Medusa Trojan

The Medusa trojan is a banking trojan that spreads via SMS phishing, enticing users to click on malicious links. Once the trojan is installed, the device user is asked to grant it the accessibility services permission, which the malware then uses to grant itself further permissions. The trojan features many capabilities, including keylogging, stealing data from the clipboard, screencasting, and sending event logs to a command-and-control server.

Medusa was first discovered in July 2020. The threat actors behind it are from Turkey, and their first campaign focused on banks within that country. However, subsequent attacks have hit users across North America and Europe, and more than 76 banks have been targeted.

In addition to more common tactics like keylogging and clipboard data theft, this trojan has employed other, more novel capabilities:

  • Semi-ATS (Automatic Transfer System) capability, which partially automates fraudulent transactions from the infected device.
  • An accessibility scripting service that can perform a set of actions on the victim’s behalf. The same accessibility events also serve as the malware’s logging mechanism.

Threats Posed by Medusa to Mobile Banking Apps

  • Data Theft: Medusa is designed to steal sensitive information from the user’s device. This theft includes login credentials for banking apps, credit card information, and personal identification details.
  • Keylogging: The trojan can capture keystrokes, recording everything the user types on their device. This information includes usernames, passwords, PINs, and other sensitive data entered into mobile banking apps.
  • SMS Intercept: Medusa can intercept SMS messages on the infected device. Intercepted messages could include one-time passwords (OTPs) and transaction verification codes sent by mobile banking apps, potentially allowing attackers to bypass two-factor authentication.
  • Overlay Attacks: Medusa can employ overlay attacks, displaying fake login screens that mimic legitimate mobile banking apps. Users may unwittingly enter their credentials into these deceptive interfaces, which are then captured by the trojan.
  • Device Information Theft: Medusa can gather device-specific information, such as device identifiers, phone numbers, and operating system details. This information may be used for tracking and profiling users.
  • Remote Control: The trojan connects to the attackers’ command and control (C2) server. This connection enables remote control of the infected device, allowing attackers to execute various commands, including unauthorized transactions.

Mitigating the Threat of Medusa

To protect your mobile banking app and its users from the Medusa banking trojan and similar threats, consider implementing the following security measures:

  • Regular Updates: Keep your mobile banking app and its dependencies up-to-date with the latest security patches and enhancements to address known vulnerabilities.
  • User Education: Educate users about the importance of downloading the official app from trusted sources, avoiding suspicious links or downloads, and being cautious with app permissions.
  • Multi-factor Authentication (MFA): Encourage users to enable MFA for their accounts to add an extra layer of security.
  • Real-time Monitoring: Implement real-time monitoring to detect and respond to suspicious activities within your app and network traffic.
  • Secure Coding: Follow secure coding practices to prevent vulnerabilities in your app’s code, including input validation, data encryption, and secure API communication.
  • Third-party Library Review: Carefully review and vet third-party libraries or components used in your app for potential security risks.
  • Collaborate with Security Experts: Work with cybersecurity experts to conduct security assessments, code reviews, and penetration testing to identify and address your app’s security weaknesses.
  • Incident Response Plan: Develop an incident response plan to respond to security incidents or breaches effectively.

By taking these precautions, you can help safeguard your mobile banking app and protect your users from the threats posed by the Medusa banking trojan and other evolving malware.
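As an added illustration of the secure-coding and in-app monitoring points above (example code added here; it is not from the page and not Zimperium’s own code), the following Android snippet shows one way a banking app can respond to the two mechanisms Medusa relies on: the accessibility-service grant and overlay/screencast capture of the login screen. It flags enabled accessibility services that are not on a known-good allowlist, excludes the login window from screenshots and screen casting, and drops touches delivered while the credential form is covered by another window. The allowlist contents and the `RiskReporter` telemetry hook are assumptions, not anything the page describes.

```java
// Added example (not from the page): a defensive check an Android banking app can run at
// login time. Medusa needs an accessibility-service grant to operate, so an unexpected
// enabled service is a strong risk signal; FLAG_SECURE blocks screencasting of the login
// screen; setFilterTouchesWhenObscured rejects touches that arrive through an overlay.
// The allowlist and the RiskReporter interface are hypothetical and app-specific.
import android.accessibilityservice.AccessibilityServiceInfo;
import android.app.Activity;
import android.content.Context;
import android.view.View;
import android.view.WindowManager;
import android.view.accessibility.AccessibilityManager;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

public final class AccessibilityOverlayGuard {

    // Hypothetical allowlist: accessibility providers the app's risk policy accepts
    // (here the platform screen reader). A real deployment would source this from
    // server-side policy so it can be updated without an app release.
    private static final Set<String> ALLOWED_A11Y_PACKAGES = new HashSet<>(Arrays.asList(
            "com.google.android.marvin.talkback"));

    private AccessibilityOverlayGuard() {}

    /** Returns package names of enabled accessibility services that are not allowlisted. */
    public static List<String> unexpectedAccessibilityServices(Context ctx) {
        AccessibilityManager am =
                (AccessibilityManager) ctx.getSystemService(Context.ACCESSIBILITY_SERVICE);
        List<String> suspicious = new ArrayList<>();
        if (am == null) {
            return suspicious;
        }
        for (AccessibilityServiceInfo info :
                am.getEnabledAccessibilityServiceList(AccessibilityServiceInfo.FEEDBACK_ALL_MASK)) {
            String pkg = info.getResolveInfo().serviceInfo.packageName;
            if (!ALLOWED_A11Y_PACKAGES.contains(pkg)) {
                suspicious.add(pkg);
            }
        }
        return suspicious;
    }

    /** Hardens the login screen against screencasting and touch-through overlays. */
    public static void hardenLoginScreen(Activity activity, View credentialForm) {
        // FLAG_SECURE: window contents are excluded from screenshots and screen recording/casting.
        activity.getWindow().setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                WindowManager.LayoutParams.FLAG_SECURE);
        // Discard touches that arrive while another window covers this view (overlay attack).
        credentialForm.setFilterTouchesWhenObscured(true);
    }

    /**
     * Example wiring at login: harden the screen, then treat an unexpected accessibility
     * service as a risk signal that is reported and triggers step-up verification.
     */
    public static boolean loginAllowed(Activity activity, View credentialForm,
                                       RiskReporter reporter) {
        hardenLoginScreen(activity, credentialForm);
        List<String> suspicious = unexpectedAccessibilityServices(activity);
        if (!suspicious.isEmpty()) {
            reporter.report("unexpected_accessibility_service", suspicious); // assumed hook
            return false; // caller should require out-of-band verification before proceeding
        }
        return true;
    }

    /** Hypothetical telemetry interface; a real app would post this to its monitoring backend. */
    public interface RiskReporter {
        void report(String signal, List<String> details);
    }
}
```

Two design notes: FLAG_SECURE stops screen capture but does not stop an accessibility service from reading on-screen text or injecting actions, which is why the service check is the more important half of this guard; and because legitimate users rely on accessibility services, the result should feed a risk score that steps up authentication (for example, an out-of-band confirmation) rather than hard-blocking the session.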

Medusa is one of the principal families of banking trojans threatening mobile banking and financial apps.
