
Two different Android banking Trojans, FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign, according to new research published by ThreatFabric.

The ongoing side-by-side infections, facilitated through the same smishing (SMS phishing) infrastructure, involved the overlapping usage of “app names, package names, and similar icons,” the Dutch mobile security firm said.

Medusa, first discovered targeting Turkish financial organizations in July 2020, has undergone several iterations, chief among which is the ability to abuse accessibility permissions in Android to siphon funds from banking apps to an account controlled by the attacker.

“Medusa sports other dangerous features like keylogging, accessibility event logging, and audio and video streaming — all these capabilities provide actors with almost full access to [a] victim’s device,” the researchers said.
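Because the capability described above depends on the victim granting an accessibility service, one practical triage step is to list which packages currently hold that permission on a device. The following POSIX shell script is an added example, not code from ThreatFabric or the article: it parses the colon-separated value Android keeps in the secure setting `enabled_accessibility_services` (retrievable with `adb shell settings get secure enabled_accessibility_services`) and flags any entry whose package is not on an allowlist. The allowlist contents and the sample setting value are constructed for illustration, and the package name `com.example.fakedelivery` is a placeholder, not a real sample.

```shell
#!/bin/sh
# Added example: audit enabled Android accessibility services against an allowlist.
# Input format (from "adb shell settings get secure enabled_accessibility_services"):
#   pkg/serviceClass:pkg2/serviceClass2   (empty or "null" when none are enabled)

# Packages expected to hold accessibility access. Hypothetical list; tune per fleet.
ALLOWLIST="com.google.android.marvin.talkback com.android.settings"

# Return 0 if the package is on ALLOWLIST, 1 otherwise.
# A case pattern is used so the check does not depend on the current IFS.
is_allowed() {
    case " $ALLOWLIST " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print one line per enabled service whose package is not allowlisted.
# Returns 1 if any such service was found, 0 otherwise.
flag_unexpected_services() {
    raw="$1"
    found=0
    # Empty or "null" means no accessibility services are enabled.
    [ -z "$raw" ] || [ "$raw" = "null" ] && return 0
    old_ifs="$IFS"
    IFS=':'
    for entry in $raw; do
        pkg="${entry%%/*}"          # strip "/serviceClass" to get the package
        if ! is_allowed "$pkg"; then
            echo "UNEXPECTED accessibility service: $entry"
            found=1
        fi
    done
    IFS="$old_ifs"
    return $found
}

# Constructed sample: a legitimate screen reader plus a fake "delivery" app
# that has been granted accessibility access (placeholder package name).
SAMPLE="com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fakedelivery/com.example.fakedelivery.AccService"

if flag_unexpected_services "$SAMPLE"; then
    echo "no unexpected accessibility services"
else
    echo "review the flagged packages before assuming the device is clean"
fi
```

On a real device, replace `SAMPLE` with the output of the `adb shell settings get secure` command; an empty result or the string `null` is reported as clean, while any non-allowlisted package is printed for review.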

The malicious apps used in the campaign shared with FluBot masquerade as DHL and Flash Player apps to infect devices. Recent Medusa attacks have also expanded beyond Turkey to Canada and the U.S., with the operators maintaining multiple botnets for their campaigns.
