New versions of Medusa, an Android banking trojan, have appeared, affecting devices in multiple countries, including the US, the UK, Canada, France, Italy, Spain, and Turkey. The new variants are more compact, ship with upgraded capabilities and a reworked command structure, and are being operated by several distinct threat actors. The malware provides SMS manipulation, keylogging, and remote screen control; it can also take screenshots, display overlays on top of legitimate apps, and uninstall applications.
The Medusa banking trojan, also tracked as TangleBot, primarily targets users of financial institutions, enabling banking fraud against their accounts. Its first iteration was discovered in 2020 targeting banks in Turkey; over the following two years it was used in significant campaigns in North America. It is not to be confused with the botnet or the ransomware that share the Medusa name.
The newer variants let operators carry out fraud directly on the compromised smartphone (on-device fraud), and need only minimal permissions to install and run. One observed lure is an app calling itself 4K Sports; the campaigns are attributed to five botnets, named AFETZEDE, UNKN, PEMBE, ANAKONDA, and TONY, each with its own objectives and geographic targets.
These botnets are believed to distribute droppers through third-party channels, including social media, websites, and phishing campaigns, which could translate into hundreds of thousands of downloads. Android users should verify the source of any app they install and prefer official app stores wherever possible.
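Since the recommended defence above is to check where an app came from, the following is an added example (not from the original article, nor from any Medusa analysis) of how an analyst can do that check on a device over adb. The real command is `adb shell pm list packages -i`, whose output lists each package with its `installer=` field (`installer=null` for packages installed outside any store); the sample output and the package names in it are constructed for illustration, and treating only the Play Store and the Samsung Galaxy Store installers as trusted is an assumption you should adjust to your fleet.

```shell
#!/bin/sh
# Added example: flag sideloaded packages from `adb shell pm list packages -i` output.
# Real devices print lines like "package:com.example.app  installer=com.android.vending".
# Constructed sample output standing in for a real device (package names are made up):
SAMPLE='package:com.android.chrome  installer=com.android.vending
package:com.whatsapp  installer=com.android.vending
package:com.example.sportsapp  installer=null
package:com.example.sideload  installer=com.google.android.packageinstaller
package:com.samsung.android.app  installer=com.sec.android.app.samsungapps'

# flag_sideloaded: print every package whose installer is not a trusted store.
# Trusted installers here (an assumption): Play Store and Samsung Galaxy Store.
# "null" means the package was installed with no recorded installer, i.e. sideloaded;
# com.google.android.packageinstaller means a user tapped an APK and accepted the install.
flag_sideloaded() {
    printf '%s\n' "$1" | awk '
        /^package:/ {
            pkg = substr($1, 9)          # strip the "package:" prefix
            inst = "unknown"
            for (i = 2; i <= NF; i++)
                if ($i ~ /^installer=/) inst = substr($i, 11)   # strip "installer="
            if (inst != "com.android.vending" && inst != "com.sec.android.app.samsungapps")
                print pkg " (installer=" inst ")"
        }'
}

# On a real device, replace "$SAMPLE" with: "$(adb shell pm list packages -i)"
flag_sideloaded "$SAMPLE"
```

A non-store installer is a lead, not a verdict: enterprise MDM and OEM updaters also show up here. Follow up on any flagged package by pulling the APK with `adb shell pm path <pkg>` and `adb pull`, and by checking whether it holds an enabled accessibility service, since that is what lets a banking trojan read and drive the screen.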