
Experts Warn of the Resurgence of Medusa Android Banking Trojan

Experts have detected the reappearance of the Medusa Android Banking Trojan and are warning users. Be cautious with your banking transactions!

According to experts, the Android banking trojan Medusa, which had been absent for about a year, has reappeared in a new and improved version. Cybersecurity researchers at Cleafy are drawing attention to this new version of Medusa, which is widely used in many countries around the world and heavily utilized by various threat actors.

Researchers noted that the recently popular “4K Sports” application contains the new version of Medusa. Investigations revealed that this new version requests fewer permissions compared to previous ones, making it harder to detect. However, the application still requests access to Accessibility Services. Additionally, while 17 commands were removed in the new Medusa version, five new commands have been added. In this new version, five different botnets named UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY were identified, and these botnets are mainly active in countries such as Canada, Spain, France, Italy, the UK, the US, and Turkey.

Researchers mentioned that the botnets use droppers to spread Medusa. The malware has not appeared on the Google Play Store so far, which makes it harder to spread, but researchers warned that it could still reach hundreds of thousands of downloads through channels such as private websites, social media, and phishing.

Medusa is a sophisticated type of malicious software that targets financial institutions and aims to facilitate banking fraud. It first emerged in 2020, targeting Turkish financial institutions. Medusa should not be confused with ransomware or Mirai-based botnets.
