The updated Medusa Android banking trojan has become more dangerous

After about a year of silence, the Medusa Android banking trojan has resurfaced, Cleafy Threat Intelligence reported. The newly discovered campaigns target users in Canada, France, Italy, Spain, Turkey, the UK and the US. Attackers use smaller versions of the malware, which allows them to operate more stealthily.

Medusa, also known as TangleBot, is a banking trojan for Android operating as a Malware-as-a-Service (MaaS). It was first discovered in 2020 and provides attackers with powerful tools to remotely perform unauthorized financial transactions from infected phones. Its features include keystroke recording, screen manipulation, and text message manipulation.

New Medusa campaigns began in May 2024, marking the Trojan’s first activity since July 2023. Unlike other malware with the same name, Medusa is a banking trojan, not a Mirai botnet for DDoS attacks. Updated versions of the Trojan are more compact and require fewer permissions to perform the same malicious actions on infected devices. They also have new features such as overlaying full-screen windows and capturing screenshots, making the Trojan even more powerful and able to initiate fraudulent transactions directly from the device without the user’s knowledge.

Attackers use smishing (SMS phishing) to trick Android users into installing malware. They distribute it through dropper apps, including a fake Chrome browser and a 4K Sports streaming app.

Cleafy Threat Intelligence reports that no Medusa Trojan dropper has been detected in the Google Play Store at this time. This shows that Google’s security measures are working effectively. Users are safe as long as they do not download or install questionable programs from the Internet, especially from links received in messages from unknown numbers. The safest way is to download applications only from official application stores and official websites of companies.