Cleafy researchers have uncovered new fraud campaigns involving the Medusa banking Trojan, also known as TangleBot [1], which has resurfaced after nearly a year of evading detection [1].


The malware family has changed significantly. Its remote access Trojan (RAT) capabilities now include keylogging [1], screen control [1], and SMS reading and writing [1], which let operators carry out on-device fraud (ODF) [1], a particularly dangerous form of banking fraud because the fraudulent transaction is initiated from the victim's own, already-authenticated device rather than from an attacker-controlled one.

The latest variants target Android users in the US, UK, and Canada [2] [3], France [2] [4], Italy [2] [4], Spain [2], and Turkey [2]. They request fewer permissions than earlier builds and add the ability to take screenshots [3], draw over other apps and display full-screen overlays for fraud on the compromised device [3], set a black screen overlay that hides the operator's activity from the user [3], uninstall apps, and abuse Android's Accessibility Services [2], which makes them more effective at stealing sensitive information and broadens the pool of Android users at risk.

Cleafy has identified five botnets operated by affiliates [1], each targeting a different region and using its own decoys [1]. Distribution has shifted to SMS phishing (smishing) campaigns and dropper apps, with some campaigns attributed to specific botnets [3].

The malware coordinates its functions over a secure WebSocket connection to the attackers' infrastructure [1], and it fetches the command-and-control (C2) server URL dynamically from public social media profiles on Telegram and X (formerly Twitter) [1]. Because no fixed C2 address has to be embedded in the sample, the operators can repoint the botnet by updating a profile, which makes the infrastructure resilient to takedown attempts [1]; together with the reduced permission footprint, this lets the latest variant evade detection and operate unnoticed for longer [1].

The combination of reduced permissions [1], geographical diversification [1], and more sophisticated distribution methods [1] means that cyber-security experts and anti-fraud analysts must keep adapting their defenses to these emerging threats [1]. Cleafy's Threat Intelligence team has also observed a surge in installations of a new app called "4K Sports," potentially linked to the Medusa family [1] [2] [3] [4]. Medusa is a Turkish-linked banking Trojan [4] that has evolved significantly since 2020 [4] and expanded its reach globally [4]. It gives attackers complete control over compromised devices [4], enabling on-device fraud and dynamic overlay attacks [4]. Its C2 URL is fetched from public social media profiles for added obfuscation [4]. Recent campaigns show a shift in TTPs and in targeted countries [4], with two distinct botnet clusters identified [4]. The latest variant's lightweight approach, minimising permissions to evade detection, has accompanied its expansion into new regions such as Italy and France [4], and the adoption of droppers as a distribution method signals a further evolution in Medusa's capabilities [4] that calls for continued monitoring and analysis by cyber-security experts [4].
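The dead-drop resolver pattern described above, in which the bot extracts its C2 URL from the text of a public social media profile, as an added Python illustration. This is not code from the Cleafy report and does not reproduce Medusa's actual encoding, markers or profile handles: the "||" delimiters, the base64 encoding, and the profile bios are assumptions constructed for the example. It shows why the scheme resists takedown (the operator repoints every bot by editing a single bio) and how a defender who has identified the resolver profiles can watch them for rotation.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed sample profile bios (hypothetical handles, not real accounts).
# The C2 URL is hidden between "||" markers as base64; both the marker and
# the encoding are assumptions for this example, not Medusa's real scheme.
SAMPLE_PROFILES = {
    "telegram:@example_channel": "Daily sports highlights! ||aHR0cHM6Ly9jMi5leGFtcGxlLm5ldC93cw==||",
    "x:@example_user": "just here for the memes",
    "x:@another_user": "contact ||bm90LWEtdXJs|| for business",
}

MARKER_RE = re.compile(r"\|\|([A-Za-z0-9+/=]{8,})\|\|")


def extract_candidates(text):
    """Decode every marker-delimited base64 token found in a profile bio."""
    candidates = []
    for token in MARKER_RE.findall(text):
        try:
            candidates.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (ValueError, UnicodeDecodeError):
            continue  # not valid base64/UTF-8: treat it as ordinary bio text
    return candidates


def is_plausible_c2(value):
    """Accept only absolute https:// or wss:// URLs (the bot talks over a secure WebSocket)."""
    parsed = urlparse(value)
    return parsed.scheme in ("https", "wss") and bool(parsed.netloc)


def resolve_c2(profiles):
    """Bot side: walk the profiles in order and return (profile, url) for the first usable C2."""
    for profile, bio in profiles.items():
        for candidate in extract_candidates(bio):
            if is_plausible_c2(candidate):
                return profile, candidate
    return None  # every resolver profile is down or empty: the bot has no C2


def encode_dead_drop(url):
    """Operator side: produce the bio fragment that publishes a new C2 URL."""
    return "||" + base64.b64encode(url.encode("utf-8")).decode("ascii") + "||"


def detect_rotation(profiles, known_c2):
    """Defender side: return (profile, url) pairs published on watched profiles but not yet in known_c2."""
    new = []
    for profile, bio in profiles.items():
        for candidate in extract_candidates(bio):
            if is_plausible_c2(candidate) and candidate not in known_c2:
                new.append((profile, candidate))
    return new


if __name__ == "__main__":
    print("initial C2:", resolve_c2(SAMPLE_PROFILES))
    # Simulate a takedown of the first C2: the operator edits one bio and every bot follows.
    rotated = dict(SAMPLE_PROFILES)
    rotated["telegram:@example_channel"] = "Daily sports highlights! " + encode_dead_drop(
        "wss://c2-backup.example.net/ws"
    )
    print("after rotation:", resolve_c2(rotated))
    print("defender alert:", detect_rotation(rotated, {"https://c2.example.net/ws"}))
```

The defender-side function is the useful part of this for an analyst: once sandbox analysis has revealed which profiles a sample polls, a periodic job that runs `detect_rotation` over their current bios surfaces a new C2 at the moment the operator publishes it, before the bots themselves have all re-resolved. Blocking only the URL seen at analysis time does nothing against this scheme; blocking or reporting the resolver profiles does.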


Medusa's evolving tactics and capabilities pose a significant threat to Android users worldwide, and cyber-security experts must keep adapting their defenses to counter it [1]. The surge in installations of the "4K Sports" app linked to Medusa underscores the need for heightened awareness and proactive mitigation, and continued monitoring and analysis are essential to keep pace with the threat.