Android banking trojan evolves to evade detection and strike globally

Android banking trojan evolves to evade detection and strike globally

The Medusa banking trojan is back and more dangerous than ever

by Kurt Knutsson

Android banking trojan Medusa has returned after almost a year-long hiatus and is now even more dangerous. The new variant of the trojan is lightweight and requests fewer device permissions to avoid detection.

First identified in 2020, Medusa is a Turkish-linked banking trojan that initially targeted Turkish financial institutions. It expanded rapidly by 2022, launching major campaigns in North America and Europe, causing significant monetary harm. Medusa’s new variant is now targeting Android users across the globe, including those located in the US, Canada, Spain, France, Italy, the UK, and Turkey.

 

How does the Medusa Android trojan evade detection?

Since July 2023, Medusa attacks are back with a new version. Cybersecurity experts from Cleafy found a spike in the number of installs of an app called “4K Sports.” This app is being used by hackers to put malware on people’s Android phones. The new malware is an upgraded Medusa with big changes in how it works.

It asks for fewer permissions, making it sneakier. It still requests Accessibility Services, which is a big red flag. Android’s Accessibility Service is a powerful tool that helps people with disabilities use mobile devices more easily. When you grant an app Accessibility permissions, you’re essentially giving it the ability to do whatever it wants on your phone.

Cybercriminals are aware of this, so most malware that infects your phone will ask for Accessibility permissions. You should be immediately suspicious when an app requests permissions in this area. Medusa’s new variant also requests Broadcasting SMS, Internet Foreground Service, and Package Management permissions.

The Android trojan now has 17 fewer commands than before but adds five new ones, like setting a black screen overlay, taking screenshots, and more.

Cleafy reveals that hackers are using not only the 4K Sports app to install Medusa but also fake apps like Google Chrome, InatTV, Purolator, and 5G. In the US, Chrome, InatTV, and Purolator are the main apps being misused by these hackers.

A person using smartphone

BEST ANTIVIRUS FOR ANDROIDS – CYBERGUY PICKS 2024

 

What is the scale of the Medusa cyberattack?

Medusa is going after people all over the world, including the US and Europe. Cleafy found two different Medusa botnet groups, each working in its own way.

The first group, with botnets named AFETZEDE, ANAKONDA, PEMBE, and TONY, mainly targets people in Turkey but also hits Canada and the US. They use Medusa’s usual tricks, like phishing, to spread the malware.

The second group, including the UNKN botnet, shows a change in Medusa’s strategy. It mainly targets European users, especially in Italy and France. Unlike the usual variants, some of these new ones were installed through apps downloaded from untrusted sources. This means the hackers are trying new ways to spread the malware beyond the usual phishing tactics.

A person using computer

 

ANDROID BANKING TROJAN MASQUERADES AS GOOGLE PLAY TO STEAL YOUR DATA

 

10 ways you can protect yourself from the Android banking trojan

While a trojan is hard to detect and can be dangerous once it enters your phone, there are several things you can do to protect your data.

1) Be cautious of phishing attempts: Be vigilant about emails, phone calls, or messages from unknown sources asking for personal information. Avoid clicking on suspicious links or providing sensitive details unless you can verify the legitimacy of the request.

2) Have strong antivirus software: Android has its own built-in malware protection called Play Protect, but it’s not enough to stop all malicious software. Historically, Play Protect hasn’t been 100% foolproof at removing all known malware from Android phones. The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams.

My top pick is TotalAV, and you can get a limited-time CyberGuy readers: $19 your first year (80% off) for the TotalAV Antivirus Pro package.  

Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android & iOS devices.

Best Antivirus Protection 2024

3) Download apps from reliable sources: It’s important to download apps only from trusted sources like the Google Play Store. They have strict checks to prevent malware and other harmful software. Avoid downloading apps from unknown websites or unofficial stores, as they can pose a higher risk to your personal data and device.

4) Use an identity theft protection service: Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number, and email address and alert you if it is being sold on the dark web or being used to open an account.  They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals.

My top recommendation is Identity Guard. One of the best parts of using Identity Guard is that they might include identity theft insurance of up to 1 million dollars to cover losses and legal fees and a white glove fraud resolution team where a US-based case manager helps you recover any losses.

CyberGuy’s Exclusive Offer: Get the Identity Guard Ultra protection to protect your identity and credit through tax season and beyond for as little as $9.99/mo (lowest offered anywhere) for the first year. 

See my tips and best picks on how to protect yourself from identity theft.

Best identity theft protection services 2024

5) Monitor your accounts: If you think you have been affected by the banking trojan, regularly review your bank statements, credit card statements, and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company.

6) Enable SMS notifications for your bank accounts: By enabling SMS notifications, you can monitor your accounts for any unauthorized transactions.

7) Set up two-factor authentication (2FA)2FA is an extra shield that prevents hackers from accessing your accounts.

8) Use a password manager: A password manager can help you create and store strong, unique passwords for all your accounts, reducing the risk of password theft.

9) Regularly update your device’s operating system and apps: Keeping your software up to date is crucial, as updates often include security patches for newly discovered vulnerabilities that could be exploited by trojans.

10) Be wary of granting permissions: Carefully review the permissions requested by apps. If an app asks for more access than it needs for its functionality, it could be a red flag.

 

ANDROID USERS AT RISK AS BANKING TROJAN TARGETS MORE APPS

 

Kurt’s key takeaways

Hackers behind Medusa have made the malware hard to detect. They use apps that look legitimate to get the malware onto your phone and steal your personal data and sometimes your money. As a rule of thumb, only download apps from the Google Play Store. Google ensures it only allows secure apps on its platform and is safer than any other app store.

What are your thoughts on the increasing sophistication of mobile malware like the Medusa trojan, and how do you think the cybersecurity industry should respond? Let us know in the comments below. 

FOR MORE OF MY SECURITY ALERTS, SUBSCRIBE TO MY FREE CYBERGUY REPORT NEWSLETTER HERE

 

 

Copyright 2024 CyberGuy.com.  All rights reserved.  CyberGuy.com articles and content may contain affiliate links that earn a commission when purchases are made.


   

Leave a Comment

GET MY FREE CYBERGUY REPORT
Subscribe to receive my latest Tech news, security alerts, tips and deals newsletter. (We won't spam or share your email with anyone else.)

By signing up, you agree to our Terms of Service and Privacy Policy. You may unsubscribe at any time.

Tips to avoid our newsletters going to your junk folder