
Medusa malware variants targeting Android users across 7 countries


The Medusa banking trojan has resurfaced with new, more compact variants targeting Android users.

 

What happened?

The Medusa malware, also known as the Medusa banking trojan or TangleBot, has re-emerged with new variants targeting Android users in France, Italy, the United States, Canada, Spain, the United Kingdom, and Turkey. After maintaining a low profile for nearly a year, the malware has been active again since May 2024. These variants, which require fewer permissions and offer new features, attempt to initiate transactions directly from compromised devices. 

The recent campaigns were identified by Cleafy's threat intelligence team.

Go deeper: New Medusa malware variants target Android users in seven countries

 

Going deeper 

Originally discovered in 2020 as an Android malware-as-a-service (MaaS) operation, Medusa provides functionalities like keylogging, screen controls, and SMS manipulation.

Despite sharing its name, this operation is distinct from the Medusa ransomware gang and the Mirai-based botnet used for distributed denial-of-service (DDoS) attacks.

 

In the know

Malware-as-a-Service (MaaS) is a business model used by cybercriminals where malware is offered for sale or lease, often via online platforms. Similar to legitimate software-as-a-service (SaaS) models, MaaS allows individuals with limited technical skills to deploy sophisticated malware campaigns. Here are the key aspects of MaaS:

  • Accessibility: MaaS platforms make it easier for less technically skilled individuals to carry out cyber attacks by providing user-friendly interfaces and support.
  • Subscription models: MaaS often operates on a subscription basis, where customers pay a regular fee for continued access to the malware and updates.
  • Customization: Customers can customize the malware to suit their specific needs, such as targeting particular systems, avoiding certain defenses, or including specific features.
  • Support and services: Many MaaS providers offer customer support, including technical assistance, updates, and even tutorials or guides to help users deploy the malware effectively.
  • Anonymity: These platforms often operate on the dark web, offering anonymity to both the providers and their customers, making it difficult for law enforcement to track them down.
  • Scalability: MaaS allows cybercriminals to scale their operations quickly and efficiently, distributing their malware to a larger audience without needing to develop the malware themselves.


 

Why it matters

Malware-as-a-Service (MaaS) matters all the more as Bring Your Own Device (BYOD) policies become common in organizations. BYOD allows employees to use their personal devices, such as smartphones, tablets, and laptops, for work purposes. While this practice offers benefits such as increased flexibility and reduced costs for employers, it also introduces several cybersecurity challenges that MaaS can exploit. Here's why MaaS is particularly concerning with the rise of BYOD:

  • Increased attack surface: BYOD policies expand the number of devices accessing corporate networks, increasing the potential entry points for cyberattacks. MaaS makes it easier for attackers to compromise these personal devices, which may not have the same level of security as corporate-managed devices.
  • Inconsistent security practices: Personal devices used in a BYOD environment often lack uniform security controls. Employees might not follow best practices for securing their devices, making them more vulnerable to malware infections facilitated by MaaS.
  • Data privacy risks: Compromised personal devices can lead to unauthorized access to sensitive corporate data. MaaS providers offer sophisticated malware that can steal data, perform keylogging, and manipulate communications, exacerbating the risk of data breaches in a BYOD setting.
  • Difficulty in enforcement: It is challenging for organizations to enforce security policies uniformly across a diverse range of personal devices. MaaS exploits this inconsistency by providing tailored malware that can bypass weaker security measures on less protected devices.
  • Rapid spread and evolution: MaaS platforms allow malware to be rapidly distributed and updated. This means that new variants can quickly adapt to bypass security measures, making it harder for organizations to defend against these threats in a BYOD environment.
  • Lower barrier to entry for attackers: The ease of access to MaaS means that a wider range of cybercriminals, including those with limited technical skills, can launch sophisticated attacks. This increases the overall volume and diversity of threats targeting personal devices used in BYOD setups.

 

FAQs

What is BYOD?

Bring Your Own Device (BYOD) is a policy where employees are allowed to use their personal devices, such as smartphones, tablets, and laptops, for work-related activities.

 

What are the main security challenges of BYOD?

The main security challenges include managing a diverse range of devices, ensuring consistent security practices, protecting sensitive corporate data, and dealing with potential malware infections.

 

How can organizations ensure the security of personal devices in a BYOD setup?

Organizations can implement mobile device management (MDM) solutions, enforce strong password policies, require the use of security software, provide regular cybersecurity training, and establish clear BYOD policies.

Go deeper: Best practices for implementing a secure BYOD policy

 

What should employees do to secure their personal devices used for work?

Employees should keep their devices updated with the latest security patches, use strong passwords, install reputable security software, avoid downloading suspicious apps, and follow the organization's security policies and guidelines.

See also: How to separate work and personal data when using your own devices
