Medusa Android banking Trojan

Medusa is a mobile threat distributed via SMS-phishing infrastructure. The operators of this banking trojan attack users to steal online credentials and perform financial fraud.

The attack was detected by cybersecurity researchers at ThreatFabric, who state that it is similar to FluBot, which is Android spyware. This type of attack causes a lot of damage, which is why it can be said to initiate high-volume, side-by-side campaigns.

Medusa on the Rise

After analysis, it has been claimed that Medusa is also known as TangleBot, and the researchers have noticed a huge increase in its distribution.

The operators of this banking trojan are continuously targeting users from:

  • North America
  • Europe

The threat actors are using distribution services similar to those used for the FluBot malware.

Moreover, the researchers have used the free dynamic DNS that are … It is quite similar to the FluBot malware, so this is not the first time experts have encountered such an attack and trojan.

Apart from this, the researchers also claim that the operators of Medusa use a distribution service similar to FluBot's because they know how widely this technique spreads.


Moreover, the security experts have detected the following actions:

  • home_key – Performs HOME global action
  • ges – Executes a specified gesture on the screen of the device
  • fid_click – Clicks on the UI element with the specified ID
  • sleep – Sleeps (waits) for the specified number of microseconds
  • recent_key – Shows overview of the recent apps
  • scrshot_key – Performs TAKE_SCREENSHOT global action
  • notification_key – Opens the active notifications
  • lock_key – Locks the screen
  • back_key – Performs BACK global action
  • text_click – Clicks on the UI element that has specified text displayed
  • fill_text – Not implemented yet
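
A defender-side triage heuristic built on the command names listed above, as an added example that is not code from ThreatFabric or from the original article: it checks a strings dump from an app under analysis for those names as whole tokens. The threshold, the set of names treated as too generic to count, and both sample dumps are assumptions constructed for illustration.

```python
import re

# Command names exactly as listed in the article.
MEDUSA_COMMANDS = {
    "home_key", "ges", "fid_click", "sleep", "recent_key", "scrshot_key",
    "notification_key", "lock_key", "back_key", "text_click", "fill_text",
}
# Assumption: these two are short or common enough to appear in benign apps,
# so they are reported but never count towards the flag.
GENERIC = {"ges", "sleep"}

# Whole identifiers only, so "messages" does not match "ges"
# and "back_key_pressed" does not match "back_key".
TOKEN = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def command_hits(strings):
    """Return the listed command names that occur as whole tokens."""
    hits = set()
    for s in strings:
        hits.update(t for t in TOKEN.findall(s) if t in MEDUSA_COMMANDS)
    return hits


def triage(strings, min_distinctive=4):
    """Flag a strings dump when enough distinctive command names co-occur.

    min_distinctive is an assumed threshold, not a published value.
    """
    hits = command_hits(strings)
    distinctive = hits - GENERIC
    return {
        "hits": sorted(hits),
        "distinctive": sorted(distinctive),
        "flag": len(distinctive) >= min_distinctive,
    }


# Constructed sample dumps (not taken from any real application).
SUSPICIOUS = ["home_key", "back_key", "fid_click", "text_click",
              "scrshot_key", "sleep", "Lcom/example/app/MainActivity;"]
BENIGN = ["Thread.sleep", "messages", "back_key_pressed", "lock_key"]

if __name__ == "__main__":
    for name, dump in (("suspicious", SUSPICIOUS), ("benign", BENIGN)):
        print(name, triage(dump))
```

A hit is only a reason to look closer: samples that obfuscate or encrypt their strings will not match, and a match should be confirmed by checking whether the app requests an accessibility service.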

Cabassous in charge

This is not the first time experts have dealt with such attacks. However, a very new version of FluBot, known as Cabassous, has been detected.

This time the operators have implemented a new feature: direct reply to every type of push notification. Moreover, Cabassous is the very first banking trojan that uses Android Nougat's direct reply feature.

In addition, this malware provides C2-supplied responses to notifications of the targeted applications on the victim's device.

To stay protected from these kinds of malware infections, users must always treat strange URLs sent from their contact list as untrustworthy, because these kinds of URLs are sent by malware on the victim's device.

Gurubaran is a Security Consultant, Security Editor & Co-Founder of Cyber Security News & GBHackers On Security.