7e85b6509699cf58d6cfc38502e5
facefacefff08eee8e6b00169cfc2167c983d01875b0d6db73b1dc7daf967833
80c850c0f57bb866a99635ab8b15f87a0c99e99667dbc9d0d5f244a87383af3b
a2c2874cac9dffa7451be8b25a33e93ab55be825c7bc65ac98c9103d743e890a
17abb4094366eea7c72cba4cef10c7494d7b2e57c5e591176edbd93d9ad34757
159c4bba80fcb46588ac224bc1a6dd81d776309b74f00a63fe35321f40617750
You can use the following CLI command to search for all Medusa samples in our portal:
$ polyswarm link list -f Medusa
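For teams that want to check their own collected APKs or EDR hash telemetry against the IoCs above, the following Python script is an added example (it is not PolySwarm's tooling and does not use the PolySwarm API). It copies the nine SHA-256 digests exactly as listed in this report, normalizes their case (hex digests are case-insensitive, and several are capitalized on the page), validates that each is a well-formed digest, and then matches either a list of observed hashes or every file under a directory against the set. The observed hashes in `demo_matches()` are constructed for illustration.

```python
"""Match observed SHA-256 digests or files against the Medusa IoCs in this report.

Added example, not PolySwarm's tooling. The IoC list below is copied from the
report; everything in demo_matches() is constructed sample input.
"""
from __future__ import annotations

import hashlib
import re
from pathlib import Path
from typing import Iterable

# SHA-256 IoCs exactly as published in the report (mixed case on the page).
MEDUSA_IOCS_RAW = [
    "31c3ab369dde010911618deae72a63b85f60f684b155d807795025b412e2f033",
    "6bc37403946c6c0b22efe6030a1cce0bcae1c7e59a6776702801b2b3ce88d843",
    "E7cdbdedcfc13aa752bfc6ec3f531de332e80dcbeb525bbd5beca028b133631d",
    "24298685c619fefaae3dee45b139591e82aa7e85b6509699cf58d6cfc38502e5",
    "Facefacefff08eee8e6b00169cfc2167c983d01875b0d6db73b1dc7daf967833",
    "80c850c0f57bb866a99635ab8b15f87a0c99e99667dbc9d0d5f244a87383af3b",
    "A2c2874cac9dffa7451be8b25a33e93ab55be825c7bc65ac98c9103d743e890a",
    "17abb4094366eea7c72cba4cef10c7494d7b2e57c5e591176edbd93d9ad34757",
    "159c4bba80fcb46588ac224bc1a6dd81d776309b74f00a63fe35321f40617750",
]

_SHA256_RE = re.compile(r"\A[0-9a-fA-F]{64}\Z")


def is_sha256(value: str) -> bool:
    """True if value is a syntactically valid hex-encoded SHA-256 digest."""
    return bool(_SHA256_RE.match(value.strip()))


def normalize_iocs(raw: Iterable[str]) -> tuple[frozenset[str], list[str]]:
    """Lowercase and validate digests; return (valid set, rejected entries).

    Normalizing case avoids missing a hit when a feed capitalizes a hash
    differently from the scanner or EDR that produced the observed digest.
    """
    valid: set[str] = set()
    rejected: list[str] = []
    for entry in raw:
        entry = entry.strip()
        if is_sha256(entry):
            valid.add(entry.lower())
        else:
            rejected.append(entry)
    return frozenset(valid), rejected


MEDUSA_IOCS, REJECTED_IOCS = normalize_iocs(MEDUSA_IOCS_RAW)


def hash_bytes(data: bytes) -> str:
    """SHA-256 hex digest of an in-memory buffer."""
    return hashlib.sha256(data).hexdigest()


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large APKs are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def match_hashes(observed: Iterable[str], iocs: frozenset[str] = MEDUSA_IOCS) -> list[str]:
    """Return the observed digests (any case, malformed entries ignored) found in the IoC set."""
    seen = {entry.strip().lower() for entry in observed if is_sha256(entry)}
    return sorted(seen & iocs)


def scan_directory(root: Path, iocs: frozenset[str] = MEDUSA_IOCS) -> dict[str, str]:
    """Hash every regular file under root (e.g. a quarantine of collected APKs); return {path: digest} for hits."""
    hits: dict[str, str] = {}
    for path in root.rglob("*"):
        if path.is_file():
            digest = sha256_file(path)
            if digest in iocs:
                hits[str(path)] = digest
    return hits


def demo_matches() -> list[str]:
    """Constructed observed-hash list: one report IoC in upper case, one benign digest, one malformed entry."""
    observed = [
        "E7CDBDEDCFC13AA752BFC6EC3F531DE332E80DCBEB525BBD5BECA028B133631D",  # IoC from the report, upper-cased
        hash_bytes(b"constructed benign file contents"),  # constructed, not an IoC
        "not-a-hash",  # malformed telemetry entry, should be ignored
    ]
    return match_hashes(observed)


if __name__ == "__main__":
    for hit in demo_matches():
        print("MATCH", hit)
```

Point `scan_directory()` at a directory of collected samples to get a path-to-digest map of hits; `match_hashes()` takes hash lists straight from EDR or sandbox exports without reformatting them first. Exact-hash matching only catches these specific builds, so treat a miss as inconclusive rather than as a clean verdict.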
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports.