Two powerful trojans with spyware and RAT capabilities are being delivered in side-by-side campaigns using a common infrastructure.
Flubot, the Android spyware that’s been spreading virally since last year, has hitched its infrastructure wagon up to another mobile threat known as Medusa.
That’s according to ThreatFabric, which found that Medusa is now being distributed through the same SMS-phishing infrastructure as Flubot, resulting in high-volume, side-by-side campaigns.
The Flubot malware (aka Cabassous) is delivered to targets through SMS texts that prompt them to install a “missed package delivery” app or a faux version of Flash Player. If a victim falls for the ruse, the malware is installed, which adds the infected device to a botnet. Then, it sets about gaining permissions, stealing banking information and credentials, lifting passwords stored on the device and squirreling away various pieces of personal information.
The malicious implant also sends out additional text messages to the infected device’s contact list, which allows it to “go viral” – like the flu.
Apparently, Medusa likes the cut of Flubot’s jib: “Our threat intelligence shows that Medusa followed with exactly the same app names, package names and similar icons,” ThreatFabric researchers noted in a Monday analysis. “In less than a month, this distribution approach allowed Medusa to reach more than 1,500 infected devices in one botnet, masquerading as DHL.”
And that’s just for one botnet. ThreatFabric pointed out that Medusa has multiple botnets carrying out multiple campaigns.
Unlike Flubot, which mainly spreads in Europe, Medusa is more of an equal-opportunity threat when it comes to geography. Recent campaigns have targeted users from Canada, Turkey and the United States.
“After targeting Turkish financial organizations in its first period of activity in 2020, Medusa has now switched its focus to North America and Europe, which results in [a] significant number of infected devices,” ThreatFabric researchers noted. “Powered with multiple remote-access features, Medusa poses a critical threat to financial organizations in targeted regions.”
Medusa Bursts on the Scene
First discovered in July 2020, Medusa (related to the Tanglebot family of RATs) is a mobile banking trojan that can gain near-complete control over a user’s device, including capabilities for keylogging, banking trojan activity, and audio and video streaming. To boot, it has received several updates and improved in its obfuscation techniques as it hops on Flubot’s infrastructure coattails, researchers said.
For one, it now has an accessibility-scripting engine that allows actors to perform a set of actions on the victim’s behalf, with the help of Android Accessibility Service.
“By abusing Accessibility Services, Medusa is able to execute commands on any app that is running on a victim’s device,” researchers noted. “A command like ‘fillfocus’ allows the malware to set the text value of any specific text box to an arbitrary value chosen by the attacker, e.g., the beneficiary of a bank transfer.”
Accessibility events logging is a companion upgrade to the above. With a special command, Medusa can collect information about active windows, including the position of fields and certain elements within a user interface, any text inside those elements, and whether the field is a password field.
“Having all the data collected the actor is able to get a better understanding of the interface of different applications and therefore implement relevant scenarios for accessibility scripting feature,” according to ThreatFabric. “Moreover, it allows actor(s) to have deeper insight on the applications the victim uses and their typical usage, while also [being able] to intercept some private data.”
The following snippet shows the code that collects information about the active window by walking through its nodes:
Further, in examining Medusa’s back-end panels, researchers observed the malware’s operators marking banking apps with a “BANK” tag, to control/log the input fields.
“This means that any banking app in the world is at risk to this attack, even those who do not fall within the current target list,” they warned.
The command-and-control server (C2) can also command Medusa to carry out a wide variety of RAT work, including clicking on a specific UI element, sleeping, screenshotting, locking the screen, providing a list of recent apps and opening recent notifications.
Flubot Evolves Its Capabilities
The researchers also noticed that the addition of Medusa to the mix hasn’t slowed down Flubot’s own development. They explained that it now has a “novel capability never seen before in mobile banking malware.”
To wit: In version 5.4, Medusa picked up the ability to abuse the “Notification Direct Reply” feature of Android OS, which allows the malware to directly reply to push notifications from targeted applications on a victim’s device. The user isn’t aware of the activity, so Flubot can intercept the notifications unnoticed, opening the door to thwarting two-factor authentication and more, researchers said.
“Every minute the malware sends the statistics to the C2 about the notifications received,” they explained. “As a response, it might receive a template string that will be used to re-create an object of intercepted notification with updated parameters, thus allowing [Flubot] authors to arbitrarily change notification content…We believe that this previously unseen capability can be used by actors to sign fraudulent transactions on [a] victim’s behalf, thus making notifications [a] non-reliable authentication/authorization factor on an infected device.”
Another potential abuse of this functionality could be to respond to social-application interactions with “notifications” containing malicious phishing links.
“Considering the popularity of these type of apps and the strong focus of [Flubot] on distribution tactics, this could easily be the main MO behind this new Notification Direct Reply Abuse,” according to ThreatFabric.
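Both capabilities described above, the accessibility scripting and event logging that Medusa uses to read and fill fields, and the notification interception behind the Direct Reply abuse, only work once a sideloaded app has been granted privileged services that a user normally never hands to a "package delivery" app. A practical triage step for a suspected device is therefore to list which apps hold those grants and compare them with an allow list. The script below is an added example (not code from the article or from ThreatFabric) that parses the output of `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`. It assumes that notification interception goes through a notification-listener service (the article does not say which API Flubot uses), the allow list is a stand-in for a fleet's own known-good set, and the sample component names are constructed for the demo.

```python
"""Audit which apps on an Android device hold accessibility-service and
notification-listener access, the grants that accessibility scripting and
notification interception depend on.

Added example, not the article's or ThreatFabric's code.  Input is the text
returned by `settings get secure <name>`: `null`, empty, or `pkg/cls` entries
separated by ':'.  The allow list is an assumption; build your own from a
known-good device.
"""
import subprocess
from typing import Dict, List, Optional, Set

# Assumed allow list for this demo (TalkBack is a common legitimate service).
TRUSTED_COMPONENTS: Set[str] = {
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService",
}

# Constructed sample output, as a sideloaded "parcel tracker" might leave it.
SAMPLE_ACCESSIBILITY = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.parcel.tracker/.AccService"
)
SAMPLE_LISTENERS = "com.example.parcel.tracker/.NotifService"


def parse_components(raw: str) -> List[str]:
    """Split a settings value into fully qualified `pkg/cls` component names.

    Android allows the shorthand `pkg/.Cls` for `pkg/pkg.Cls`; expand it so
    that comparisons against the allow list are stable.
    """
    raw = raw.strip()
    if raw in ("", "null"):
        return []
    components = []
    for entry in raw.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # ignore malformed fragments rather than crash the triage
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        components.append(f"{pkg}/{cls}")
    return components


def package_of(component: str) -> str:
    """Return the package part of a `pkg/cls` component name."""
    return component.split("/", 1)[0]


def audit(accessibility_raw: str, listeners_raw: str,
          trusted: Set[str] = TRUSTED_COMPONENTS) -> Dict[str, List[str]]:
    """Flag components outside the allow list for each grant type.

    A package that holds both grants is reported separately: one app able to
    read and fill any window and to read and reply to notifications is the
    combination the article describes, and deserves the first look.
    """
    acc = parse_components(accessibility_raw)
    lis = parse_components(listeners_raw)
    untrusted_acc = [c for c in acc if c not in trusted]
    untrusted_lis = [c for c in lis if c not in trusted]
    both = sorted({package_of(c) for c in untrusted_acc}
                  & {package_of(c) for c in untrusted_lis})
    return {
        "untrusted_accessibility": untrusted_acc,
        "untrusted_listeners": untrusted_lis,
        "both_packages": both,
    }


def read_secure_setting(name: str, serial: Optional[str] = None) -> str:
    """Read one secure setting from a connected device via adb (needs adb on PATH)."""
    cmd = ["adb"] + (["-s", serial] if serial else [])
    cmd += ["shell", "settings", "get", "secure", name]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout


def main() -> None:
    # Runs against the constructed sample so it works offline; swap in
    # read_secure_setting("enabled_accessibility_services") etc. for a real device.
    report = audit(SAMPLE_ACCESSIBILITY, SAMPLE_LISTENERS)
    for key, items in report.items():
        print(f"{key}: {items if items else 'none'}")


if __name__ == "__main__":
    main()
```

On a real device, replace the sample strings with `read_secure_setting("enabled_accessibility_services")` and `read_secure_setting("enabled_notification_listeners")`; any package reported under `both_packages` that was not installed from a store is worth pulling the APK for.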