Medusa is a banking trojan that first appeared in July 2020. New campaigns from this family were detected during the summer of that year, but no new samples were seen after September.
Since May 2021, however, several new samples of this family have been detected; they retain the trojan's main functionality and mark a resumption of its activity.
It will nonetheless be important to monitor the evolution of this family closely, since in the future it could introduce significant developments that improve the theft of credentials and private information from its victims.
Like most Android banking trojans, Medusa tries to get as much data as possible from the infected device, in addition to banking credentials. The theft of text messages helps attackers to carry out fraud after the theft of credentials, while the theft of the contact list enables distribution in new campaigns through spam.
Medusa takes advantage of several social networks such as Telegram, ICQ or Twitter to store the address of the control server to which the trojan must connect.
In this way, the attacker can update the control server without much difficulty, since the trojan retrieves the new address by visiting the social network profiles listed in the sample's code. This is nothing new either, as Anubis Bankbot has been using the same system for quite some time.
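As an added illustration of the dead-drop resolver pattern just described (example code written for this page, not taken from the original article or from any Medusa sample analysis): a defender-side heuristic that flags an app whose first contact with a never-before-seen host follows, within a short window, a fetch from one of the social platforms named above. The platform hostnames, the time window and the per-app log format are assumptions.

```python
"""Heuristic for the dead-drop resolver pattern: an app fetches a social
network profile and, shortly afterwards, opens its first connection to a host
it has never contacted before. Input is a list of constructed per-app network
events as (timestamp_seconds, package_name, host)."""

from collections import defaultdict

# Assumed hostnames of the platforms the text names as dead drops.
DEAD_DROP_HOSTS = {"t.me", "telegram.me", "icq.im", "icq.com", "twitter.com", "x.com"}
WINDOW_SECONDS = 60  # assumed max delay between profile fetch and new-host contact

def is_dead_drop_host(host: str) -> bool:
    """True if host is, or is a subdomain of, a listed dead-drop platform."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in DEAD_DROP_HOSTS)

def find_resolver_candidates(events, window=WINDOW_SECONDS):
    """Return (package, dead_drop_host, new_host, ts) for every app whose first
    connection to a previously unseen host follows a dead-drop fetch within `window`."""
    events = sorted(events, key=lambda e: e[0])
    seen_hosts = defaultdict(set)   # package -> hosts already contacted
    last_fetch = {}                 # package -> (ts, dead_drop_host) of latest fetch
    hits = []
    for ts, pkg, host in events:
        if is_dead_drop_host(host):
            last_fetch[pkg] = (ts, host)
        elif host not in seen_hosts[pkg] and pkg in last_fetch:
            fetch_ts, dead_drop = last_fetch[pkg]
            if 0 <= ts - fetch_ts <= window:
                hits.append((pkg, dead_drop, host, ts))
        seen_hosts[pkg].add(host)
    return hits

# Constructed sample log: a benign messenger and a suspicious app.
SAMPLE_EVENTS = [
    (50, "com.example.chat", "cdn.example.net"),
    (100, "com.example.chat", "t.me"),
    (105, "com.example.chat", "cdn.example.net"),    # already-known host, no hit
    (200, "com.suspicious.app", "twitter.com"),
    (212, "com.suspicious.app", "203.0.113.45"),     # first contact, 12 s later
    (900, "com.suspicious.app", "203.0.113.45"),     # known host, no new hit
]

if __name__ == "__main__":
    for hit in find_resolver_candidates(SAMPLE_EVENTS):
        print("dead-drop resolver pattern:", hit)
```

Legitimate apps that embed social links will also match occasionally, so treat a hit as a triage signal to correlate with the app's permissions and origin rather than as a verdict.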
For the time being, only Turkish banking entities have been observed among those that are affected, although the attackers behind this malware could begin to include new entities in search of an expansion to new countries.