A new variant of the Android banking trojan Medusa [3] [4] [6] [7], now known as TangleBot [1] [2] [3] [6] [8], has emerged targeting users in several countries [1]. This updated version poses a significant threat to users’ financial security and privacy.

Description

The latest Medusa variant [1], TangleBot [1] [2] [3] [6] [8], is targeting users in Canada [2] [3] [4] [7] [8], France [1] [2] [3] [4] [5] [6] [7] [8], Italy [1] [2] [3] [4] [5] [6] [7] [8], Spain [1] [2] [3] [4] [5] [6] [7] [8], Turkey [1] [2] [3] [4] [5] [6] [7] [8], the UK [2] [3] [4] [5] [6] [7] [8], and the US [2] [3] [4] [7] [8]. The new variants are more dangerous than their predecessors [1]: they can initiate transactions directly on the compromised Android device [1], and they combine keylogging, screen controls [1] [5] [6], SMS message reading [6], call recording, and unauthorized fund transfers carried out through overlay attacks [2] [5] [8].

Medusa [1] [2] [3] [4] [5] [6] [7] [8], also known as TangleBot [1] [2] [3] [6] [8], has evolved to request a lighter set of device permissions [1] [6] [8], a reduction intended to evade detection [8], while adding full-screen overlay displays [1] [2] [3] [6] [7] [8], screenshot capturing [1], and remote application uninstallation [3] [6]. It keeps its permission footprint small by exploiting the Android accessibility services API, and it uses black screen overlays for phishing attacks [5]. Its RAT capabilities provide real-time screen sharing and control of compromised devices [6], which the operators use for account takeover and fraudulent fund transfers [6] and which give the threat actor remote access to the victim's personal and private information [5]. The trojan is distributed through dropper apps and fake updates [2] [8].

Medusa has expanded into new regions such as Italy and France [2] [5] [7] [8], diversifying its victim pool and attack surface [2] [3] [7] [8]. Alongside it, other Android malware such as Cerberus and SpyMax is being distributed through fake Chrome browser updates and bogus Telegram apps [2] [7] [8], compromising user privacy and data integrity [2] [7] [8]. According to cybersecurity firm Cleafy's analysis [4], the new fraud campaigns were observed in May 2024, have been active since July 2023, and are operated through five different botnets by various affiliates [4]. The evolving nature of Medusa underscores the need for cybersecurity experts to remain vigilant against emerging threats [6].
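The capability pattern described above (an accessibility service doing the heavy lifting so that the manifest declares only a handful of permissions, plus an overlay permission for phishing screens and, for droppers, the ability to install further packages) can be turned into a simple manifest triage heuristic. The following is an added example written for this page, not code from the cited reports or from Cleafy; the scoring thresholds are the example's own choices, and the two sample manifests and their package names are constructed for illustration.

```python
"""Heuristic triage of Android manifests for the permission pattern described
above: an accessibility service combined with overlay, SMS or package-install
permissions while the overall permission set stays small.  Sample manifests
are constructed for this example; package names are fictitious."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"
OVERLAY = "android.permission.SYSTEM_ALERT_WINDOW"
INSTALL = "android.permission.REQUEST_INSTALL_PACKAGES"
SMS = {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"}


def _attr(element, name):
    """Read an attribute from the android: namespace."""
    return element.get(f"{{{ANDROID_NS}}}{name}")


def manifest_features(xml_text):
    """Extract the declared permission set and whether any <service> is bound
    as an accessibility service (the hook that grants screen reading/control)."""
    root = ET.fromstring(xml_text)
    permissions = {
        name for name in (_attr(e, "name") for e in root.iter("uses-permission")) if name
    }
    accessibility = any(
        _attr(svc, "permission") == ACCESSIBILITY_BIND for svc in root.iter("service")
    )
    return {
        "package": root.get("package"),
        "permissions": permissions,
        "accessibility_service": accessibility,
    }


def triage(xml_text):
    """Return (score, reasons).  Accessibility services are legitimate in many
    apps, so the score only grows when the service is paired with capabilities
    that enable overlay phishing, SMS interception or dropping further packages."""
    f = manifest_features(xml_text)
    perms = f["permissions"]
    score, reasons = 0, []
    if f["accessibility_service"]:
        if OVERLAY in perms:
            score += 3
            reasons.append("accessibility service + overlay permission (overlay phishing capable)")
        if perms & SMS:
            score += 2
            reasons.append("accessibility service + SMS access (message interception capable)")
        if INSTALL in perms:
            score += 2
            reasons.append("accessibility service + package installation (dropper behaviour)")
        # The "lightweight permissions" pattern: capability comes from the
        # accessibility service rather than from declared permissions, so the
        # manifest looks innocuous.  Threshold of 4 is this example's choice.
        if score and len(perms) <= 4:
            score += 1
            reasons.append("minimal permission set despite accessibility-driven capabilities")
    return score, reasons


# Constructed sample manifests (fictitious package names).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        score, reasons = triage(manifest)
        print(manifest_features(manifest)["package"], score, reasons)
```

The heuristic is deliberately a triage aid rather than a verdict: a screen reader or automation tool will also bind an accessibility service, so the score is meant to prioritise samples for analyst review, not to block installs on its own.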

Conclusion

The emergence of TangleBot highlights the increasing sophistication of Android banking trojans and the need for enhanced cybersecurity measures. Users should be cautious of suspicious apps and updates, and regularly update their devices to protect against such threats. Cybersecurity experts must continue to monitor and analyze evolving malware like Medusa to develop effective countermeasures and protect users from financial fraud and privacy breaches.

References

[1] https://www.purevpn.com/blog/news/medusa-banking-trojan-resurfaces-targets-android-users-in-multiple-countries/
[2] https://www.hacking.reviews/2024/06/new-medusa-android-trojan-targets.html
[3] https://www.aroged.com/2024/06/26/new-versions-of-the-medusa-android-banking-trojan-are-spreading-around-the-world/
[4] https://github.com/SecOpsNews/news/issues/30415
[5] http://devbytes.co.in/news/new-medusa-trojan-variants-are-targeting-android-users-in-7-countries-1
[6] https://www.techworm.net/2024/06/medusa-android-trojan-variant-bank.html
[7] https://thehackernews.com/2024/06/new-medusa-android-trojan-targets.html
[8] https://www.toddpigram.com/2024/06/new-medusa-android-trojan-targets.html