This Android banking trojan is spreading by copying the tactics of another malware menace

Medusa Android malware looks towards FluBot for inspiration - and it could result in what researchers describe as a "critical" threat.
Written by Danny Palmer, Senior Writer

Two powerful forms of Android malware are being spread in attacks that share the same infection tactics and delivery infrastructure.

Detailed by cybersecurity researchers at ThreatFabric, the campaigns involve FluBot malware – also known as Cabassous – and another Android banking trojan, Medusa.

FluBot is one of the most notorious forms of Android malware, which steals passwords, bank details and other sensitive information from infected smartphones.


It also gains access to contact books in order to spread itself to other victims via malicious SMS messages, which are often designed to look like an alert about a missed package delivery. FluBot is so prolific that national cybersecurity agencies have issued warnings about it.

The success of FluBot has also been noticed by other cyber criminals, to the extent that those behind Medusa – which is designed to steal sensitive information via keylogging, taking screenshots and collecting data about how the phone is used – have copied its techniques for spreading their malware.

Medusa campaigns have been seen using the same app names, package names and similar icons used in successful FluBot campaigns, including one that delivers links to malware in messages that claim to come from DHL.

But Medusa campaigns don't just look the same as FluBot attacks – they're also being delivered via the same SMS phishing (smishing) service. The malware isn't new; it first emerged in 2020, but the adoption of new tactics could see Medusa become a common threat for Android users.

"Despite the fact that Medusa is not extremely widespread at the moment, we do see an increase in volume of campaigns and a sufficiently greater number of different campaigns," warn ThreatFabric researchers.

While FluBot malware campaigns tend to be restricted to victims in Europe, Medusa is more widespread. The malware initially started out by focusing on Turkey, but now it's also targeting users in North America and Europe.

"Powered with multiple remote access features, Medusa poses a critical threat to financial organisations in targeted regions," said researchers.

However, the additional spread of Medusa doesn't mean that FluBot is about to become any less of an issue. Researchers note that the creators of FluBot continue to add additional functionality, including the ability to replace or interact with app notifications.


This enables the attackers to manipulate applications, allowing them both to direct users towards apps they want to steal information from, and also take control of messaging apps.

Both Medusa and FluBot remain a threat to Android users but there are steps that can be taken in an effort to avoid becoming a victim.

One of those is to remember that it's unlikely any company will ask you to download an application from a direct link, so any unexpected text message asking you to install an app from a link should be regarded with caution. As long as users don't click on the links, they'll avoid infection.
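The advice above amounts to a heuristic: a message that pushes the recipient to install an app from a link, especially one dressed up as a parcel-delivery notice from a brand whose real domain the link does not belong to, is the lure both campaigns rely on. The following is an added example, not code from the article or from ThreatFabric, that applies that heuristic to a handful of constructed SMS messages; the sample senders, message bodies, scoring weights, alert threshold and the single-entry brand allow-list are all illustrative assumptions.

```python
"""Heuristic triage of SMS messages for delivery-themed app-install lures.

Added example for illustration. Scores are assumed weights, not a tuned model;
the point is to show which features of the message the warning is about.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s,;]+", re.IGNORECASE)
DELIVERY_LURE = re.compile(
    r"\b(parcel|package|deliver(y|ed)?|shipment|courier|missed)\b", re.IGNORECASE)
INSTALL_LURE = re.compile(r"\b(install|download|update|app)\b", re.IGNORECASE)

# Illustrative allow-list: if a brand is named in the text, a link should point
# at one of these domains. Extend per brand you care about.
KNOWN_BRAND_DOMAINS = {"dhl": ("dhl.com",)}
ALERT_THRESHOLD = 5  # assumed cut-off for flagging a message


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return self.score >= ALERT_THRESHOLD


def _host_matches(hostname: str, domains) -> bool:
    return any(hostname == d or hostname.endswith("." + d) for d in domains)


def score_sms(sender: str, body: str) -> Verdict:
    """Score one message; higher means more lure-like."""
    v = Verdict()
    urls = URL_RE.findall(body)
    text = URL_RE.sub(" ", body)          # inspect wording separately from links
    lower = text.lower()

    for url in urls:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.path.lower().endswith(".apk"):
            v.score += 4
            v.reasons.append(f"direct APK download link: {url}")
        if parsed.scheme.lower() == "http":
            v.score += 1
            v.reasons.append("link uses plain HTTP")
        for brand, domains in KNOWN_BRAND_DOMAINS.items():
            if brand in lower and not _host_matches(host, domains):
                v.score += 3
                v.reasons.append(f"mentions {brand.upper()} but links to {host}")

    if urls and DELIVERY_LURE.search(text):
        v.score += 1
        v.reasons.append("delivery-themed message carries a link")
    if urls and INSTALL_LURE.search(text):
        v.score += 3
        v.reasons.append("asks to install or download an app via a link")
    if urls and sender.startswith("+"):
        v.score += 1
        v.reasons.append("link sent from an ordinary phone number, not a sender ID")
    return v


def triage(messages):
    """Return (sender, verdict) for every message that crosses the threshold."""
    flagged = []
    for sender, body in messages:
        verdict = score_sms(sender, body)
        if verdict.suspicious:
            flagged.append((sender, verdict))
    return flagged


# Constructed sample messages (hypothetical senders, bodies and domains).
SAMPLE_SMS = [
    ("+447700900001",
     "DHL: your parcel could not be delivered. Track it here: "
     "http://dhl-track.example.invalid/app.apk"),
    ("DHL", "Your shipment 1234 is out for delivery today."),
    ("+905550000002",
     "Missed delivery. Install the courier app to reschedule: "
     "https://short.example.invalid/x9"),
    ("Mum", "Can you pick up milk on the way home?"),
]

if __name__ == "__main__":
    for sender, verdict in triage(SAMPLE_SMS):
        print(f"{sender}: score {verdict.score}")
        for reason in verdict.reasons:
            print(f"  - {reason}")
```

Note that the third sample crosses the threshold without any `.apk` in the link: the install wording plus the delivery theme and an unknown number is enough, which mirrors the article's point that the ask itself, not the link's appearance, is the warning sign. The second sample names the brand but carries no link, so nothing fires.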
