The Medusa banking trojan, also known as TangleBot, has returned to life after over a year of hibernation, posing a serious threat to Android users everywhere. The malware, which is also known as TangleBot, targets users in the United States, France, Italy, Canada, Spain, the United Kingdom, and Turkey. Since May, security researchers have noticed a revival of the virus, noting notable modifications to its functionality and means of spread. 

Streamlined and Stealthier Malware

The new version of Medusa is a more compact and efficient variant that requires fewer permissions while still performing its malicious activities. Researchers from the online fraud management company Cleafy have noted that this streamlined version retains access to contacts, sends SMS messages, captures screenshots, and places deceptive overlays on the screen. These overlays can make the device appear locked or shut off, masking the malware's activities running in the background. 

Medusa's latest campaigns have leveraged various dropper apps to infiltrate devices. These include a fake Chrome browser, a 5G connectivity app, and a streaming app called 4K Sports, which has been particularly timely given the ongoing UEFA EURO 2024 championship. These malicious apps have been distributed through smishing (SMS phishing) campaigns and other third-party sources, not the Google Play Store. 

Medusa operates as an Android Malware-as-a-Service (MaaS), allowing cybercriminals to pay for access to the trojan. This model has led to a more extensive and sophisticated network of threat actors. Cleafy's research identified 24 campaigns attributed to five botnets: UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY, each focusing on different regions, particularly in Europe.

The UNKN botnet, for example, targets France, Italy, Spain, and the UK.

Read Also: Apple Rejects Meta's AI Partnership Proposal Over Privacy Concerns

Evolving Threats and Mitigation Strategies

To enhance its stealth, the developers of Medusa have removed 17 commands from the previous version and added five new ones, including:

• destroyo: Uninstall a specific application.

• permdrawover: Request "Drawing Over" permissions.

• setoverlay: Set a black screen overlay.

• take_scr: Take a screenshot.

• update_sec: Update user secrets.

These changes reduce the malware's footprint while maintaining its malicious capabilities.

Protective Measures

To protect against Medusa and similar threats, Android users are advised to:

1. Avoid Sideloading Apps: Download software only from reputable stores such as the Google Play Store. Avoid any third-party sites at all costs.

2. Use Security Software: To identify and stop malware, install reliable security and antivirus software.

3. Stay Informed and Updated: Update the apps and operating system on the smartphone with the most recent security fixes.

4. Review App Permissions: Examine app permissions carefully and don't allow access that isn't necessary.

5. Monitor Financial Accounts: Check your credit card and bank statements frequently for any fraudulent activities. Call your bank as soon as possible if you suspect any suspicious activities.

Users can drastically lower their chance of contracting the Medusa banking trojan and other viruses by taking these preventative measures.

Related Article: Google Integrates Gemini AI Across Major Platforms Including Gmail, Docs, And Sheets