Two different Android banking Trojans, FluBot and Medusa, are relying on the same delivery vehicle as part of a simultaneous attack campaign, according to new research published by ThreatFabric.
The ongoing side-by-side infections are facilitated by the same SMS phishing (smishing) infrastructure, with the two campaigns overlapping in app names, package names and near-identical icons, the Dutch mobile security company said.
Medusa, first discovered targeting Turkish financial organizations in July 2020, has undergone several iterations, chief among which is the ability to abuse accessibility permissions in Android to siphon funds from banking apps to an account controlled by the attacker.
“Medusa sports other dangerous features like keylogging, accessibility event logging, and audio and video streaming — all these capabilities provide actors with almost full access to [a] victim’s device,” the researchers said.
The trojanized apps distributed alongside FluBot masquerade as DHL and Flash Player apps to infect devices. In addition, recent Medusa attacks have expanded beyond Turkey to Canada and the U.S., with the operators maintaining a separate botnet for each campaign.
FluBot (aka Cabassous), for its part, has received a novel upgrade of its own: the ability to intercept and potentially manipulate notifications from targeted applications on a victim’s Android device by leveraging the direct reply action, alongside auto-replying to messages from apps like WhatsApp to spread phishing links in a worm-like fashion.
“This functionality allows this malware to respond [via the command-and-control server] to notifications of targeted apps on the victim’s device,” the researchers said, adding that the technique “can be used to create fraudulent transactions for the victim by actors.”
This is not the first time Android malware has been found to propagate by creating auto-replies to WhatsApp messages. ESET and Check Point Research previously discovered rogue applications posing as Huawei Mobile or Netflix that used the same technique.
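The two permission surfaces described above, accessibility services (which Medusa abuses to move money inside banking apps) and notification listeners (which FluBot needs to read a notification and fire its direct-reply action), are both recorded in Android's Secure settings and can be pulled from a device with `adb shell settings get secure enabled_accessibility_services` and `adb shell settings get secure enabled_notification_listeners`. The following Python triage script is an added example, not code from ThreatFabric's report or from either malware family: it parses those two values, flags packages that are not on a vetted allowlist, highlights any package holding both bindings, and separately flags package names built around the DHL and Flash Player lures. The sample setting values, the vetted-package list and the lure keyword list are constructed for this example.

```python
"""Triage check for the two Android settings abused by Medusa (accessibility)
and FluBot/Cabassous (notification listener + direct reply).

Both settings hold a colon-separated list of flattened ComponentNames
("package/class"); `settings get secure <key>` prints "null" when a key has
never been written. Added example; sample data below is constructed.
"""
from __future__ import annotations

# Secure-settings keys read with `adb shell settings get secure <key>`.
ACCESSIBILITY_KEY = "enabled_accessibility_services"
LISTENER_KEY = "enabled_notification_listeners"

# Constructed sample output for this example (not captured from a real device).
SAMPLE_SETTINGS = {
    ACCESSIBILITY_KEY: (
        "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
        "com.dhl.parcel.tracker/.svc.A11yService:"
        "com.flashplayer.update/.AccessService"
    ),
    LISTENER_KEY: (
        "com.example.wearbridge/.NotificationBridge:"
        "com.dhl.parcel.tracker/.svc.NotifService"
    ),
}

# Hypothetical allowlist: packages an organisation has vetted for these bindings.
VETTED_PACKAGES = {"com.google.android.marvin.talkback", "com.example.wearbridge"}

# Package-name segments matching the lure themes named in the article. Adobe
# shipped no Android Flash Player after 2012, so any package advertising it is
# a lure by definition. Matching on whole segments keeps "flashlight" apps out.
LURE_SEGMENTS = {"dhl", "flash", "flashplayer"}


def parse_components(value: str | None) -> list[tuple[str, str]]:
    """Parse a colon-separated list of flattened ComponentNames.

    Mirrors ComponentName.unflattenFromString(): "pkg/.Cls" is shorthand for
    "pkg/pkg.Cls". Empty entries and the literal "null" are dropped.
    """
    if value is None or value.strip() in ("", "null"):
        return []
    components = []
    for entry in value.split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def looks_like_lure(package: str) -> bool:
    """True if any dot-separated segment of the package name is a lure keyword."""
    return any(seg.lower() in LURE_SEGMENTS for seg in package.split("."))


def triage(settings: dict[str, str], allowlist: set[str]) -> dict[str, list[str]]:
    """Flag packages holding the bindings the article's malware abuses.

    Returns sorted lists:
      accessibility - non-allowlisted packages bound as accessibility services
      listener      - non-allowlisted packages bound as notification listeners
      both          - non-allowlisted packages holding both bindings (can drive
                      the UI and read/reply to notifications: worst case)
      lure_names    - any bound package whose name carries a lure keyword
    """
    a11y = {pkg for pkg, _ in parse_components(settings.get(ACCESSIBILITY_KEY))}
    listeners = {pkg for pkg, _ in parse_components(settings.get(LISTENER_KEY))}
    return {
        "accessibility": sorted(a11y - allowlist),
        "listener": sorted(listeners - allowlist),
        "both": sorted((a11y & listeners) - allowlist),
        "lure_names": sorted(p for p in a11y | listeners if looks_like_lure(p)),
    }


if __name__ == "__main__":
    for category, packages in triage(SAMPLE_SETTINGS, VETTED_PACKAGES).items():
        print(f"{category:14s}: {packages or '-'}")
```

On a real device, feed the two `adb shell settings get secure` outputs into `triage()` in place of the constructed sample; a package that shows up under `both` deserves immediate isolation and a look at its APK, since that combination is exactly what on-device fraud and worm-style propagation need.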
“More actors are following Cabassous’ success with distribution techniques, appropriating disguised techniques and using the same distributor service,” the researchers stated. “Cabassous is constantly evolving and adding new features to make on-device fraud possible.”