Medusa is back: attack campaign on Android in France

Medusa, the dreaded Trojan horse, has made a comeback with a new wave of attacks targeting Android smartphone users in France, as well as in several other countries such as the UK, Spain, Italy, Turkey, the USA and Canada. Those who thought their device was safe should brace themselves for a new threat.

Also known as TangleBot, Medusa has evolved to become more sophisticated and stealthy, capable of bypassing advanced security measures and infiltrating devices to steal sensitive information, including access to its victims’ bank accounts. This resurgence marks a significant evolution of the malware, now capable of bypassing the most advanced protections and targeting banking data with frightening precision.

Cleafy’s cybersecurity researchers spotted the campaign in May 2024 and have just published their detailed report. This was the first time the Medusa banking trojan had been identified in attacks targeting France and Italy.

History of Medusa: birth and evolution

The Medusa Trojan was first identified in 2020 and had already distinguished itself by its ability to target Android devices. It was offered on a subscription basis through a “Malware-as-a-Service” (MaaS) offering. This formula, which enables cybercriminals to rent malware to carry out their attacks, has helped it wreak havoc among Android users.

After a short period of inactivity, Medusa returned to the spotlight in 2024, targeting users in France and Italy for the first time, as Cleafy’s report details. This new version of the malware is even more sophisticated and stealthy, using advanced methods to evade detection, putting users’ personal and financial data at risk. As a result, it is becoming essential to update all Android systems and to be particularly vigilant against phishing attempts and app downloads from unverified sources.

How did Medusa spread so rapidly?

In the most conventional way, using advanced phishing techniques. Users were often prompted to download malicious applications that appeared legitimate, enabling the Trojan to infiltrate many devices unnoticed. This ability to mask its intentions made Medusa particularly dangerous and difficult for traditional security systems to detect. Among other things, this malware enables keystrokes to be recorded via a keylogger, screens to be controlled and SMS messages to be manipulated.

SMS phishing campaigns

In May 2024, Cleafy researchers uncovered new sophisticated fraud campaigns using the Medusa malware. According to the detailed study published on their site, these campaigns relied on SMS phishing techniques (also known as smishing). These SMS messages are designed to imitate official communications from banks, service providers or other trusted organizations, urging victims to click on fraudulent links. Once the link was clicked, users were redirected to fake websites where they were invited to download supposedly necessary applications. In reality, these applications contained the Medusa Trojan, which silently installed itself on their devices to steal sensitive data. Cleafy points out that this new Medusa variant is particularly compact and difficult to detect, making these campaigns even more dangerous for Android users in France and wherever the threat is deployed.

Medusa, new SMS phishing campaigns targeting France

Propagation process

  1. Receipt of fraudulent SMS: a fraudulent message containing a link is sent to the victim.
  2. Application download: the victim clicks on the link and downloads an infected application.
  3. Dropper installation: the application installs a “dropper” (injector or “dropper virus”) on the smartphone.
  4. Medusa installation: the dropper finally installs Medusa on the device.

Malware evolution

Cleafy’s experts have noted significant changes in the way Medusa works. It requires fewer Android permissions than in 2023, making it more difficult to detect. Medusa has been optimized to run more unobtrusively, reducing the number of permissions requested from the user during installation. For example, instead of requesting a large number of permissions at once, it only requires those that are absolutely necessary for its malicious operations, including access to essential services such as accessibility, contacts and messages. Reducing the permissions required also makes the malware more compatible with a wider variety of Android devices, increasing its potential reach.

“By exploiting accessibility services, Medusa extends its functionality beyond simple remote control. This enables the Trojan to automate several functions commonly associated with modern banking Trojans, including continuous key logging and dynamic overlay attacks,” explains the Cleafy Threat Intelligence team.

Reduced permissions and new features

As we have seen, by reducing the number of permissions required, Medusa becomes less visible during initial analysis, and therefore even more dangerous. This new approach enables it to operate with a lighter footprint, making it easier to infiltrate Android devices without arousing suspicion. Access to accessibility services, phonebook and SMS messages are particularly insidious, as they enable Medusa to control the device without the user’s knowledge, executing commands and accessing data without the user noticing.
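The article's point is that the dangerous signal is no longer the sheer number of permissions but the combination of an accessibility service with SMS, contacts and overlay access. The following check is an added example, not code from the article or from Cleafy: it parses an AndroidManifest.xml (a constructed sample is embedded; `com.example.fakeupdate` and the service name `.A11y` are invented placeholders) and flags that combination even when the permission list is short.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"
PERM_ATTR = f"{{{ANDROID_NS}}}permission"

# Permissions the article singles out: SMS read/write, the phonebook and the
# "Drawing Over" permission used to superimpose fake windows.
RISKY_PERMISSIONS = {
    "android.permission.READ_SMS": "read SMS (OTP theft)",
    "android.permission.RECEIVE_SMS": "intercept incoming SMS",
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.READ_CONTACTS": "read phonebook",
    "android.permission.SYSTEM_ALERT_WINDOW": "draw over other apps (overlays)",
}
# A service guarded by this permission is how an app registers an
# accessibility service, the capability Cleafy describes as the core abuse.
ACCESSIBILITY_PERM = "android.permission.BIND_ACCESSIBILITY_SERVICE"


def assess_manifest(manifest_xml: str) -> dict:
    """Return the risky permissions found in a manifest plus a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    requested = {el.get(NAME_ATTR) for el in root.iter("uses-permission")}
    risky = sorted(p for p in requested if p in RISKY_PERMISSIONS)
    has_a11y = any(s.get(PERM_ATTR) == ACCESSIBILITY_PERM for s in root.iter("service"))
    # Accessibility plus SMS access is the pairing that enables on-device fraud
    # and OTP interception, so it is rated high even with few permissions.
    wants_sms = any(p.endswith("_SMS") for p in risky)
    verdict = "high" if has_a11y and wants_sms else "medium" if has_a11y or risky else "low"
    return {"permission_count": len(requested), "risky": risky,
            "accessibility_service": has_a11y, "verdict": verdict}


# Constructed sample manifest (not a real Medusa sample): a short permission
# list of the kind the article describes, plus an accessibility service.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""
```

On a real device the manifest can be pulled with `adb shell pm path <pkg>` followed by `adb pull` and decoded with apktool before being fed to `assess_manifest`.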

“Its features include a keylogger, screen controls and the ability to read/write SMS messages. These capabilities enable threat actors to carry out one of the riskiest fraud scenarios: On-Device Fraud (ODF).”

Cleafy Threat Intelligence

These new features are particularly aggressive, as they give hackers access not only to banking credentials, but also to personal information and to one-time passwords (OTP) sent by SMS, thus rendering two-factor authentication protections inoperative.

Medusa new variant
Comparison of authorizations required for early and recent campaigns.

To sum up, the new functionalities include screen captures without the user’s knowledge, remote application uninstallation and the superimposition of dummy windows.

Cleafy’s analysis shows that the authors of the malware have lightened the previous version by removing 17 commands and adding five new ones:

  • destroyo: uninstall a specific application
  • permdrawover: request ‘Drawing Over’ permission
  • setoverlay: set a black screen overlay
  • take_scr: take a screenshot
  • update_sec: update user secret

All these tactics are aimed at stealthy access to our personal data. For example, the screenshot functionality allows attackers to monitor and record user activities in real time, including the entry of passwords and other confidential information. According to Cleafy researchers, the “setoverlay” command is remarkable in that it enables attacks to be carried out discreetly. The attacker has the ability to make the device appear to be switched off to mask their malicious activities, which can then take place in the background. This combination of advanced techniques reinforces Medusa’s effectiveness and the danger it represents for Android smartphone users.

Medusa: example of the overlay command in action
Setoverlay command in action – Source: Cleafy

Use of 5 botnets

To distribute the fraudulent SMS messages, the cybercriminals relied on five different botnets. Each of them is characterized “by the types of decoys used, the distribution strategy and the geographical targets”, according to the researchers. The analysis revealed the existence of two distinct groups of Medusa botnets, each with different operational characteristics:

Medusa, characteristics of the 5 botnets
Characteristics of the five botnets – Source: Cleafy

Specific features of attacks targeting France

The UNKN botnet, which is part of the second cluster and mainly targets European countries, marks a change in Medusa’s operational strategy. Specific campaigns have been developed to trap French and Italian users. Unlike traditional variants, instances have been installed using “droppers”. The dropper (“injecteur” in French), sometimes also referred to as a dropper virus, is a fraudulent program that acts as a sort of entry point. It facilitates the distribution and installation of various malicious programs, such as ransomware. This small, lightweight software is specifically designed to fool cybersecurity measures. Downloaded from untrusted sources, once installed on the device its payload can be unleashed with complete discretion. If you’d like to find out more about payloads, take a look at our article on the subject.

For Cleafy’s cybersecurity experts “this suggests that the TAs behind this botnet are experimenting with new distribution methods beyond traditional phishing tactics.” These campaigns are carefully crafted to exploit users’ cultural, linguistic and behavioral specificities. Messages can be designed to contain relevant contextual information, such as references to national events or local public services, to enhance their credibility.

Finally, 5 basic tips to protect yourself

  1. Always be wary of suspicious SMS messages: never click on links contained in suspicious SMS messages.
  2. Use antivirus software: install reliable antivirus software on your smartphone.
  3. Check the source of applications: only download applications from their original source.
  4. Check application permissions: before installing an application, check the permissions it requires.
  5. Keep your system up to date: make sure your smartphone has the latest security updates.

Medusa represents a serious threat to Android smartphone users in France and around the world. Its ability to evolve and bypass security systems makes it particularly dangerous. Cleafy has not yet observed the distribution of droppers on the Google Play Store, but the possibility of future deployments through this channel cannot be ruled out, as has already been the case for other malware families. Stay vigilant, protect your devices and beware of suspicious SMS messages.

Sources:

Cleafy study: Medusa reborn: a new compact variant discovered
