Sinister Medusa Banking Trojan Targeting Android Is Back And More Stealthy

Medusa holding an Android phone
A nasty banking trojan is taking aim at Android users in the United States and half a dozen other countries. It goes by two names, Medusa and TangleBot, but whatever you call it, the cause for concern is that this is a more nimble version, tougher to detect than the one that wreaked havoc before seemingly going dark a year ago. Its discovery comes on the heels of a RAT-based malware strain called Rafel targeting Android users.

While the Medusa trojan itself kept a low profile over the past year after first emerging in 2020, the malware's author(s) apparently stayed busy updating it to have a smaller footprint that requires fewer permissions. According to Cleafy, the cybersecurity firm that detected the new variant, the "significant changes" and latest optimizations may be intended to widen the malware's reach to "unexplored geographical regions."

Here's a look at how the permissions from the original and updated campaigns compare to one another...

Permissions comparison from the original and more recent Medusa trojan malware on Android.
Source: Cleafy

"By reducing the number of permissions, the malware becomes less conspicuous during initial analysis, potentially bypassing automated security checks and manual inspections. This stealthier approach can significantly lower detection rates, allowing the malware to persist undetected for extended periods," Cleafy states.

A deep dive into the malware revealed that the author(s) removed no fewer than 17 commands from the original variant. This makes the malware harder to detect and increases its overall stealthiness. At the same time, however, the latest build added five brand new permissions, giving it enhanced capabilities such as taking screenshots and uninstalling specific applications (security software, presumably).

Another new trick is the ability to set a black screen overlay.

"While the exact purpose remains under investigation, this functionality presents a potential threat: by obscuring the underlying screen content, the attacker can use this overlay to mask other malicious activities," Cleafy says.

Despite losing 17 permissions, all of the original variant's capabilities remain intact, alongside several new ones. So in essence, the latest Medusa variant is lighter-weight, tougher to detect, and more sinister. The silver lining, at least for now, is that there is no evidence to suggest that Medusa has infiltrated any apps in Google's Play Store.
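Cleafy's point above is that a shorter permission list slips past triage that judges an APK by how much it asks for, while the dangerous capabilities (overlays, uninstalling apps, acting on other apps' screens) survive the trim. The script below is an added example written for this article, not code from Cleafy or from the malware; it parses two constructed AndroidManifest.xml fragments and compares a naive "too many permissions" heuristic with a capability-weighted one. The permission names are standard Android permissions, but the weights, thresholds and both manifests are assumptions built for the illustration, not a description of Medusa's actual manifest.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capability-weighted permissions. Assumption: illustrative scores chosen for this
# example; they are not taken from Cleafy's report and not a list of Medusa's permissions.
CAPABILITY_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": ("read and act on other apps' screens", 4),
    "android.permission.SYSTEM_ALERT_WINDOW": ("draw overlays on top of other apps", 3),
    "android.permission.RECEIVE_SMS": ("see incoming SMS, e.g. one-time codes", 3),
    "android.permission.REQUEST_DELETE_PACKAGES": ("prompt the user to uninstall apps", 2),
    "android.permission.REQUEST_INSTALL_PACKAGES": ("side-load further packages", 2),
}
COUNT_THRESHOLD = 10      # naive heuristic: flag apps that ask for "a lot"
CAPABILITY_THRESHOLD = 6  # capability heuristic: flag a dangerous combination

# Constructed manifest 1: a bulky, noisy permission set (13 effective permissions).
BULKY_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.bulky">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.WAKE_LOCK"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

# Constructed manifest 2: slimmed down to 5 effective permissions, capabilities kept.
SLIM_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed.slim">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".A11y"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""


def extract_permissions(manifest_xml):
    """Return the effective permission set declared by a manifest.

    Accessibility access is not requested with <uses-permission>; it shows up as a
    <service> protected by BIND_ACCESSIBILITY_SERVICE, so both places are checked.
    """
    root = ET.fromstring(manifest_xml)
    perms = set()
    for el in root.iter("uses-permission"):
        name = el.get(ANDROID_NS + "name")
        if name:
            perms.add(name)
    for svc in root.iter("service"):
        if svc.get(ANDROID_NS + "permission") == "android.permission.BIND_ACCESSIBILITY_SERVICE":
            perms.add("android.permission.BIND_ACCESSIBILITY_SERVICE")
    return perms


def capability_score(perms):
    """Sum the weights of the high-impact permissions present."""
    return sum(weight for perm, (_, weight) in CAPABILITY_WEIGHTS.items() if perm in perms)


def triage(manifest_xml):
    """Return (permission_count, count_flag, capability_score, capability_flag)."""
    perms = extract_permissions(manifest_xml)
    score = capability_score(perms)
    return len(perms), len(perms) >= COUNT_THRESHOLD, score, score >= CAPABILITY_THRESHOLD


if __name__ == "__main__":
    for label, manifest in (("bulky", BULKY_MANIFEST), ("slim", SLIM_MANIFEST)):
        count, count_flag, score, cap_flag = triage(manifest)
        print(f"{label:5s} perms={count:2d} count-heuristic={count_flag!s:5s} "
              f"capability-score={score:2d} capability-heuristic={cap_flag}")
        for perm, (what, _) in CAPABILITY_WEIGHTS.items():
            if perm in extract_permissions(manifest):
                print(f"       {perm.rsplit('.', 1)[1]}: {what}")
```

Running it, the bulky manifest trips both heuristics, while the slim one passes the count check with only five permissions yet still scores above the capability threshold because overlay drawing, uninstall prompting and accessibility access are all present. That is the gap Cleafy describes: review what a permission set lets the app do, not how long the list is.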

Top image generated with Microsoft Copilot and Photoshop generative fill