Two different Android banking Trojans, FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign, according to new research published by ThreatFabric.
The ongoing side-by-side infections, facilitated through the same smishing (SMS phishing) infrastructure, involved the overlapping usage of “app names, package names, and similar icons,” the Dutch mobile security firm said.
Medusa, first discovered targeting Turkish financial organizations in July 2020, has undergone several iterations, chief among which is the ability to abuse accessibility permissions in Android to siphon funds from banking apps to an account controlled by the attacker.
“Medusa sports other dangerous features like keylogging, accessibility event logging, and audio and video streaming — all these capabilities provide actors with almost full access to [a] victim’s device,” the researchers said.
The malware-ridden apps used in conjunction with FluBot masquerade as DHL and Flash Player apps to infect the devices. In addition, recent attacks involving Medusa have expanded their focus beyond Turkey to include Canada and the U.S., with the operators maintaining multiple botnets for each of its campaigns.
FluBot (aka Cabassous), for its part, has received a novel upgrade of its own: the ability to intercept and potentially manipulate notifications from targeted applications on a victim’s Android device by leveraging the direct reply action, alongside auto-replying to messages from apps like WhatsApp to spread phishing links in a worm-like fashion.
“With this functionality, this malware is able to provide [command-and-control server] supplied responses to notifications of targeted applications on the victim’s device,” the researchers said, adding the functionality “can be used by actors to sign fraudulent transactions on victim’s behalf.”
This is not the first time Android malware has been found to propagate by creating auto-replies to messages in WhatsApp. Last year, ESET and Check Point Research uncovered rogue apps posing as Huawei Mobile and Netflix that employed the same modus operandi to perform the wormable attacks.
“More and more actors follow Cabassous’ success in distribution tactics, appropriating masquerading techniques, and using the same distribution service,” the researchers said. “At the same time, Cabassous keeps evolving, introducing new features and making another step towards being able to perform on-device fraud.”