Sunday, March 2, 2025

Easy-to-program malware can attack any banking app

Easy-to-program banking malware is increasingly popular in cybercrime, and the rise in Medusa infections in Europe and North America is yet another example. Focused on countries such as Spain, Turkey and the US, the malware spreads through fraudulent SMS messages and abuses Android's accessibility services to steal data and perform transactions, while being highly customizable to attack any financial app.

All it takes is a simple change to Medusa's code before distribution, together with the creation of fake login screens and other attributes, for the actions to take effect. In the messages, the malware arrives disguised as apps from shipping companies such as DHL and Amazon or released versions of streaming services, as well as updates to the operating system itself. A single permission is all it takes for fraudulent activity to start.

Through Android's accessibility services, crooks can read notifications or perform actions in the background, as well as search for installed apps. Screenshots can be taken to obtain credentials, and fake pages serve the same purpose; the same access also allows actions to be carried out on the phone itself, while it is in the user's hand and they wait in front of a non-existent loading screen, for example.


ThreatFabric experts, responsible for the new alert involving Medusa, also called TangleBot, cite it as a highly capable threat that can also log keystrokes and record video and audio from the cameras or microphones. The use of legitimate SMS delivery and website hosting services, as well as dynamic DNS, helps to increase the appearance of legitimacy and the reach of the attacks.

Partners in crime

Experts also point to a similarity between Medusa's spread dynamics and those of another recent banking malware, FluBot. Also notorious in Europe and North America, that malware likewise used dynamic DNS systems and legitimate hosts to spread before moving to SMS distribution systems.

Although it is not possible to say that it is the work of the same gang, the similar dynamics show that criminals are watching the cybercrime market and also prove that the tactics work. So much so that Medusa's own infections, which started in Turkey, have now spread across two continents, while its ability to adapt should take it to even more regions in the near future.

Users must pay attention to messages that lead to the download of applications. Never download apps from outside the official Android app stores, and be suspicious of requests related to the device's accessibility services; ideally, never click on links that arrive through these means and ignore such contacts completely, while always keeping security solutions installed on the phone.
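
For the advice above about sideloaded apps and accessibility requests, here is an added defender-side check (not from the original article or from ThreatFabric). It cross-references the accessibility services enabled on a device with each package's install source and flags any that did not come from the official store. The sample adb output, the package names and the `allowlist` parameter are constructed assumptions.

```python
# Added example: audit enabled accessibility services against install source.
# Inputs are the text output of two adb commands run on a connected device:
#   adb shell settings get secure enabled_accessibility_services
#   adb shell pm list packages -i
TRUSTED_INSTALLERS = {"com.android.vending"}  # Google Play; extend for managed stores

def parse_enabled_services(raw):
    """Return {package: [service_class, ...]} from the colon-separated setting."""
    services = {}
    raw = raw.strip()
    if not raw or raw == "null":      # setting is unset when nothing is enabled
        return services
    for component in raw.split(":"):
        pkg, _, cls = component.partition("/")
        if pkg:
            services.setdefault(pkg, []).append(cls)
    return services

def parse_installers(raw):
    """Return {package: installer or None} from `pm list packages -i` output."""
    installers = {}
    for line in raw.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        name, _, inst = line[len("package:"):].partition("installer=")
        inst = inst.strip()
        installers[name.strip()] = None if inst in ("", "null") else inst
    return installers

def flag_untrusted_accessibility(services_raw, packages_raw, allowlist=()):
    """List (package, installer, services) for accessibility services whose
    package was not installed by a trusted store. Preinstalled system services
    report no installer, so pass their exact package names in `allowlist`."""
    installers = parse_installers(packages_raw)
    flagged = []
    for pkg, classes in sorted(parse_enabled_services(services_raw).items()):
        installer = installers.get(pkg)
        if pkg not in allowlist and installer not in TRUSTED_INSTALLERS:
            flagged.append((pkg, installer, classes))
    return flagged

# Constructed sample output; "com.example.parceltracker" stands in for a fake courier app.
SAMPLE_SERVICES = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                   ":com.example.parceltracker/com.example.parceltracker.SyncService")
SAMPLE_PACKAGES = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.parceltracker  installer=null
package:com.example.bank  installer=com.android.vending"""

if __name__ == "__main__":
    for pkg, installer, classes in flag_untrusted_accessibility(SAMPLE_SERVICES, SAMPLE_PACKAGES):
        print(f"REVIEW {pkg}: installer={installer}, services={classes}")
```
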
