Medusa Android malware returns to target users around the world — here's how to stay safe

News
By published

After a year-long hiatus, Medusa is back

An abstract image of padlocks overlaying a digital background.
(Image credit: Shutterstock) (Image credit: Shutterstock)

Medusa, an Android banking trojan that had been laying low for roughly a year now, has made a fresh appearance, experts have warned

A new, lightweight Medusa variant has been seen being used by multiple threat actors, and targeting victims in numerous countries around the world, noted cybersecurity researchers from Cleafy.

In their report, the researchers said they recently observed a surge in installations of a new app called “4K Sports”. Subsequent investigation determined the app to be an evolution of Medusa, with significant changes in its command infrastructure and capabilities.

Expanding targets

Most notably, the new variant requests fewer permissions, making it less detectable. It still asks for Accessibility Services, which should always be a red flag. Other notable mentions include Broadcasting SMS, Internet Foreground Service, and Package Management.

In total, 17 commands were nixed, and five new ones introduced, including setting a black screen overlay, taking screenshots, and more.

Five different botnets, each with unique operational goals and geographical targets, were identified using the new Medusa. These are called UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY, and their targets were mostly located in Canada, Spain, France, Italy, the UK, the US, and Turkey.

To distribute Medusa, the botnets are most likely using droppers, the researchers said. However, the droppers have not yet been found on the Google Play Store, which significantly reduces its reach. However, dedicated websites, social media channels, phishing, and other methods, are still viable and can still result in hundreds of thousands of downloads. 

Not to be confused with the ransomware, or the Mirai-based botnet of the same name, the Medusa banking trojan is a sophisticated piece of malware primarily designed to target financial institutions and facilitate banking fraud. It was first identified in 2020, targeting Turkish financial institutions. By 2022, Medusa had launched major campaigns in North America and Europe.

More from TechRadar Pro

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Read more
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
Code Skull
US government warns Medusa ransomware has hit hundreds of critical infrastructure targets
Malware worm
Coordinated global mobile malware campaign targets banking apps and cryptocurrency platforms
DeepSeek
Fake DeepSeek installers are infecting your device with dangerous malware
A display showing off the Google TV homepage, with icons for 1917, Scoob!, YouTube and Twitch (among others)
This dangerous malware botnet now covers 1.6 million Android TVs - find out if you're at risk
A white padlock on a dark digital background.
A new and dangerous keylogger is on the loose - here's how to stay safe
Latest in Security
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Insecure network with several red platforms connected through glowing data lines and a black hat hacker symbol
Coinbase targeted after recent Github attacks
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
IBM office logo
IBM to provide platform for flagship cyber skills programme for girls
Latest in News
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
A phone showing a ChatGPT app error message
ChatGPT was down for many – here's what happened
AirPods Max with USB-C in every color
Apple's AirPods Max with USB-C will get lossless audio in April, but you'll need to go wired
More about security
An abstract image of digital security.

Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft

"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
A close up of a xenomorph with Earth reflected on its head in the Alien: Earth TV show teaser

Disney+ celebrates 5 years of streaming with 2025 lookahead – here are 3 movies and shows I can't wait to watch
See more latest
Most Popular
Shape of Russia filled with Russian flag-colored internet codes on a black hacking background
A new wave of blocks in Russia targets VPN apps and Cloudflare subnets
An abstract image of digital security.
Fake file converters are stealing info, pushing ransomware, FBI warns
Microsoft
"Another pair of eyes" - Microsoft launches all-new Security Copilot Agents to give security teams the upper hand
Ncuti Gatwa as The Fifteenth Doctor in Doctor Who
Disney+ drops new trailer for Doctor Who season 2 that promises an epic adventure across time and space
Cassian Andor looking nervously over his shoulder in Andor season 2
New Andor season 2 trailer has got Star Wars fans asking the same question – and it includes an ominous call back to Rogue One's official teaser
23andMe
23andMe is bankrupt and about to sell your DNA, here's how to stop that from happening
Lock on Laptop Screen
Medusa ransomware is able to disable anti-malware tools, so be on your guard
hacker.jpeg
Key trusted Microsoft platform exploited to enable malware, experts warn
A screenshot from Indiana Jones and the Great Circle showing Indiana Jones
Indiana Jones and the Great Circle finally gets PS5 release date and I can't wait to don the fedora and crack the whip
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Tuesday, March 25 (game #387)