Medusa malware ramps up Android SMS phishing attacks
Medusa malware ramps up Android SMS phishing attacks
By Bill Toulas
February 7, 2022 11:38 AM 0
Android malware
The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud.
Today, researchers at ThreatFabric have published a new report detailing the latest tricks employed by the Medusa malware and how it continues to evolve with new features.
Medusa on the rise
Medusa (aka TangleBot) is not a novel banking trojan, but it has seen increased distribution, with campaigns now targeting North America and Europe using the same distribution service as the notorious FluBot malware.
BleepingComputer previously reported that the Medusa and FluBot trojans had previously used 'duckdns.org,' a free dynamic DNS abused as a delivery mechanism, so this is not the first sign of overlap between the two.
In a new report by ThreatFabric, researchers have discovered that MedusaBot is now using the same service as FluBot to perform smishing (SMS phishing) campaigns.
"The samples seen in side-by-side campaigns with Cabassous are identified by the actors themselves with the tags FLUVOICE, FLUFLASH and FLUDHL (possibly as a reference to the corresponding Cabassous/Flubot campaigns)," ThreatFabric explains in their report.
The researchers believe that the Medusa threat actors began using this distribution service after seeing how widely spread and successful FluBot's campaigns had become.
Medusa's main strength lies in its abuse of the Android 'Accessibility' scripting engine, which enables actors to perform various actions as if they were the user.
These actions are:
home_key – Performs HOME global action
ges – Executes a specified gesture on the screen of the device
fid_click – Clicks on the UI element with the specified ID
sleep – Sleeps (waits) for the specified number of microseconds
recent_key – Shows overview of the recent apps
scrshot_key – Performs TAKE_SCREENSHOT global action
notification_key – Opens the active notifications
lock_key – Locks the screen
back_key – Performs BACK global action
text_click – Clicks on the UI element that has specified text displayed
fill_text – Not implemented yet
All in all, it’s a highly capable banking trojan with keylogging features, live audio and video streaming, remote command execution options, and more.
Manual input field changing
Manual input field changing
Source: ThreatFabric
ThreatFabric was able to gain access to the malware's backend administration panel and found that its operators can edit any field on any banking app running on the device. This feature allows the malware to target almost any banking platform with fake phishing login forms to steal credentials.
Source: ThreatFabric
The malware is commonly distributed spoofed DHL or Purolator apps, but the researchers also saw packages masquerading as Android Update, Flash Player, Amazon Locker, and Video Player.
Fake DHL APKs all containing Medusa
Fake DHL APKs containing Medusa or Flubot (Cabassous)
Source: ThreatFabric
These APKs are manually installed by the victims themselves, who receive an SMS message with a URL leading to a site pushing the malicious Android app.
To prevent being infected by these malware infections, always treat strange URLs sent from your contact list as untrustworthy as they may have been sent by malware on the senders' device.
As always, do not, under any circumstance, download APKs from unknown websites, as they invariably lead to malware infections.
By Bill Toulas
February 7, 2022 11:38 AM 0
Android malware
The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud.
Today, researchers at ThreatFabric have published a new report detailing the latest tricks employed by the Medusa malware and how it continues to evolve with new features.
Medusa on the rise
Medusa (aka TangleBot) is not a novel banking trojan, but it has seen increased distribution, with campaigns now targeting North America and Europe using the same distribution service as the notorious FluBot malware.
BleepingComputer previously reported that the Medusa and FluBot trojans had previously used 'duckdns.org,' a free dynamic DNS abused as a delivery mechanism, so this is not the first sign of overlap between the two.
In a new report by ThreatFabric, researchers have discovered that MedusaBot is now using the same service as FluBot to perform smishing (SMS phishing) campaigns.
"The samples seen in side-by-side campaigns with Cabassous are identified by the actors themselves with the tags FLUVOICE, FLUFLASH and FLUDHL (possibly as a reference to the corresponding Cabassous/Flubot campaigns)," ThreatFabric explains in their report.
The researchers believe that the Medusa threat actors began using this distribution service after seeing how widely spread and successful FluBot's campaigns had become.
Medusa's main strength lies in its abuse of the Android 'Accessibility' scripting engine, which enables actors to perform various actions as if they were the user.
These actions are:
home_key – Performs HOME global action
ges – Executes a specified gesture on the screen of the device
fid_click – Clicks on the UI element with the specified ID
sleep – Sleeps (waits) for the specified number of microseconds
recent_key – Shows overview of the recent apps
scrshot_key – Performs TAKE_SCREENSHOT global action
notification_key – Opens the active notifications
lock_key – Locks the screen
back_key – Performs BACK global action
text_click – Clicks on the UI element that has specified text displayed
fill_text – Not implemented yet
All in all, it’s a highly capable banking trojan with keylogging features, live audio and video streaming, remote command execution options, and more.
Manual input field changing
Manual input field changing
Source: ThreatFabric
ThreatFabric was able to gain access to the malware's backend administration panel and found that its operators can edit any field on any banking app running on the device. This feature allows the malware to target almost any banking platform with fake phishing login forms to steal credentials.
Source: ThreatFabric
The malware is commonly distributed spoofed DHL or Purolator apps, but the researchers also saw packages masquerading as Android Update, Flash Player, Amazon Locker, and Video Player.
Fake DHL APKs all containing Medusa
Fake DHL APKs containing Medusa or Flubot (Cabassous)
Source: ThreatFabric
These APKs are manually installed by the victims themselves, who receive an SMS message with a URL leading to a site pushing the malicious Android app.
To prevent being infected by these malware infections, always treat strange URLs sent from your contact list as untrustworthy as they may have been sent by malware on the senders' device.
As always, do not, under any circumstance, download APKs from unknown websites, as they invariably lead to malware infections.