Medusa banking trojan returns to steal your passwords and cash — how to stay safe
A newer, lightweight variant can capture screenshots and use full-screen overlays
When a popular Android banking trojan goes dark, it’s usually good news—but not in this case.
As reported by BleepingComputer, after almost a year of lying low, the Medusa banking trojan has returned in several campaigns targeting users of the best Android phones in the U.S., the U.K., Canada, France, Italy, Spain and Turkey.
While Medusa was already dangerous before, these new variants require fewer permissions and include new features that make it easier for the malware to commit fraud directly on a compromised smartphone.
Here’s everything you need to know about these new Medusa variants along with how you can keep yourself and your Android devices protected from banking trojans.
Using botnets to deliver malicious apps
According to a new report from the online fraud management firm Cleafy, these new Medusa variants were first spotted back in July of last year in several campaigns that used SMS phishing (smishing) to side-load the malware with the help of dropper apps.
In total, the researchers have identified 24 separate campaigns with five of them attributed to botnets that were used to deliver malicious apps to unsuspecting users. Some of the dropper apps used in these campaigns include a fake Chrome browser, a 5G connectivity app and a fake streaming app called 4K Sports.
As Medusa is a malware-as-a-service offering where hackers pay a subscription fee to deploy the banking trojan, all of these campaigns and botnets are handled by its central infrastructure, which fetches links for its command and control (C2) server.
Smaller footprint but even more dangerous
To make it easier to install their banking trojan, Medusa’s creators have made it even smaller, and it now requests fewer permissions after installation. However, it still relies on Android’s Accessibility Services to function.
While 17 commands were removed from the previous version of this banking trojan, it retains its ability to access a victim’s contacts and send text messages to spread even further. There are some new commands, though, which give these Medusa variants the ability to uninstall apps, draw over apps, set a black screen overlay and take screenshots.
Of these, the black screen overlay command is particularly dangerous since it can be used by a remote attacker to make an infected smartphone appear as if it has been turned off while malicious activities are performed in the background. Likewise, Medusa’s screenshot capability provides hackers with an easy way to steal sensitive information like passwords from an infected device.
We’ll be keeping a close eye on this improved banking trojan as its smaller size means that the hackers using it will be able to expand the scope of their attacks while targeting even more Android users.
How to stay safe from Android malware
As the Medusa banking trojan is often spread through dropper apps, you need to be extra careful when installing new apps on your smartphone.
While sideloading apps may be convenient, it’s an easy way to come down with a nasty malware infection, especially if you’re downloading their APK files from less-than-trustworthy sources. For this reason, you should stick to official Android app stores like the Google Play Store, Amazon Appstore and the Samsung Galaxy Store.
At the same time, you also want to make sure that Google Play Protect is enabled on your Android phone as it scans all of your existing apps and any new ones you download for malware. For extra protection, you may also want to consider using one of the best Android antivirus apps alongside it.
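The two capabilities the report singles out, an enabled accessibility service and the "draw over other apps" permission, are both visible to anyone with adb access to a phone. The script below is an added example, not code from Tom's Guide, Cleafy or the malware analysis; it triages the text that three real adb commands print (`settings get secure enabled_accessibility_services`, `pm list packages -3`, and `appops get <package> SYSTEM_ALERT_WINDOW`) and flags third-party apps holding either capability. The package names and command output embedded here are constructed samples, and the exact `appops` output format is assumed to match the sample; it is a review aid for a suspicious device, not a signature for Medusa.

```python
import re

# Constructed sample output of `adb shell settings get secure enabled_accessibility_services`.
# Real devices print a colon-separated list of package/ServiceClass entries, or "null".
SAMPLE_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
    ":com.example.streamer/.AssistService"
)
# Constructed sample output of `adb shell pm list packages -3` (third-party packages only).
SAMPLE_PKGS = "package:com.example.streamer\npackage:com.example.notes\n"
# Constructed sample output of `adb shell appops get <pkg> SYSTEM_ALERT_WINDOW`, keyed by package.
SAMPLE_APPOPS = {
    "com.example.streamer": "SYSTEM_ALERT_WINDOW: allow; time=+2d3h17m; rejectTime=+0",
    "com.example.notes": "No operations.",
}


def parse_enabled_accessibility_services(text):
    """Return the package names whose accessibility service is currently enabled."""
    text = text.strip()
    if not text or text == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in text.split(":") if entry}


def parse_third_party_packages(text):
    """Parse the 'package:<name>' lines that `pm list packages -3` prints."""
    return {
        line.split(":", 1)[1].strip()
        for line in text.splitlines()
        if line.startswith("package:")
    }


def overlay_allowed(appops_text):
    """True when the SYSTEM_ALERT_WINDOW app-op mode is 'allow' (assumed output format)."""
    m = re.search(r"^SYSTEM_ALERT_WINDOW:\s*(\w+)", appops_text, re.MULTILINE)
    return bool(m) and m.group(1) == "allow"


def triage(a11y_text, pkgs_text, appops_by_pkg):
    """List third-party packages holding either capability, most concerning first.

    Returns (package, accessibility_enabled, overlay_allowed) tuples. System apps such as
    TalkBack are ignored because only third-party packages are considered.
    """
    a11y = parse_enabled_accessibility_services(a11y_text)
    findings = []
    for pkg in sorted(parse_third_party_packages(pkgs_text)):
        acc = pkg in a11y
        ovl = overlay_allowed(appops_by_pkg.get(pkg, ""))
        if acc or ovl:
            findings.append((pkg, acc, ovl))
    # Apps holding both capabilities first, then alphabetical.
    findings.sort(key=lambda f: (-(int(f[1]) + int(f[2])), f[0]))
    return findings


if __name__ == "__main__":
    for pkg, acc, ovl in triage(SAMPLE_A11Y, SAMPLE_PKGS, SAMPLE_APPOPS):
        print(f"{pkg}: accessibility={'yes' if acc else 'no'} overlay={'yes' if ovl else 'no'}")
```

On a real device, capture the three outputs with adb and feed them in place of the constructed samples; any third-party app that shows up with both flags and that the owner does not recognise deserves the uninstall-and-change-passwords treatment the article recommends.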
Banking trojans can be quite lucrative for the hackers that use them in their attacks, so don’t expect this particular threat to disappear anytime soon.

Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.
