Again?! Combating the Resurgence of the Medusa Banking Trojan

The resurgence of the Medusa banking trojan poses a significant threat to Android users in seven countries, stealing financial information through sophisticated methods. Banks and credit unions can protect customers by educating them on detection, removal and prevention strategies, fostering trust and security.

Just as the gaze of the mythical Medusa turned onlookers to stone, the recent resurgence of the Medusa banking trojan stunned banks and credit unions. Financial institutions continue to field calls from customers fearing they’ve been infected and that their financial assets have been wiped out.

By understanding and conveying the threat and mitigations to all stakeholders, officials at banks and credit unions can safeguard funds and forge a stronger connection with their customers and members.

A Stealthier Banking Trojan Re-emerges

The Medusa banking trojan first surfaced in 2020 to steal sensitive financial information from Android devices. It spread through phishing emails and messages from seemingly trustworthy sources, prompting users to unwittingly download and install the malware that surreptitiously steals banking credentials.

Its developers have continuously updated the trojan, adding sophisticated features like keylogging, screen capturing and remote-control capabilities. This adaptability allowed Medusa to bypass many traditional anti-malware defenses, contributing to its early successes.

One new feature allows the attacker to display a full black screen on the target device, creating the illusion that it is locked or turned off. This acts as camouflage for conducting malicious operations undetected.

Initial fervor died down until this summer, when security researchers at Cleafy released a report warning that a new, stealthier version of Medusa was gaining traction among Android users in seven countries: Canada, France, Italy, Spain, Turkey, the United Kingdom and the United States.

Those targeted countries distinguish Medusa, as threat actors typically prefer to target users in nations with less stringent cyber laws, according to Laurie Kirk, a Seattle-based software engineer turned security researcher. Otherwise, she says, “it’s doing what banking trojans have done basically since the dawn of time. That is, to perform gestures on behalf of the user and take control of the device, which is alarming for financial institutions in particular.”

This newest Medusa variant has elevated its social engineering game (Kirk noted some fake sites and apps look remarkably real) and advanced its evasion techniques, such as using polymorphic code to change its signature and avoid detection. As a result, financial institutions must be even more vigilant in gathering threat intelligence to find and track malicious campaigns based on their branding — and warn customers of such ploys.

How to Detect and Remove the Malware

The cybersecurity professionals interviewed for this piece advise banks and credit unions to alert staff and stakeholders about the threat and provide documentation that explains in accessible terms how to detect and remove the malware. They should also help consumers establish best practices to reduce future cyber risks. Leadership should consider sending out information on this and other dangerous and disruptive malware through chosen communications channels, including websites, blogs and/or direct mail.

Customer service departments may need to update their incident response playbooks to include the following, which comes from various cybersecurity websites.

Key signs that someone’s device is infected with the Medusa banking trojan (or similar malware):

  • Unusual battery drain or data usage
  • Unexpected app permissions
  • Slow device performance
  • Unexpected pop-ups or redirects
  • Unauthorized transactions on bank statements
  • Unexplained screenshots
  • Increased notifications

Actions advised for those who appear to have infected devices:

  • Uninstall all suspicious apps (presumably downloaded outside of the official Google Play store) that may be used to spread Medusa.
  • If the infection is pervasive or persistent, the user may need to bring the device to a trusted resource, such as the store where purchased, to have the malware removed.
  • Back up important data and then perform a factory reset on the Android device to remove any other potential malware.

Recommendations post-infection (and for anyone wanting to avoid becoming a victim):

  • Immediately change all banking passwords and login credentials using strong, unique passcodes for each account.
  • Set up multi-factor authentication, if they haven’t already.
  • Monitor all financial accounts for suspicious activity and replace cards or account numbers if needed.
  • Keep devices’ operating systems and apps up to date by installing the latest security patches.
  • Consider installing reputable mobile antivirus software for added protection.
  • Be extremely cautious about granting accessibility permissions to apps.
  • Stay vigilant for phishing attempts via texts or email. If unsure, contact a branch office to verify before clicking on a link or attachment.
  • Download apps only from official sources, like the Google Play store, and avoid what is called “sideloading” from unapproved distribution channels.
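Two items in the lists above can be checked on a device rather than merely observed: whether an app was installed from outside Google Play (sideloaded) and whether it has been granted accessibility access. The script below is an added example, not from the article or the researchers it quotes, that a support technician could run over the output of two standard adb commands (`adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`) to list third-party apps that match either sign. The package names and command output embedded here are constructed samples; the regex for the `pm` line format is an assumption about the typical `package:<name>  installer=<pkg>` layout.

```python
"""Triage helper: flag third-party Android apps that are sideloaded and/or
hold accessibility access, from adb command output (example code)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Installer package name of the Google Play store.
PLAY_STORE_INSTALLER = "com.android.vending"

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps
# with their installer). "installer=null" means no store recorded the install,
# which is what sideloaded or adb-installed apps typically show.
SAMPLE_PACKAGES = """\
package:com.example.bankapp  installer=com.android.vending
package:com.example.weather  installer=com.android.vending
package:com.fake.update  installer=null
package:com.example.reader  installer=com.amazon.venezia
"""

# Constructed sample of `adb shell settings get secure enabled_accessibility_services`:
# colon-separated "<package>/<service class>" entries.
SAMPLE_ACCESSIBILITY = (
    "com.fake.update/com.fake.update.svc.AccService:"
    "com.example.weather/.WidgetAccessibilityService"
)

# Assumed line layout of `pm list packages -i` output.
_PKG_LINE = re.compile(r"^package:(\S+)\s+installer=(\S+)\s*$")


def parse_installers(pm_output: str) -> dict[str, Optional[str]]:
    """Map each third-party package to its installer (None when 'null')."""
    installers: dict[str, Optional[str]] = {}
    for line in pm_output.splitlines():
        m = _PKG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        pkg, installer = m.groups()
        installers[pkg] = None if installer == "null" else installer
    return installers


def parse_accessibility(setting_value: str) -> set[str]:
    """Return the set of packages that own an enabled accessibility service."""
    pkgs: set[str] = set()
    for entry in setting_value.strip().split(":"):
        if not entry or entry == "null":
            continue
        pkgs.add(entry.split("/", 1)[0])  # keep the package part only
    return pkgs


@dataclass
class Finding:
    package: str
    reasons: list[str] = field(default_factory=list)

    @property
    def severity(self) -> str:
        # Both signs together is the combination the article warns about most.
        return "high" if len(self.reasons) > 1 else "review"


def triage(pm_output: str, setting_value: str) -> list[Finding]:
    """Flag third-party apps installed outside Play and/or holding accessibility access.
    System apps are not in the -3 listing, so they are deliberately not reported."""
    installers = parse_installers(pm_output)
    accessible = parse_accessibility(setting_value)
    findings: list[Finding] = []
    for pkg in sorted(installers):
        reasons = []
        if installers[pkg] != PLAY_STORE_INSTALLER:
            reasons.append("sideloaded")
        if pkg in accessible:
            reasons.append("accessibility")
        if reasons:
            findings.append(Finding(pkg, reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_PACKAGES, SAMPLE_ACCESSIBILITY):
        print(f"{f.severity:6} {f.package}  ({', '.join(f.reasons)})")
```

To run it against a real handset, save the two adb outputs to files and pass their contents to `triage()`. A "sideloaded" result is a prompt to review the app with the customer, not proof of infection: apps restored from a backup or installed by a carrier tool can also show `installer=null`, and legitimate tools such as screen readers need accessibility access.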

Building Trust in an Unsafe Cyber World

Dallas-based security researcher Aamir Lakhani believes banks and credit unions should take a more hands-on approach when protecting their users from cyber threats like Medusa, especially considering the widespread use of online and mobile banking today.

“Banks should be proactively reaching out to their customers to let them know not only about this attack but other types of attacks,” he says. “It’s the only way they’re going to get better at spotting fraudulent sites and apps.”

Lakhani says he recently visited a branch of a major bank and was pleasantly surprised to see lobby posters promoting cybersecurity best practices and technical support à la an Apple Store’s Genius Bar. “I remember thinking: This is super cool,” he says. “It’s demonstrating to customers that they are a partner in protecting your assets.”

He also cautioned iOS device users to not be complacent just because the Medusa banking trojan currently targets Android devices and not iPhones. “Medusa is really taking advantage of browser vulnerabilities in Chrome, and Chrome is essentially the default browser in the Android OS,” he says. “We shouldn’t be surprised if that methodology is adapted to other devices as well.”

Lakhani notes that both cybersecurity and financial industries are in the protection business. “It’s not just a place for people to put their money; it’s a place where they are comforted in feeling that money is safe. We shouldn’t shy away from reaching out to consumers and empowering them by providing information that they can use to do something as well.”

Medusa is Not Going Away Anytime Soon

As of mid-2024, the infection rate of the newest version of the Medusa banking trojan remained a significant concern worldwide. Cybersecurity experts anticipate Medusa will persist and possibly escalate, given its success in recent months. Meanwhile, cybercriminals are likely to continue enhancing the trojan’s capabilities, making it even more difficult to detect and remove.

“It’s a huge problem to try and stay on top of the latest threats,” Kirk admits. “I see these threats every day, so it’s at the forefront of my mind all the time. But most other people don’t think about it until they are actually scammed. Then you’d be amazed at how interested they are in this stuff, however niche it might be.”

Anne Saita is a San Diego-based freelance writer who has covered cybersecurity threats and solutions since 2000.

This article was originally published on . All content © 2024 by The Financial Brand and may not be reproduced by any means without permission.