Medusa and FluBot: bogus apps attacking your bank accounts?
Its name has been known since July 2020. The Medusa banking trojan (Trojan horse) is once again in the news following the publication of a study by ThreatFabric, spotted by the Presse-Citron website. In short, it is a computer program that hides behind a fake application in APK format, and which, once downloaded, allows the hackers who are at work to siphon off your bank accounts.
Contents
Beware of APK files
The Android operating system allows its users to free themselves from the Google Play Store to rummage on the Internet and find other applications. There, everyone can find the small digital boxes that are the APK (Android Package, equivalent of Windows EXE), which in fact contain all the files necessary to install an application. However, apart from the Play Store, these are not always secure and may contain malicious files.
This is what banking trojans such as “Medusa” or “FluBot” rely on, which have improved a lot since they were first spotted.
How does banking malware work?
“Medusa” hides in fake APK files that appear to be apps, with names like “DHL” or “Flash Player”. Once you have fallen into the trap, this malware will have the ability to siphon off your bank accounts by abusing the accessibility permissions of your other apps. This is made much easier thanks to his latest updates, which have armed him with a “semi-ats” ability or “automated transfer system”powered by a “accessibility scripting engine”. This system leverages Android’s Accessibility Service to allow attackers to take control of apps and perform actions on a victim’s device. Therefore, the victim’s smartphone can be both monitored and controlled by an external attacker.
But that’s not all, “Medusa has other dangerous features such as keystroke logging, accessibility event logging, and audio and video streaming. All of these capabilities allow for near-total access to the victim’s device.”
can also be read in the ThreatFabric study.
On the “FluBot” side, which spreads in the same way as “Medusa”, or through WhatsApp links, it is the new automatic response system of Android smartphones that is exploited. The authors of ThreatFabric explain that“With this feature, the malware can use a list of notification responses pulled from the hackers’ server and control center”. In other words, the hacker can confirm banking transactions by replying to the victim’s name.
An epidemic of computer viruses
ThreatFabric ensures that 1,784 devices were successfully infected with “Medusa”, in just 24 days. While it was most often spotted in Turkey, it has now spread to the United States and Canada. The study also confirms that 27 American banking applications, 17 Spanish banking applications and 15 Turkish banking applications were targeted by these campaigns.
So, if you don’t want to be bothered by this kind of malware, be careful what you download, the easiest way is to stick to the catalog of the Google Play Store and uninstall applications downloaded outside of the latter as soon as possible.
