fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Medusa Malware Ramps up Android SMS Phishing Attacks

Medusa Malware Ramps up Android SMS Phishing Attacks

The Medusa Android banking Trojan is seeing increased infection rates as it targets more geographic regions to steal online credentials and perform financial fraud.

Today, researchers at ThreatFabric have published a new report detailing the latest tricks employed by the Medusa malware and how it continues to evolve with new features.

Medusa on the rise

Medusa (aka TangleBot) is not a novel banking trojan, but it has seen increased distribution, with campaigns now targeting North America and Europe using the same distribution service as the notorious FluBot malware.

Also Read: PDPA compliance for Singapore schools

BleepingComputer previously reported that the Medusa and FluBot trojans had previously used ‘duckdns.org,’ a free dynamic DNS abused as a delivery mechanism, so this is not the first sign of overlap between the two.

In a new report by ThreatFabric, researchers have discovered that MedusaBot is now using the same service as FluBot to perform smishing (SMS phishing) campaigns.

“The samples seen in side-by-side campaigns with Cabassous are identified by the actors themselves with the tags FLUVOICE, FLUFLASH and FLUDHL (possibly as a reference to the corresponding Cabassous/Flubot campaigns),” ThreatFabric explains in their report.

The researchers believe that the Medusa threat actors began using this distribution service after seeing how widely spread and successful FluBot’s campaigns had become.

Medusa’s main strength lies in its abuse of the Android ‘Accessibility’ scripting engine, which enables actors to perform various actions as if they were the user. 

These actions are:

  • home_key – Performs HOME global action
  • ges – Executes a specified gesture on the screen of the device
  • fid_click – Clicks on the UI element with the specified ID
  • sleep – Sleeps (waits) for the specified number of microseconds
  • recent_key – Shows overview of the recent apps
  • scrshot_key – Performs TAKE_SCREENSHOT global action
  • notification_key – Opens the active notifications
  • lock_key – Locks the screen
  • back_key – Performs BACK global action
  • text_click – Clicks on the UI element that has specified text displayed
  • fill_text – Not implemented yet

All in all, it’s a highly capable banking trojan with keylogging features, live audio and video streaming, remote command execution options, and more.

Also Read: November 2021 PDPC Incidents and Undertaking: Lessons from the Cases

Manual input field changing
Manual input field changing
Source: ThreatFabric

ThreatFabric was able to gain access to the malware’s backend administration panel and found that its operators can edit any field on any banking app running on the device. This feature allows the malware to target almost any banking platform with fake phishing login forms to steal credentials.

Source: ThreatFabric

The malware is commonly distributed spoofed DHL or Purolator apps, but the researchers also saw packages masquerading as Android Update, Flash Player, Amazon Locker, and Video Player.

Fake DHL APKs all containing Medusa
Fake DHL APKs containing Medusa or Flubot (Cabassous)
Source: ThreatFabric

These APKs are manually installed by the victims themselves, who receive an SMS message with a URL leading to a site pushing the malicious Android app.

To prevent being infected by these malware infections, always treat strange URLs sent from your contact list as untrustworthy as they may have been sent by malware on the senders’ device.

As always, do not, under any circumstance, download APKs from unknown websites, as they invariably lead to malware infections.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us