June 25, 2024 at 01:06PM
The Medusa banking trojan, known as TangleBot, has resurfaced with lighter variants targeting countries in Europe and North America. The new activity involves SMS phishing and uses dropper applications to infect devices. The trojan has minimized its permissions, added new features, and is centralizing its operations for easier control. The recent campaigns aim to exploit the ongoing UEFA EURO 2024 championship. While not yet on Google Play, the trojan is expected to diversify distribution strategies as cybercriminal participation in MaaS grows.
From the meeting notes, the key takeaways are:
– The Medusa banking trojan for Android, also known as TangleBot, has re-emerged after a period of lying low and is now targeting several countries including France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey.
– The recent activity of the trojan involves more compact variants that require fewer permissions and come with new features aimed at initiating transactions directly from the compromised device.
– Cleafy, an online fraud management company, has been tracking the new campaigns and discovered that the recent Medusa variants are lighter and require fewer permissions on the device, and include full-screen overlaying and screenshot capturing.
– The recent Medusa variants have been observed in campaigns using SMS phishing to side-load the malware through dropper applications and have been attributed to five separate botnets (UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY).
– The choice of bait apps, such as the 4K Sports streaming app, seems timely given the ongoing UEFA EURO 2024 championship.
– The new Medusa variant has reduced its footprint on compromised devices and now requires only a small set of permissions while still requiring Android’s Accessibility Services.
– The malware has added new commands and capabilities, such as the ability to uninstall a specific application, request ‘Drawing Over’ permission, set a black screen overlay, take a screenshot, and update user secrets.
– The capability to capture screenshots gives threat actors a new way to steal sensitive information from infected devices.
– Overall, the Medusa mobile banking trojan operation appears to be expanding its targeting scope and becoming stealthier, indicating a potential for more significant deployment and higher victim counts.
These are the main points extracted from the meeting notes. Let me know if you need further details or specific analysis.