Have you run out of problems? Google is winding down its reward program for finding vulnerabilities in Android applications


 

Google has announced the end of the Google Play Security Reward Program (GPSRP), launched in 2017 to reward security researchers for identifying and responsibly disclosing vulnerabilities in popular Android applications.

 

The program was aimed at improving the security of apps on the Google Play Store and provided financial rewards to researchers for discovering serious vulnerabilities such as remote code execution and theft of sensitive data. During the GPSRP’s existence, significant sums were paid for such finds.

 

Since its launch, the program has expanded its coverage to include developers of leading apps such as Amazon, Facebook, Snapchat, Spotify, Telegram, Tesla and TikTok. In 2019, the GPSRP began to cover all applications with more than 100 million installations, and maximum payouts for discovered vulnerabilities reached $20,000.

 

However, Google decided to end the program because the number of vulnerabilities reported by researchers has decreased. This is due to the general improvement in the security of the Android operating system and the hardening of applications. The program will cease to exist on August 31, 2024, and all reports submitted before that date will be considered until September 15.

 


 

After about a year of silence, the Medusa banking Trojan for Android is active again, as reported by Cleafy Threat Intelligence. The newly discovered campaigns target users in Canada, France, Italy, Spain, Turkey, the UK and the US. Attackers use smaller versions of the malware, which allows them to operate more stealthily.

 

Medusa, also known as TangleBot, is a banking Trojan for Android that operates as a Malware-as-a-Service (MaaS). It was first discovered in 2020 and provides attackers with powerful tools to remotely perform unauthorized financial transactions from infected phones. Its features include keystroke recording, screen manipulation, and text message manipulation.

 

New Medusa campaigns began in May 2024, marking the Trojan’s first activity since July 2023. Unlike other malware sharing the name, this Medusa is a banking Trojan, not a Mirai botnet used for DDoS attacks. Updated versions of the Trojan are more compact and require fewer permissions to perform the same malicious actions on infected devices. They also have new features such as overlaying full-screen windows and capturing screenshots, making the Trojan even more powerful and able to initiate fraudulent transactions directly from the device without the user’s knowledge.

 

Attackers use smishing (SMS phishing) to trick Android users into installing malware. They distribute it through dropper apps, including a fake Chrome browser and a 4K Sports streaming app.

 

Cleafy Threat Intelligence reports that no Medusa Trojan dropper has been detected in the Google Play Store at this time. This shows that Google’s security measures are working effectively. Users are safe as long as they do not download or install questionable programs from the Internet, especially from links received in messages from unknown numbers. The safest way is to download applications only from official application stores and official websites of companies.

