Android Banking Trojan Medusa Returns with New Variant and Global Reach
ICARO Media Group
Android banking Trojan Medusa has resurfaced after a yearlong hiatus, appearing with a more dangerous and sophisticated variant. Initially discovered in 2020, Medusa targeted Turkish financial institutions before expanding its reach to North America and Europe by 2022, causing significant financial harm. Now, the Trojan has returned with a new lightweight variant that requests fewer device permissions in an attempt to avoid detection.
According to cybersecurity experts from Cleafy, the new Medusa variant has been targeting Android users worldwide, including those located in the United States, Canada, Spain, France, Italy, the United Kingdom, and Turkey since July 2023. The resurgence of Medusa was initially detected through an increase in installs of a malicious app called "4K Sports," which hackers are using to distribute the malware.
One of the key changes in the upgraded Medusa is that it requests fewer permissions, which makes it harder to spot. However, it still seeks Accessibility Services permission, which is a significant red flag: once granted, Accessibility permissions give the malware wide-ranging control over the infected device. In addition, the new variant requests Broadcasting SMS, Internet, Foreground Service, and Package Management permissions.
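The permission profile described above can be turned into a triage check for a decoded AndroidManifest.xml. The following is an added example, not code from Cleafy or from the article; mapping the article's permission names to concrete Android permission strings, the constructed sample manifest, and the "accessibility plus three or more of the others" threshold are all assumptions made here for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permission families named in the article, mapped to concrete manifest
# permission strings. This mapping is an assumption, not taken from the report.
PERMISSION_FAMILIES = {
    "sms": {"android.permission.RECEIVE_SMS", "android.permission.READ_SMS",
            "android.permission.BROADCAST_SMS"},
    "internet": {"android.permission.INTERNET"},
    "foreground_service": {"android.permission.FOREGROUND_SERVICE"},
    "package_mgmt": {"android.permission.REQUEST_INSTALL_PACKAGES",
                     "android.permission.QUERY_ALL_PACKAGES",
                     "android.permission.REQUEST_DELETE_PACKAGES"},
}
ACCESSIBILITY_BIND = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def profile_manifest(xml_text: str) -> dict:
    """Return which of the article's capability families a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID_NS + "name") for p in root.iter("uses-permission")}
    # An accessibility service is not a <uses-permission>; it is a <service>
    # that asks the system to bind it with BIND_ACCESSIBILITY_SERVICE.
    binds_accessibility = any(
        s.get(ANDROID_NS + "permission") == ACCESSIBILITY_BIND
        for s in root.iter("service"))
    found = {fam: bool(requested & names) for fam, names in PERMISSION_FAMILIES.items()}
    found["accessibility"] = binds_accessibility
    return found

def is_suspicious(profile: dict) -> bool:
    """Accessibility alone is common in legitimate apps; combined with most of
    the other families from the article it is worth escalating (assumed threshold)."""
    others = sum(profile[k] for k in PERMISSION_FAMILIES)
    return profile["accessibility"] and others >= 3

# Constructed sample manifest for the demo; not a real sample from the report.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <application>
    <service android:name=".AccSvc"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    p = profile_manifest(SAMPLE)
    print(p, "suspicious" if is_suspicious(p) else "benign-looking")
```

On a real APK, run this over the manifest produced by a decoding tool such as apktool; it is a screening heuristic for analyst review, not a verdict.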
The reemerging Trojan has undergone modifications, with 17 fewer commands than its previous version. However, it has introduced five new commands, including the ability to set a black screen overlay and capture screenshots. Interestingly, hackers have been employing various apps to distribute Medusa, such as "4K Sports," fake versions of Google Chrome, InatTV, Purolator, and 5G. In the United States, Chrome, InatTV, and Purolator are the primary apps being misused by the hackers.
Cleafy's investigation reveals the existence of two separate Medusa botnet groups operating in distinctive ways. The first group, consisting of AFETZEDE, ANAKONDA, PEMBE, and TONY botnets, mainly focuses on targeting individuals in Turkey, but also extends its reach to Canada and the United States. This group employs conventional Medusa tactics, including phishing techniques.
On the other hand, the second group, operating the UNKN botnet, demonstrates a change in Medusa's strategy by primarily targeting European users in countries like Italy and France. In a departure from its usual approach, this group has been distributing the new malware variant through apps downloaded from untrusted sources, signaling a shift in the hackers' dissemination tactics.
The threat posed by mobile malware, exemplified by the resurgence of Medusa, requires heightened awareness and proactive measures to protect personal data. To safeguard against such attacks, users are advised to treat phishing attempts with caution, use robust antivirus software, download apps exclusively from trusted sources like the Google Play Store, and consider using an identity theft protection service.
Furthermore, users should regularly monitor their accounts for any unauthorized activity, enable SMS notifications for their bank accounts, set up two-factor authentication (2FA), use password managers, and ensure their devices' operating systems and apps are always up-to-date.
As Medusa continues to evolve and pose risks to Android users globally, it is crucial for individuals to adopt best cybersecurity practices and remain vigilant against potential threats.