Cyber Security News

Medusa Android Banking Trojan Attacks Users to Steal Online Credentials & Perform Financial Fraud

Medusa is a mobile threat, and it is being distributed via SMS-phishing infrastructure. The operators of this banking trojan are attacking the users to steal online credentials and perform financial fraud.

However, this banking trojan attack has been detected by the cybersecurity researchers of ThreatFabric. And they have stated this threat attack is similar to Flubot, which is Android spyware, and this type of attack creates a lot of damage; that’s why we can say that it initiate high-volume side-by-side campaigns.

Medusa on the Rise

After doing a proper analysis, it has been claimed that Medusa is also known as TangleBot, and they have noticed a huge increase in its distribution.

However, the hackers of this Banking trojan are continuously targetting users from:-

  • North America
  • Europe

And the threat actors are using these similar distribution services that have been used in FluBot malware.

Moreover, the researchers have used the free dynamic DNS that are It’s quite similar to the FluBot malware; therefore, it’s not the first time for experts to encounter such a cybersecurity attack and trojan.

And apart from this, the researchers also claimed that the operators of Medusa are using a similar distribution service like FluBot because they know how widely this technique gets spread.


Moreover, the security experts have detected some actions that we have mentioned below:-

  • home_key – Performs HOME global action
  • ges – Executes a specified gesture on the screen of the device
  • fid_click – Clicks on the UI element with the specified ID
  • sleep – Sleeps (waits) for the specified number of microseconds
  • recent_key – Shows overview of the recent apps
  • scrshot_key – Performs TAKE_SCREENSHOT global action
  • notification_key – Opens the active notifications
  • lock_key – Locks the screen
  • back_key – Performs BACK global action
  • text_click – Clicks on the UI element that has specified text displayed
  • fill_text – Not implemented yet

Cabassous in charge

This is not the first time the experts are dealing with such attacks. However, a very new version of FluBot has been detected that is known as Cabassous.

This time the operators have implemented a new feature that is Directly Reply to every type of push notification. Moreover, Cabassous is the very first banking Trojan that uses Android Nougat’s direct reply feature.

Not only this, but this specific malware provides C2 supplied responses to notification of the targeted application, and that is also in the targetted victim’s device.

To stay protected from these kinds of malware infections, users must always treat strange URLs sent from their contact list as untrustworthy because these kinds of URLs were being sent by malware on the victim’s device.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Recent Posts

Hackers Leveraging New Social Engineering To Run PowerShell And Install Malware

Hackers use social engineering as it focuses on the psychological rather than technological aspects of…

2 hours ago

Hackers Attacking Hotel Owners & Employees as Potential Guests

Since last summer, hotel owners and employees have grappled with a surge in malicious e-mails…

2 hours ago

New OPIX Ransomware Encrypting Files With Random Character String

A recently identified ransomware variant dubbed OPIX encrypts user files using a random character string…

3 hours ago

Empire Market Founders Charged for Operating $430 Million Dark Web Marketplace

Two men have been charged in federal court in Chicago with operating “Empire Market,” a…

4 hours ago

Multiple VMware vCenter Server Flaws Allow Remote Code Execution

VMware has released a critical security advisory, VMSA-2024-0012, addressing multiple vulnerabilities in VMware vCenter Server,…

5 hours ago

Chinese Threat Actors Hacking F5 Load Balancers for Last Two Years

Hackers often focus on F5 Load Balancers for several reasons, as these are many enterprise…

6 hours ago