Android Banking Trojan Spreading by Imitating Methods Used by Another Malware Threat

Two potent kinds of Android malware are being distributed in cyberattacks using the same infection methods and delivery infrastructure. According to cybersecurity researchers at ThreatFabric, operations involve FluBot malware (aka Cabassous) and an Android banking trojan called Medusa. 

FluBot is a well-known Android malware that steals passwords, bank account information, and other sensitive data from affected smartphones. It also acquires access to contact books to disseminate itself to additional victims via malicious SMS messages typically disguised as a missed product delivery notification. FluBot has become so widespread that even national cybersecurity authorities have issued alerts.

Other cybercriminals have taken notice of FluBot’s success, to the point that those behind Medusa, which is meant to capture sensitive information via keylogging, screenshots, and data about how the phone is used, have imitated its strategies for distributing their malware.

Medusa efforts have been observed employing the same program names, package names, and similar symbols as successful FluBot operations, including one that sends malware URLs in messages ostensibly from DHL. But Medusa campaigns aren’t simply similar to FluBot attacks in appearance; they’re also delivered using the same SMSishing service. Although the malware isn’t new (it first appeared in 2020), innovative methods might make Medusa a widespread danger for Android users.

“Despite the fact that Medusa is not extremely widespread at the moment, we do see an increase in volume of campaigns and a sufficiently greater number of different campaigns,” warn ThreatFabric researchers.

While most FluBot malware attacks target victims in Europe, Medusa has a far broader reach. The malware began by targeting people in Turkey, but it has since expanded to include North American and European nationals. Researchers said that Medusa, which has many remote access features, poses a severe danger to financial institutions in targeted countries.

The increased distribution of Medusa does not mean that FluBot is becoming any less of a problem. According to the researchers, FluBot’s authors are still adding new features, such as the ability to alter or interact with app notifications. This lets attackers tamper with apps, steering users toward the apps they want to steal information from and taking control of chat apps.

Both Medusa and FluBot continue to pose a threat to Android users, but some steps can be taken to reduce the risk of becoming a victim. The first is to remember that no legitimate organization will urge you to install an application through a direct link, so any unexpected text message asking you to do so should be treated with suspicion. Users who do not click on such links will avoid infection.

About the author

CIM Team

CyberIntelMag is the trusted authority in cybersecurity, comprised of leading industry experts for over 20 years, dedicated to serving cybersecurity professionals. Our goal is to provide a one-stop shop for knowledge and insight needed to navigate throughout today’s emerging cybersecurity landscape through in-depth coverage of breaking news, tutorials, product reviews, videos and industry influencers.