Medusa Returns To Target Android Devices

A banking trojan first discovered in 2020 has made a comeback, according to threat intelligence firm Cleafy. Called Medusa, not to be confused by the ransomware gang or the botnet going by the same name, the malware targets Android devices and is offered as a Malware-as-a-Service to other threat actors for a fee.

In the most recent campaign discovered by security researchers, a new version of Medusa is being used to target Android users in France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.

Medusa Returns To Target Android Devices

In providing a brief historical overview of Medusa, Cleafy researchers noted,

First identified in 2020, the Turkish-linked Medusa banking Trojan has grown on the world stage to become a significant threat. Initially targeting Turkish financial institutions, Medusa's scope expanded rapidly by 2022, launching major campaigns in North America and Europe…This RAT (Remote Access Trojan) grants TAs [Threat Actors] complete control of compromised devices by exploiting VNC for real-time screen sharing and accessibility services for interaction. These capabilities provide TAs the ability to perform On-Device Fraud (ODF). ODF is one of the most dangerous types of banking fraud since wire transfers are initiated from the victim’s device and can be adapted for manual or automatic approaches, such as Account Takeover (ATO) or Automatic Transfer System (ATS).

The most recent campaign discovered by researchers appears to have begun in July 2023 and was found in May 2024. While deploying a newer malware variant, some hallmarks of Medusa have remained the same, namely the high degree of adaptability threat actors display and how the backend is configured to support multiple different botnets.

In the most recent campaign, five different botnets were used in attacks, along with differing phishing decoys, distributional strategies, and geographical targets.

The newer variant uses two botnet clusters to carry out different operational goals. These clusters are, as discovered by Cleafy:

  • Cluster 1 (AFETZEDE, ANAKONDA, PEMBE, TONY): these botnets primarily targeted users in Turkey, with some campaigns extending to Canada and the United States. They follow Medusa's traditional modus operandi, relying on methods like phishing campaigns to spread the malware. Interestingly, these variants often shared decoys, C2 servers, and campaign names, suggesting a potential connection to the same threat actors.
  • Cluster 2 (UNKN): this botnet marks a shift in Medusa's operational strategy. It mainly targets European users, with specific campaigns focusing on Italy and France. Unlike traditional variants, some instances of the innovative cluster were installed via droppers downloaded from untrusted sources. This suggests the threat actors behind this botnet are experimenting with novel distribution methods beyond traditional phishing tactics.

Perhaps the biggest evolution researchers see in the new variant is using a lightweight permission set. Mobile phone apps use permissions to grant specific levels of access to the device.

Android malware is often reliant on modifying permissions so that privileged access can be granted to the threat actor. This drastic reduction in the number of permissions within the set helps prevent detection and analysis. Further, the activity resulting from the lightweight permission set can bypass automated security detection.

Earlier versions of Medusa would modify permissions for the following Android features:

  • Camera and Microphone
  • GPS Location
  • Phone Call
  • Read and Send SMS
  • Read Contacts
  • Read Phone State
  • Write Settings

The newer version now modifies only the following to carry out the same tasks:

  • Accessibility Services
  • Broadcast SMS
  • Internet
  • Foreground Service
  • Query and Delete Packages

Improved Capabilities

When malware executes activities associated with banking trojans, like fraudulent wire transfers, commands need to be issued. Again, the total number of commands has been significantly reduced, in some cases up to 17 fewer commands. This is done again for stealth, like with the modification of permissions.

The removal of certain commands and their associated functions reflects a deliberate effort by the threat actors to streamline Medusa's operations. By focusing on essential and more impactful features, they can ensure the malware remains effective while evading detection.

This approach further solidifies the malware's robustness and adaptability. By being able to carry out an admittedly reduced set of instructions, it does so with a greater chance of remaining undetected, improving the malware's capabilities. Researchers provided an example of this, stating,

In particular, commands like “set overlay” emphasize controlling the victim's device screen, facilitating more sophisticated phishing and social engineering attacks. This command allows the malware to display a black screen overlay on the victim's device. While the exact purpose remains under investigation, this functionality presents a potential threat: by obscuring the underlying screen content, the attacker can use this overlay to mask other malicious activities.

The threat posed by this new version of Medusa is increased not only by the adoption of lightweight permission and command sets but also by the expansion of the attack surface.

Previously, Medusa threat actors had not targeted users in France or Italy. With this latest campaign, that has changed, and it shows the threat actor's capability in making the malware a scarier prospect and in the tactics employed.

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal