Medus Malware now distributed via Flubot Android distribution network

Android banking trojans Flubot and Medusa spreading through the simultaneous attack campaign

Medusa Android trojan on the riseMedusa has multiple botnets for every campaign and now is delivered side-by-side FluBot

Researchers report that the banking trojans are now relying on the same delivery vehicle. The side-by-side infection campaign was facilitated via the SMS phishing infrastructure.[1] These Android infections have been virally spreading for a year now, and the newest addition – Medusa, as other trojans has spyware and RAT capabilities.[2] This means that high-volume campaigns should be expected.[3]

Researchers report this “marriage” and state that powerful mobile trojans can be distributed widely and quickly. In less than a month this approach of spreading the threat resulted in at least 1500 infected devices. In some of the campaigns, the name of the DHL service gets used to trick people into allowing the drop of the malware.

The campaign is still ongoing:

Medusa has multiple botnets for every campaign, such as DHL or Flash Player, so we expect the numbers to be much higher and very close to what we are observing with Cabassous.

Medusa is becoming more active and extremely dangerous

This trojan is also known as TangleBot. The banking malware has been spread more widely, and these campaigns spread around North America, Europe with the help of the distribution service that FluBot malware uses for a while. Samples seen in these side-by-side campaigns show the addition to the network after the success of the Android spyware distribution waves.

Medusa trojan is a dangerous malware due to the Android scripting engine that allows threat actors releasing this virus to achieve various goals and perform different activities on the machines. The threat can:

  • execute gestures on the screen;
  • take screenshots;
  • deliver notifications;
  • lock the screen;
  • open home page;
  • display text;
  • log keystrokes;
  • stream video or audio live from the machine;
  • execute any options.

The threat can edit any fields on the banking application that runs on the machine. This is how trojan can target banking platforms and steal login credentials vis those phishing messages.[4] These campaigns usually use altered DHL or Purolator applications. Some campaigns show the usage of Flash player, Amazon Locker, Video Player too.

The focus of campaigns is expanding

These malware-laced apps were used in these campaigns aiming mainly at users in Turkey. Now the main target becomes Canada and United States. The Cabassous, aka FluBot, also now has the ability to intercept and manipulate notifications from particular applications. Android malware focuses on banking programs and the direct actions on those apps can be leveraged.

The threat can possibly reply to messages, spread phishing links via messaging applications and act more like a worm-type infection.[5] These functions allow attackers to provide responses to those notifications and lead to fraudulent logins to banking apps and transactions on behalf of the victim behind their back.

Unfortunately, the success of these campaigns is admired by other threat creators. Distribution tactics, masquerading techniques, other code features, and distribution service features get adopted by criminals creating similar threats for mobile devices.

The FluBot/ Cabassous is evolving too, and new features make the malware more and more advanced, dangerous, sophisticated. The evolution of such malware shows that the security measures need to also get to the next level. Two-factor-authentication techniques might not be good enough to ensure the transactions on such apps.

About the author
Gabriel E. Hall
Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions