Medusa Android malware returns to target users around the world — here's how to stay safe

In their report, the researchers said they recently observed a surge in installations of a new app called “4K Sports”. Subsequent investigation determined the app to be an evolution of Medusa, with significant changes in its command infrastructure and capabilities.

Expanding targets

Most notably, the new variant requests fewer permissions, making it less detectable. It still asks for Accessibility Services, which should always be a red flag. Other notable mentions include Broadcasting SMS, Internet Foreground Service, and Package Management.

In total, 17 commands were nixed, and five new ones introduced, including setting a black screen overlay, taking screenshots, and more.

Five different botnets, each with unique operational goals and geographical targets, were identified using the new Medusa. These are called UNKN, AFETZEDE, ANAKONDA, PEMBE, and TONY, and their targets were mostly located in Canada, Spain, France, Italy, the UK, the US, and Turkey.

To distribute Medusa, the botnets are most likely using droppers, the researchers said. However, the droppers have not yet been found on the Google Play Store, which significantly reduces its reach. However, dedicated websites, social media channels, phishing, and other methods, are still viable and can still result in hundreds of thousands of downloads. 

Not to be confused with the ransomware, or the Mirai-based botnet of the same name, the Medusa banking trojan is a sophisticated piece of malware primarily designed to target financial institutions and facilitate banking fraud. It was first identified in 2020, targeting Turkish financial institutions. By 2022, Medusa had launched major campaigns in North America and Europe.

More from TechRadar Pro

• The Medusa ransomware group is getting serious
• Here's a list of the best firewalls today
• These are the best endpoint protection tools right now