Medusa Android malware returns to target users around the world — here's how to stay safe

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock) (Image credit: Shutterstock)

Medusa, an Android banking trojan that had been laying low for roughly a year now, has made a fresh appearance, experts have warned

A new, lightweight Medusa variant has been seen being used by multiple threat actors, and targeting victims in numerous countries around the world, noted cybersecurity researchers from Cleafy.

In their report, the researchers said they recently observed a surge in installations of a new app called “4K Sports”. Subsequent investigation determined the app to be an evolution of Medusa, with significant changes in its command infrastructure and capabilities.

Expanding targets

Most notably, the new variant requests fewer permissions, making it less detectable. It still asks for Accessibility Services, which should always be a red flag. Other notable mentions include Broadcasting SMS, Internet Foreground Service, and Package Management.

In total, 17 commands were nixed, and five new ones introduced, including setting a black screen overlay, taking screenshots, and more.

Five different botnets, each with unique operational goals and geographical targets, were identified using the new Medusa. These are called UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY, and their targets were mostly located in Canada, Spain, France, Italy, the UK, the US, and Turkey.

To distribute Medusa, the botnets are most likely using droppers, the researchers said. However, the droppers have not yet been found on the Google Play Store, which significantly reduces its reach. However, dedicated websites, social media channels, phishing, and other methods, are still viable and can still result in hundreds of thousands of downloads. 

Not to be confused with the ransomware, or the Mirai-based botnet of the same name, the Medusa banking trojan is a sophisticated piece of malware primarily designed to target financial institutions and facilitate banking fraud. It was first identified in 2020, targeting Turkish financial institutions. By 2022, Medusa had launched major campaigns in North America and Europe.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.