Android banking Trojan evolves to evade detection and strike globally

Android banking Trojan Medusa has returned after almost a yearlong hiatus and is now even more dangerous. The new variant of the Trojan is lightweight and requests fewer device permissions to avoid detection.

First identified in 2020, Medusa is a Turkish-linked banking Trojan that initially targeted Turkish financial institutions. 

It expanded rapidly by 2022, launching major campaigns in North America and Europe, causing significant monetary harm. Medusa’s new variant is now targeting Android users across the globe, including those located in the U.S., Canada, Spain, France, Italy, the U.K. and Turkey.


1 Android banking trojan evolves to evade detection and strike globally intro

A man looking at his Android phone. (Kurt “CyberGuy” Knutsson)

How does the Medusa Android Trojan evade detection?

Since July 2023, Medusa attacks are back with a new version. Cybersecurity experts from Cleafy found a spike in the number of installs of an app called “4K Sports.” This app is being used by hackers to put malware on people’s Android phones. The new malware is an upgraded Medusa with big changes in how it works.

It asks for fewer permissions, making it sneakier. It still requests Accessibility Services, which is a big red flag. Android’s Accessibility Service is a powerful tool that helps people with disabilities use mobile devices more easily. When you grant an app Accessibility permissions, you’re essentially giving it the ability to do whatever it wants on your phone.


Cybercriminals are aware of this, so most malware that infects your phone will ask for Accessibility permissions. You should be immediately suspicious when an app requests permissions in this area. Medusa’s new variant also requests Broadcasting SMS, Internet Foreground Service and Package Management permissions.

The Android Trojan now has 17 fewer commands than before but adds five new ones, like setting a black screen overlay, taking screenshots and more.

Cleafy reveals that hackers are using not only the 4K Sports app to install Medusa but also fake apps like Google Chrome, InatTV, Purolator and 5G. In the U.S., Chrome, InatTV and Purolator are the main apps being misused by these hackers.

2 Android banking trojan evolves to evade detection and strike globally details

A person on their Android phone. (Kurt “CyberGuy” Knutsson)


What is the scale of the Medusa cyberattack?

Medusa is going after people all over the world, including the U.S. and Europe. Cleafy found two different Medusa botnet groups, each working in its own way.

The first group, with botnets named AFETZEDE, ANAKONDA, PEMBE and TONY, mainly targets people in Turkey but also hits Canada and the U.S. They use Medusa’s usual tricks, like phishing, to spread the malware.

The second group, including the UNKN botnet, shows a change in Medusa’s strategy. It mainly targets European users, especially in Italy and France. Unlike the usual variants, some of these new ones were installed through apps downloaded from untrusted sources. This means the hackers are trying new ways to spread the malware beyond the usual phishing tactics.

3 Android banking trojan evolves to evade detection and strike globally hack

Illustration of a cybercriminal. (Kurt “CyberGuy” Knutsson)


10 ways you can protect yourself from the Android banking Trojan

While a Trojan is hard to detect and can be dangerous once it enters your phone, there are several things you can do to protect your data.

1. Be cautious of phishing attempts: Be vigilant about emails, phone calls or messages from unknown sources asking for personal information. Avoid clicking on suspicious links or providing sensitive details unless you can verify the legitimacy of the request.

2. Have strong antivirus software: Android has its own built-in malware protection called Play Protect, but it’s not enough to stop all malicious software. Historically, Play Protect hasn’t been 100% foolproof at removing all known malware from Android phones. The best way to protect yourself from clicking malicious links that install malware that may get access to your private information is to have antivirus protection installed on all your devices. This can also alert you of any phishing emails or ransomware scams. Get my picks for the best 2024 antivirus protection winners for your Windows, Mac, Android and iOS devices.

3. Download apps from reliable sources: It’s important to download apps only from trusted sources like the Google Play Store. They have strict checks to prevent malware and other harmful software. Avoid downloading apps from unknown websites or unofficial stores, as they can pose a higher risk to your personal data and device.


4. Use an identity theft protection service: Identity Theft companies can monitor personal information like your Social Security Number (SSN), phone number and email address and alert you if it is being sold on the dark web or being used to open an account. They can also assist you in freezing your bank and credit card accounts to prevent further unauthorized use by criminals. 

One of the best parts of using some services is that they might include identity theft insurance of up to $1 million to cover losses and legal fees and a white glove fraud resolution team where a U.S.-based case manager helps you recover any losses. See my tips and best picks on how to protect yourself from identity theft. 

5. Monitor your accounts: If you think you have been affected by the banking Trojan, regularly review your bank statements, credit card statements and other financial accounts for any unauthorized activity. If you notice any suspicious transactions, report them immediately to your bank or credit card company.

6. Enable SMS notifications for your bank accounts: By enabling SMS notifications, you can monitor your accounts for any unauthorized transactions.

7. Set up two-factor authentication (2FA): 2FA is an extra shield that prevents hackers from accessing your accounts.

8. Use a password manager: A password manager can help you create and store strong, unique passwords for all your accounts, reducing the risk of password theft.

9. Regularly update your device’s operating system and apps: Keeping your software up to date is crucial, as updates often include security patches for newly discovered vulnerabilities that could be exploited by Trojans.

10. Be wary of granting permissions: Carefully review the permissions requested by apps. If an app asks for more access than it needs for its functionality, it could be a red flag.


Kurt’s key takeaways

Hackers behind Medusa have made the malware hard to detect. They use apps that look legitimate to get the malware onto your phone and steal your personal data and sometimes your money. As a rule of thumb, only download apps from the Google Play Store. Google ensures it only allows secure apps on its platform and is safer than any other app store.

What are your thoughts on the increasing sophistication of mobile malware like the Medusa Trojan, and how do you think the cybersecurity industry should respond? Let us know by writing us at

For more of my tech tips and security alerts, subscribe to my free CyberGuy Report Newsletter by heading to

Ask Kurt a question or let us know what stories you’d like us to cover.

Follow Kurt on his social channels:

Answers to the most-asked CyberGuy questions:

Copyright 2024 All rights reserved.

Source link

About The Author

Scroll to Top