Medusa malware was first identified in June 2020 as a strain of Android banking trojan. In a recent campaign, researchers observed Medusa targeting Canadian residents.
Medusa collects personal information, draws overlays, and steals credentials on command from the Threat Actor's (TA) Command and Control (C&C) server. Previously, this malware was delivered through droppers posing as legitimate apps on official stores. In this campaign the delivery mechanism is different.
In a recent Twitter post, a researcher informed the community that Medusa is spreading through a website posing as the official Canadian Government COVID-19 portal. The researcher noted that when the website is accessed from a mobile phone, it serves a fake Flash Player app. (Adobe discontinued Flash Player at the end of 2020 and no legitimate Flash Player exists for current Android versions, so any site pushing one is a red flag in itself.)
The page also displays instructions for installing the downloaded app, as shown in Figure 1. The researcher also mentioned that when the page is accessed from anything other than a mobile phone, it redirects visitors to Canada's official COVID-19 page, so only devices the TA can infect ever see the lure.
Malicious URL: hxxps://covid19-ca[.]link/Flash_Player.apk
Cyble Research Labs collected samples of Medusa malware and performed a detailed analysis. Based on this analysis, the team found that Medusa uses anti-analysis and security-evasion techniques, detailed in the full analysis below.
The Medusa malware sample uses the same icon as the Flash Player app, as shown in the figure below.
APK Metadata Information
APK File Info
- APP Name: Flash Player
- Package Name: com.ltrmht.nfzyqttg
- SHA256: 368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792
APK Manifest File Description
The fake app requests 40 permissions, of which 20 can be leveraged by the malware to collect victims' personal information, steal credentials, etc. These dangerous permissions are listed in the table below.

| Permission | Description |
| --- | --- |
| ACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION | Access device location (GPS and network-based), including while the app is in the background |
| ANSWER_PHONE_CALLS | Answer incoming phone calls |
| CAMERA | Access the device camera |
| GET_TASKS | Fetch currently running apps and tasks |
| READ_CONTACTS | Read the phone contacts |
| READ_EXTERNAL_STORAGE | Read external storage |
| WRITE_EXTERNAL_STORAGE | Modify external storage |
| READ_PHONE_STATE | Read phone state and device identifiers |
| RECORD_AUDIO | Record audio using the device microphone |
| CALL_PHONE | Place a phone call without going through the Dialer UI |
| READ_SMS | Read SMS messages stored on the device |
| REQUEST_INSTALL_PACKAGES | Request installation of further packages (sideloading prompt) |
| RECEIVE_SMS | Receive and process incoming SMS messages |
| SEND_SMS | Send SMS messages |
| SYSTEM_ALERT_WINDOW | Draw windows on top of other apps (overlays) |
| WRITE_SMS | Modify or delete SMS messages stored in the SMS database |
| BIND_ACCESSIBILITY_SERVICE | Declared on the accessibility service component so that only the system can bind to it; gives screen-reading and UI-automation capability once the user enables the service |
| BIND_DEVICE_ADMIN | Declared on the device admin receiver; lets the app act as a device administrator once activated |

Table 1: Permission List
Two of these deserve special attention: BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN. Strictly speaking they are not permissions the app is granted at install time; they are declared on the AccessibilityService and DeviceAdminReceiver components so that only the system can bind to them. The actual capability is obtained when the user enables the service under Settings > Accessibility or activates the admin app, which is why the malware's first action after launch is to push the user into enabling Accessibility.
The Accessibility Service is a background service that exists to aid users with disabilities. An app whose accessibility service is enabled receives the content of every window and can inject UI actions (clicks, gestures, the Back button).
Malware authors abuse this service to intercept and monitor everything happening on the device screen, including the credentials users type into any other app on the affected device, and to click through permission and settings dialogs on the user's behalf.
BIND_DEVICE_ADMIN allows the fake app to become a device administrator on the infected device. Medusa abuses this to lock the device, reset the screen lock PIN, etc., and an active device admin also cannot be uninstalled until it is deactivated.
Upon inspecting the APK's manifest file, we found three entry-point classes of the application:
- com.apple.iphoneeveni.p: the Application subclass. It executes first, before any Activity, whenever the app process starts. See Figure 3.
- com.ltrmht.nfzyqttg.MainActivity: the launcher activity, which executes and displays the starting page of the app.
- com.ltrmht.nfzyqttg.Receiver.BootReceiver: the broadcast receiver that executes on device reboot, giving the malware persistence.
Other Android component classes in the APK's manifest include com.ltrmht.nfzyqttg.VNCActivity and com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService.
Upon decompiling the APK, we observed that most of the classes declared in the manifest, including the ones mentioned above, are not present in the DEX. As shown in the figure below, the package containing those components is missing from the application's package list.
Only the Application subclass, com.apple.iphoneeveni.p, actually exists in the APK; every other class named in the manifest is absent, as shown in the previous figure. This mismatch between the manifest and classes.dex is the classic signature of a packer: the Application subclass runs first, decrypts the real payload and loads it before any of the missing components is needed.
Some of the other missing classes are listed in the table below.

| Missing Class Names |
| --- |

Table 2: Missing Classes Subset List
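The manifest-versus-DEX mismatch described above is cheap to check automatically. The script below is an added example, not Cyble's tooling: it parses the class definitions out of a DEX file (header, class_defs, type_ids, string_ids, string_data) and reports every manifest component that has no backing class. Because no real sample can be shipped with this page, it builds a tiny, structurally valid DEX containing only the Application subclass as a constructed stand-in; `classes_from_apk()` reads a real APK instead. The manifest class list is taken from the post; the DEX builder, its zeroed checksum/signature and the minimal class_def fields are assumptions of the example.

```python
"""Packer indicator: manifest components with no class in classes.dex."""
import struct
import zipfile

# Component classes named in the sample's manifest (from the blog post).
MANIFEST_CLASSES = [
    "com.apple.iphoneeveni.p",
    "com.ltrmht.nfzyqttg.MainActivity",
    "com.ltrmht.nfzyqttg.Receiver.BootReceiver",
    "com.ltrmht.nfzyqttg.VNCActivity",
    "com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService",
]


def _uleb128(value):
    """Encode an unsigned integer as ULEB128 (DEX string length prefix)."""
    out = bytearray()
    while True:
        byte = value & 0x7F
        value >>= 7
        if value:
            out.append(byte | 0x80)
        else:
            out.append(byte)
            return bytes(out)


def dex_class_names(dex):
    """Return the Java names of every class defined in a DEX blob."""
    if dex[:4] != b"dex\n":
        raise ValueError("not a DEX file")
    _, str_off = struct.unpack_from("<II", dex, 56)     # string_ids_size/off
    _, type_off = struct.unpack_from("<II", dex, 64)    # type_ids_size/off
    cls_size, cls_off = struct.unpack_from("<II", dex, 96)  # class_defs

    def string_at(idx):
        pos = struct.unpack_from("<I", dex, str_off + 4 * idx)[0]
        while dex[pos] & 0x80:      # skip ULEB128 UTF-16 length prefix
            pos += 1
        pos += 1
        end = dex.index(b"\x00", pos)
        return dex[pos:end].decode("utf-8")  # ASCII names: MUTF-8 == UTF-8

    names = []
    for i in range(cls_size):
        class_idx = struct.unpack_from("<I", dex, cls_off + 32 * i)[0]
        desc_idx = struct.unpack_from("<I", dex, type_off + 4 * class_idx)[0]
        desc = string_at(desc_idx)                 # e.g. "Lcom/foo/Bar;"
        names.append(desc[1:-1].replace("/", "."))
    return names


def classes_from_apk(path):
    """Union of class names over classes.dex, classes2.dex, ... in an APK."""
    found = set()
    with zipfile.ZipFile(path) as apk:
        for name in apk.namelist():
            if name.startswith("classes") and name.endswith(".dex"):
                found.update(dex_class_names(apk.read(name)))
    return found


def missing_components(manifest_classes, dex_classes):
    """Manifest components with no backing class: a strong packer hint."""
    return sorted(set(manifest_classes) - set(dex_classes))


def build_minimal_dex(class_names):
    """Construct a tiny DEX defining the given classes (sample data only;
    checksum and signature are left zero, so it is not loadable by ART)."""
    descs = ["L" + n.replace(".", "/") + ";" for n in class_names]
    n = len(descs)
    str_off, type_off = 0x70, 0x70 + 4 * n
    cls_off = type_off + 4 * n
    data_off = cls_off + 32 * n
    string_data, str_ids = b"", []
    for d in descs:
        str_ids.append(data_off + len(string_data))
        enc = d.encode("utf-8")
        string_data += _uleb128(len(enc)) + enc + b"\x00"
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\x00"
    # file_size, header_size, endian_tag
    struct.pack_into("<III", header, 32, data_off + len(string_data), 0x70, 0x12345678)
    struct.pack_into("<II", header, 56, n, str_off)
    struct.pack_into("<II", header, 64, n, type_off)
    struct.pack_into("<II", header, 96, n, cls_off)
    struct.pack_into("<II", header, 104, len(string_data), data_off)
    body = b"".join(struct.pack("<I", o) for o in str_ids)          # string_ids
    body += b"".join(struct.pack("<I", i) for i in range(n))        # type_ids
    # class_def_item: class_idx, access_flags, superclass_idx, interfaces_off,
    # source_file_idx, annotations_off, class_data_off, static_values_off
    body += b"".join(struct.pack("<8I", i, 1, 0xFFFFFFFF, 0, 0xFFFFFFFF, 0, 0, 0)
                     for i in range(n))
    return bytes(header) + body + string_data


# Constructed stand-in for the Medusa APK: only the Application subclass exists.
SAMPLE_DEX = build_minimal_dex(["com.apple.iphoneeveni.p"])

if __name__ == "__main__":
    for cls in missing_components(MANIFEST_CLASSES, dex_class_names(SAMPLE_DEX)):
        print("missing:", cls)
```

On a real sample, feed `classes_from_apk("Flash_Player.apk")` together with the component names pulled from the manifest (for example from `aapt dump xmltree`). A non-empty result does not prove malice on its own, since some commercial protectors produce the same pattern, but it tells you that static analysis of the APK as shipped will miss the code that matters and that the Application subclass is where to start.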
Upon installation, Medusa displays a YouTube icon on the device's home screen, as shown in Figure 5.
After the application is started, the malware asks the user to enable the Accessibility permission. Once this is enabled, the trojan uses the Accessibility Service to approve all the other requested permissions, including device admin, without further user interaction. The malware's behavior is explained below.
We also observed that the malware hides its icon after launch.
Source Code Analysis
Our source code investigation shows that the malware uses a custom packer that decrypts a DEX file from a file in the assets folder. After reverse-engineering the packer, we located the code used to decrypt the DEX file, shown in the figure below.
Using that code, we decrypted the DEX file. Upon inspecting it, we observed that it contains all the missing classes mentioned in Table 2.
SHA256 of the decrypted DEX file: f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4
Upon analyzing the unpacked DEX file, we observed that the malware uses heavy obfuscation to hide its malicious behavior from static analysis.
Based on the results of our analysis, we concluded that in the post-infection phase, Medusa collects personal information such as contacts, SMS messages, the application list, location, etc. For example, the figure below shows the code collecting contacts.
The malware collects information such as:
- Installed applications list
- Location information
- Device hardware information
- Battery status changes (logged)
- Screen on/off status (logged)
The malware also has the capability to perform other malicious activities, such as:
- Audio spying using the device microphone
- Sending SMS messages to a phone number provided by the TA
- Stealing data through overlay injections
- Stealing OTP codes using an SMS listener
- Initiating phone calls
- Locking the screen
- Initiating a Virtual Network Computing (VNC) connection with the TA
- Modifying audio settings
Medusa locks the device's screen using its device admin privileges. Figure 8 shows the code locking the device's screen.
The fake app also monitors and collects clipboard data from the infected device. Figure 9 shows the code used to monitor the clipboard.
Figure 10 shows the code that sends an SMS message to the number provided by the TA.
Medusa also allows the TA to connect to the victim's device over VNC.
Medusa abuses the Accessibility Service to monitor the device screen and harvest what is displayed or typed, such as credentials and user activity.
The trojan also auto-grants all the permissions the application requests, as described in the previous section. We further observed that the malware can prevent users from uninstalling the app or changing its permissions from the Settings app: it performs a global Back action whenever the user opens Settings, as shown in the figure below.
C&C server and Commands
Medusa collects all the information mentioned above and uploads it to the C&C server based on commands from the TA. The malware performs these activities in a background service class named com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService.
On startup, the malware first contacts a Telegram bot and retrieves the C&C server URL from it in encoded form. Using a public web service as a dead-drop resolver lets the TA rotate C&C infrastructure without rebuilding the APK. The Telegram bot's URL is hxxps://t[.]me/jjjsdjghjhg
The response from the Telegram bot is shown in the figure below.
Upon investigation, we found that the TA encodes the C&C URL with Base64 plus a custom encoding layer. Figure 14 shows the code used by the malware to decode the TA-provided encoded URL.
C&C Server URL: sock.godforgiveuss[.]live:20027
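The dead-drop pattern above (fetch the C&C location from Telegram, then talk to a bare host on a non-standard port) is visible in network logs even after the TA rotates the C&C host. The script below is an added example, not part of Cyble's analysis: it runs over a few constructed log lines (timestamp, client, server host, destination port), flags any hit on the C&C indicator the post names, and separately flags a client that contacts t.me and then, within five minutes, connects to a port other than 80/443. The log format, the five-minute window and the Telegram host list are assumptions of the example.

```python
"""Hunt for Telegram-dead-drop followed by non-standard-port C&C traffic."""
import re
from datetime import datetime, timedelta

# Constructed sample log: time, client IP, server host, destination port.
SAMPLE_LOG = """\
2022-02-01T10:00:01 10.0.0.12 t.me 443
2022-02-01T10:00:04 10.0.0.12 sock.godforgiveuss.live 20027
2022-02-01T10:05:00 10.0.0.33 t.me 443
2022-02-01T10:05:10 10.0.0.33 web.telegram.org 443
2022-02-01T11:00:00 10.0.0.44 example.com 22
"""


def refang(indicator):
    """Turn the defanged form used in the post ('[.]') back into a hostname."""
    return indicator.replace("[.]", ".").lower()


# Indicator from the post, kept in its defanged form at the source.
KNOWN_C2 = {(refang("sock.godforgiveuss[.]live"), 20027)}
TELEGRAM_HOSTS = {"t.me", "telegram.me"}   # assumed dead-drop hosts
STANDARD_PORTS = {80, 443}
WINDOW = timedelta(minutes=5)               # assumed correlation window

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Parse log lines into (timestamp, client, host, port), time-ordered."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                        # skip malformed lines
        ts, src, host, port = m.groups()
        events.append((datetime.fromisoformat(ts), src, host.lower(), int(port)))
    return sorted(events)


def detect(events):
    """Return (client, rule, target) alerts for C&C hits and dead-drop sequences."""
    alerts = []
    last_telegram = {}                      # client -> time of last t.me contact
    for ts, src, host, port in events:
        if (host, port) in KNOWN_C2:
            alerts.append((src, "known-c2", f"{host}:{port}"))
        if host in TELEGRAM_HOSTS:
            last_telegram[src] = ts
            continue
        seen = last_telegram.get(src)
        if seen is not None and ts - seen <= WINDOW and port not in STANDARD_PORTS:
            alerts.append((src, "telegram-then-nonstd-port", f"{host}:{port}"))
    return alerts


if __name__ == "__main__":
    for src, rule, target in detect(parse_log(SAMPLE_LOG)):
        print(f"{src}\t{rule}\t{target}")
```

The indicator match is the confident signal; the sequence rule is a hunting lead, because Telegram use is common on phones and some legitimate apps use unusual ports, so tune it with an allowlist before alerting on it. Note that the same rule also catches the next campaign once the TA swaps the domain behind the same Telegram bot.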
A subset of the commands understood by Medusa is listed in the table below.

| Command | Action |
| --- | --- |
| keylog | Start key logging |
| sendsms | Send SMS to a number provided by the TA |
| getcontacts | Collect and upload contacts from the victim's device |
| lockscr | Lock the victim's device screen |
| updateinfo | Update device info |
| call | Initiate a call without the victim's interaction |
| cmdex | Execute a command provided by the TA |

Table 3: Subset of C&C Command List
The code used to check the command and perform actions is shown in the below figure.
As covered in prior Cyble blogs, we have observed an increase in the number of Android banking trojans recently. Malware authors keep adopting new techniques to steal information and money from their victims, and these TAs are also incorporating new obfuscation and packing techniques to evade detection. Medusa is the latest example of this trend.
Medusa and similar trojans can be avoided by following some basic cyber hygiene practices on mobile devices.
We have listed some of the essential cybersecurity best practices that form the first line of defense against attackers. We recommend that our readers follow the best practices given below:
- If you find this malware on your device, remove it with adb uninstall or perform a factory reset. Note that an active device admin cannot be uninstalled, even over adb, until it is deactivated, and the Accessibility Service will fight you in Settings; reboot into safe mode (third-party apps do not run there), deactivate the device admin under Settings > Security, then uninstall.
- Use the shared IoCs to monitor for and block this infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your operating system and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from official app stores, and never sideload a "Flash Player" or other plugin a website tells you to install.
MITRE ATT&CK® Techniques

| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Defense Evasion | T1444 | Masquerade as Legitimate Application |
| Credential Access | T1412 | Capture SMS Messages |
| Credential Access | T1409 | Access Stored Application Data |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery | T1507 | Network Information Discovery |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contact List |
| Command and Control | T1571 | Non-Standard Port |
| Impact | T1447 | Delete Device Data |
Indicators of Compromise (IoCs):

| Indicator | Type | Description |
| --- | --- | --- |
| 368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792 | SHA256 | Hash of APK sample 1 |
| 3fbcf74876ae8d6845d93be6fd747a7cc38afda00bb650443d3d52281535888b | SHA256 | Hash of APK sample 2 |
| f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4 | SHA256 | Hash of the unpacked DEX file in APK 1 |
| 9077ea927804e596ebc4500841a8066f7740b4c0bc89206672642879f1935e1e | SHA256 | Hash of the unpacked DEX file in APK 2 |
| hxxps://covid19-ca[.]link/ | URL | Phishing page used to deliver the APK |
| hxxps://covid19-ca[.]link/Flash_Player.apk | URL | Download URL of the fake Flash Player APK |
| hxxps://t[.]me/jjjsdjghjhg | URL | Telegram bot URL that serves the encoded C&C URL |
| sock.godforgiveuss[.]live:20027 | Domain:Port | C&C server |
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.