Print this page

Android Banking Trojan Medusa Piggybacking on FluBot’s Deliver System

Rate this item
(0 votes)

Reading time is around minutes.

The rise of the smart device meant that more and more people were going to be using these for more than just communication. Mobile banking, mobile home automation, mobile car monitoring, you name it, there is probably an app for it. With this new and powerful accessibility there comes risk. Attackers know that mobile security is not exactly where it should be, and that people are more trusting on their phones than they might be on their laptops and desktops (maybe). We also have the issue with how mobile apps access the information they have permissions to and display it to the user. To call mobile device security a mess would be a gross understatement.

Because of this state one of the most effective methods of insertion on a mobile device is via SMS Phishing (smishing). This method is used by two rather prominent Android banking Trojans, Medusa and FluBot. In fact, the two appear to be using the exact same smishing infrastructure as well as other identical or overlapping app and package names.

Medusa is dangerous because it gains an extreme amount of control over the device. It has functions that allow it to act as a keylogger. It abuses the Android Accessibility Service to perform actions on behalf of the user via an internal scripting engine. With this control is also possible to stream audio and/or video from the phone. Using this level of access, they can execute commands in any app that is installed on the user’s android device. One of the observed items is they can set automate who gets a transfer in a banking app using the fillfocus command. This allows them to set up semi-automated transfers of money to drain a target’s accounts.

The Keylogger is a bit of brilliant coding that allows them to observe UI based events from clicks to field inputs to even the unlock patter or code. Since the key logger also uses the Accessibility service it also allows visualization of what happened, not just the event or keystroke information. This level of control once a device is infected gives them greater access to credential compromise.

Although Medusa originally targeted banks in Turkey (ThreatFabric researchers believe they are from Turkey) it has branched out to target financial institutions outside of Turkey. There are indications that campaigns are targeting banks in the US and Canada. By pivoting off the same infrastructure as FluBot it gives them a wide variety of entry points. ThreatFabric noted malicious apps masquerading as DHL, Flash Players, and others. For DHL alone they saw 1700+ infected devices in the span of 24 hours.

This campaign represents a significant threat to mobile devices and mobile banking. It also highlights a weakness in mobile device security. Not just in prevention, but also in the ease of which this campaign can push out malicious versions of an app and people unwittingly download it from a message. This is a perfect example of the need for a more security focused culture not only in businesses, but in everyday life especially as phones are becoming the defacto BYOD item for most businesses. A trojan like Medusa could be the entry point to your organization while the threat group drains your employee’s bank account.


Sean Kalinich

Latest from Sean Kalinich

Related items