Medusa banking trojan returns to steal your passwords and cash — how to stay safe

When a popular Android banking trojan goes dark, it’s usually good news—but not in this case. 

As reported by BleepingComputer, after almost a year of lying low, the Medusa banking trojan has returned in several campaigns targeting Android users in the U.S., the U.K., Canada, France, Italy, Spain and Turkey.

While Medusa was already dangerous before, these new variants require fewer permissions and include new features that make it easier for the malware to commit fraud directly on a compromised smartphone.

Here’s everything you need to know about these new Medusa variants along with how you can keep yourself and your Android devices protected from banking trojans.

Using botnets to deliver malicious apps

According to a new report from the online fraud management firm Cleafy, these new Medusa variants were first spotted back in July of last year in several campaigns that used SMS phishing, or smishing, to trick victims into sideloading dropper apps that then install the malware.

In total, the researchers have identified 24 separate campaigns with five of them attributed to botnets that were used to deliver malicious apps to unsuspecting users. Some of the dropper apps used in these campaigns include a fake Chrome browser, a 5G connectivity app and a fake streaming app called 4K Sports.

As Medusa is a malware-as-a-service offering in which affiliates pay a subscription fee to deploy the banking trojan, all of these campaigns and botnets are run through its central infrastructure, which is also where the malware obtains the addresses of its command and control (C2) servers.

Smaller footprint but even more dangerous

To make it easier to install their banking trojan, Medusa’s creators have made it even smaller, and it now requests fewer permissions after installation. However, it still relies on Android’s Accessibility Services to function.

While 17 commands from the previous version have been removed, these variants retain the ability to read a victim's contacts and send text messages, which is how the malware spreads itself further. They also gain new commands that let an attacker uninstall apps, draw over other apps, set a black screen overlay and take screenshots.

Of these, the black screen overlay is particularly dangerous: a remote attacker can use it to make an infected phone look as though it has been switched off while malicious activity is carried out underneath it. Likewise, the screenshot capability gives attackers an easy way to capture sensitive information such as passwords from the device.

We’ll be keeping a close eye on this improved banking trojan, as its smaller footprint and reduced permission requirements make it easier to deploy and are likely to broaden the range of campaigns and Android users it targets.

How to stay safe from Android malware

As the Medusa banking trojan is spread through dropper apps, you need to be extra careful when installing new apps on your smartphone, and you should be suspicious of any app that asks you to enable Accessibility Services for it, since Medusa cannot function without that access.

While sideloading apps may be convenient, it’s an easy way to come down with a nasty malware infection, especially if you’re downloading their APK files from less-than-trustworthy sources. For this reason, you should stick to official Android app stores like the Google Play Store, Amazon Appstore and the Samsung Galaxy Store.

At the same time, you also want to make sure that Google Play Protect is enabled on your Android phone as it scans all of your existing apps and any new ones you download for malware. For extra protection, you may also want to consider using one of the best Android antivirus apps alongside it.
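The two checks above (was an app sideloaded rather than installed from a store, and does anything on the phone hold Accessibility access) can be scripted against a connected phone over adb. The following POSIX shell script is an added example written for this article, not code from Tom's Guide, Cleafy or BleepingComputer. It parses the output of "pm list packages -3 -i" and "settings get secure enabled_accessibility_services", treats Google Play, the Amazon Appstore and the Galaxy Store as trusted installers, and flags any sideloaded package that also has an enabled accessibility service. The sample output embedded in it is constructed, and the non-store package names in it (com.fake.chrome, com.example.sports4k) are invented for illustration.

```shell
#!/bin/sh
# Added example for this article (not Tom's Guide, Cleafy or BleepingComputer code).
# Triage an Android phone for the two traits the article attributes to Medusa:
# packages that were sideloaded rather than installed by an app store, and apps
# that hold an enabled Accessibility Service. On a real device, capture the inputs with:
#   adb shell pm list packages -3 -i
#   adb shell settings get secure enabled_accessibility_services
# Everything below runs offline on constructed sample output.

# Installer package IDs of the stores the article recommends: Google Play,
# Amazon Appstore and Samsung Galaxy Store.
TRUSTED_INSTALLERS="com.android.vending com.amazon.venezia com.sec.android.app.samsungapps"

# sideloaded LISTING: print "pkg installer=X" for every third-party package whose
# installer is not a trusted store. Input lines look like
#   package:com.example.app  installer=com.android.vending
# and "installer=null" means the APK was installed directly (browser download,
# file manager, adb) rather than by a store app.
sideloaded() {
    printf '%s\n' "$1" | awk -v trusted="$TRUSTED_INSTALLERS" '
        BEGIN { n = split(trusted, t, " "); for (i = 1; i <= n; i++) ok[t[i]] = 1 }
        /^package:/ {
            pkg = $1; sub(/^package:/, "", pkg)
            inst = "null"
            for (i = 2; i <= NF; i++) if ($i ~ /^installer=/) inst = substr($i, 11)
            if (!(inst in ok)) print pkg " installer=" inst
        }'
}

# a11y_packages SETTING: print the package name of every enabled accessibility
# service. The setting is a colon-separated list of "package/ServiceClass" entries
# (or "null" when nothing is enabled).
a11y_packages() {
    printf '%s\n' "$1" | tr ':' '\n' | sed -n 's#/.*##p' | sort -u
}

# triage LISTING SETTING: the high-risk intersection, i.e. sideloaded packages
# that also hold Accessibility access, which is where a Medusa dropper would sit.
triage() {
    side=$(sideloaded "$1" | awk '{ print $1 }')
    a11y=$(a11y_packages "$2")
    for p in $side; do
        for q in $a11y; do
            if [ "$p" = "$q" ]; then echo "$p"; fi
        done
    done
}

# Constructed sample output; the package names other than the real stores,
# WhatsApp, Kindle and TalkBack are invented for illustration.
SAMPLE_PKGS='package:com.whatsapp  installer=com.android.vending
package:com.fake.chrome  installer=null
package:com.example.sports4k  installer=com.android.chrome
package:com.amazon.kindle  installer=com.amazon.venezia'
SAMPLE_A11Y='com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:com.fake.chrome/.AccessibilityProxy'

# Stand-alone run: prints "RISK com.fake.chrome" for the sample above.
triage "$SAMPLE_PKGS" "$SAMPLE_A11Y" | sed 's/^/RISK /'
```

On a real phone, redirect the two adb commands into files and pass their contents to triage; an entry in the output is not proof of infection (a legitimate screen reader you sideloaded would show up too), but it is exactly the combination of sideloaded origin plus Accessibility access that the article describes Medusa needing, so it is the first thing to inspect or uninstall.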

Banking trojans can be quite lucrative for the hackers that use them in their attacks, so don’t expect this particular threat to disappear anytime soon.

Anthony Spadafora
Senior Editor Security and Networking

Anthony Spadafora is the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to password managers and the best way to cover your whole home or business with Wi-Fi. Before joining the team, he wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.