Android malware now attacks France


Cleafy, a Milanese company specializing in the fight against online fraud, has discovered new traces of Medusa, a fearsome banking Trojan targeting Android smartphones. As Cleafy’s investigation explains, the appearance of Medusa dates back to 2020. That year, the malware was offered by subscription through a “Malware-as-a-Service” (MaaS) offering. This type of offer allows cybercriminals to rent access to malware for a fee.

Also known as Tanglebot, the virus has remained inactive since last summer. It is now making a comeback with increasing attacks in countries such as France, Italy, the United States, Canada, Spain, the United Kingdom and Turkey. This is the first time Medusa has been identified in attacks in France and Italy, the report said.


A new stealthy version of Medusa

Cleafy researchers explain that they found “new fraud campaigns involving the Trojan horse” Medusa in May 2024. The virus was involved in 24 different campaigns relying on SMS phishing attacks. These operations consisted of spreading malicious applications through fraudulent messages. The applications contained dropper malware, software designed only to install other malware on victims’ smartphones. At the end of the operation, Medusa was installed on the device.

According to Cleafy, the malware has evolved significantly since its last exploits. Experts have observed “significant changes” in the functioning of the virus. The arrival of “new affiliates” using the software “likely pushed developers to create less detectable variants, potentially to test their reliability in previously unexplored geographic regions”. This is why Medusa requests far fewer Android permissions at installation than it did in 2023. This precaution allows the attackers to fly under the radar. However, the Trojan still requires access to Android accessibility services. These settings are designed to assist visually impaired people in using their device, but many applications take advantage of them to steal user data. Furthermore, Medusa still requests access to the directory and SMS messages.

“By reducing the number of permissions, the malware becomes less visible during initial scanning, potentially bypassing automated security checks and manual inspections,” explains Cleafy.
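The point about permission counts can be checked against a decoded AndroidManifest.xml. The following is an added example, not code from Cleafy or from the original article: it compares a count-based heuristic with a check for the combination described above (an accessibility service plus SMS access). The sample manifests, the package name, the threshold of 10 and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = "{http://schemas.android.com/apk/res/android}"
BIND_A11Y = "android.permission.BIND_ACCESSIBILITY_SERVICE"
A11Y_ACTION = "android.accessibilityservice.AccessibilityService"
SMS_PERMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS",
             "android.permission.SEND_SMS"}

def triage_manifest(manifest_xml, count_threshold=10):
    """Compare a permission-count heuristic with a capability-combination check."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(NS + "name") for p in root.iter("uses-permission")} - {None}
    # An accessibility service is a <service> guarded by BIND_ACCESSIBILITY_SERVICE
    # whose intent filter handles the AccessibilityService action.
    a11y = sorted(
        s.get(NS + "name", "?") for s in root.iter("service")
        if s.get(NS + "permission") == BIND_A11Y
        and any(a.get(NS + "name") == A11Y_ACTION for a in s.iter("action")))
    sms = sorted(requested & SMS_PERMS)
    return {
        "permission_count": len(requested),
        # Assumed heuristic: "many permissions" means suspicious (threshold is arbitrary).
        "flagged_by_count": len(requested) >= count_threshold,
        "accessibility_services": a11y,
        "sms_permissions": sms,
        # Flags the pairing regardless of how short the permission list is.
        "flagged_by_combination": bool(a11y) and bool(sms),
    }

def _manifest(perms, service=""):
    """Build a constructed, minimal manifest for the samples below."""
    uses = "".join(
        f'<uses-permission android:name="android.permission.{p}"/>' for p in perms)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            f'package="com.example.sample">{uses}'
            f'<application>{service}</application></manifest>')

A11Y_SERVICE = (f'<service android:name=".Helper" android:permission="{BIND_A11Y}">'
                f'<intent-filter><action android:name="{A11Y_ACTION}"/>'
                '</intent-filter></service>')

# Constructed samples: a lean permission set with accessibility + SMS,
# and an accessibility app that requests no SMS access.
LEAN_SAMPLE = _manifest(["INTERNET", "FOREGROUND_SERVICE", "RECEIVE_SMS"], A11Y_SERVICE)
SCREEN_READER = _manifest(["INTERNET"], A11Y_SERVICE)

if __name__ == "__main__":
    for name, xml in [("lean_sample", LEAN_SAMPLE), ("screen_reader", SCREEN_READER)]:
        print(name, triage_manifest(xml))
```

The lean sample passes the count heuristic with only three permissions but is flagged by the combination check, while the screen reader sample is not flagged by either.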

The malware now has new features, such as the ability to take screenshots without the user’s knowledge or to superimpose a dummy window on top of an application. These tactics are part of the classic banking Trojan arsenal. Once installed on a target’s phone, Medusa does everything it can to capture banking details. With this information, attackers can then access the victim’s account and steal funds.

France in the viewfinder

To distribute the fraudulent SMS messages behind the cyberattack, the cybercriminals relied on a total of five botnets. After investigating, Cleafy found that the attacks targeting France were orchestrated by the UNKN botnet. Hackers have apparently developed “specific campaigns” to trap the French. This botnet is operated by a gang of hackers who mainly target European countries, especially France, Italy, Spain and the United Kingdom. The arrival of Medusa in France comes at a time when the country is already experiencing a continuing wave of cyberattacks.

Source: Cleafy