Medusa Malware Spreading Via Fake Canadian Government Covid-19 portal

Medusa malware was initially identified in June 2020, as a strain of Android Banking Trojan. In a recent campaign, Researchers observed the Medusa malware targeting Canadian residents.

Medusa collects personal information, creates an overlay, and steals credentials based on the Threat Actor’s (TA) commands from the Command and Control (C&C) Server. Previously, this malware was infecting systems through droppers posing as legitimate apps from official stores. However, in this instance, the delivery mechanism is different.

In a recent Twitter post, a researcher informed the community that Medusa is spreading through a website posing as the official Canadian Government COVID-19 portal. The researcher noted that when the website was accessed through mobile phones, the malware delivers a fake Flash Player app.

Additionally, the page displays the instructions to install the downloaded app, as shown in Figure 1. The researcher also mentioned that when the page was accessed from sources other than mobile phones, it redirects visitors to Canada’s official COVID-19 page.

Malicious URL: hxxps://covid19-ca[.]link/Flash_Player.apk

Figure 1: Fake page in Mobile Device deliver Fake Flash Player app (Ref: Twitter Post)

Cyble Research Labs has collected samples of Medusa malware and performed a detailed analysis. Based on this analysis, the team found that Medusa uses anti-analysis and security evasion techniques as detailed in our full analysis below.

Technical Analysis

The Medusa malware sample shares the same icon of the Flash Player app, as shown in the figure below.

Figure 2: APK Metadata Info

APK Metadata Information

APK File Info

  • APP Name: Flash Player
  • Package Name: com.ltrmht.nfzyqttg
  • SHA256: 368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792

APK’s Manifest File Description

The fake app requests 40 permissions, out of which the malware can leverage 20 permissions to collect victims’ personal information, steal credentials, etc. These dangerous permissions are listed in the table below.

Permission NameDescription
ACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATIONAccess device location (with the help of GPS and Phone network)
ANSWER_PHONE_CALLSAllows the app to answer the phone call
CAMERAAccess device’s camera
GET_TASKSFetch currently running apps and processes
READ_CONTACTSAccess to phone contacts
READ_EXTERNAL_STORAGEAccess device external storage
WRITE_EXTERNAL_STORAGEModify device external storage
READ_PHONE_STATE Access phone state and information
RECORD_AUDIOAllows to record audio using device microphone
CALL_PHONEPerform call without user intervention
READ_SMSAccess user’s SMSs stored in the device
REQUEST_INSTALL_PACKAGESInstall applications without user interaction
RECEIVE_SMSFetch and process SMS messages
SEND_SMSAllows the app to send SMS messages
SYSTEM_ALERT_WINDOWAllows to display system alerts over other apps
WRITE_SMSModify or Delete SMSs Stored in Database
BIND_ACCESSIBILITY_PERMISSIONAllows to access device’s Accessibility Service
BIND_DEVICE_ADMINAllows the app to act as Admin App

Table 1: Permission List

The malware has requested two extremely dangerous permissions, BIND_ACCESSIBILITY_PERMISSION and BIND_DEVICE_ADMIN.

Accessibility Service is a background service running on the device to aid users with disabilities. BIND_ACCESSIBILITY_SERVICE permission allows the app to access the Accessibility Service.

Malware authors abuse this service to intercept and monitor all activities happening on the device screen. An example of this activity is the ability to intercept the credentials utilized by users on any app on the affected device.

BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Medusa abuses this permission to lock the device, reset the screen lock PIN, etc.

Upon inspecting the APK’s manifest file, we found three entry points classes of the application:

  1. The class executes first when the user starts the app from the device screen. is the application subclass. Refer Figure 3.
Figure 3: Code in Application Subclass

  • com.ltrmht.nfzyqttg.MainActivity: The activity class which executes and displays the starting page of the app.
  • com.ltrmht.nfzyqttg.Receiver.BootReceiver: The receiver class which executes upon device reboot.

Other Android component classes in the APK’s manifest include com.ltrmht.nfzyqttg.VNCActivity, com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService.

Upon decompiling the APK, we observed that the malware is missing some classes, such as the ones mentioned above.  As shown in the figure below, the package related to the classes is missing from the application packages list.

Figure 4: Classes Missing in APK

We also found that the APK contains only the application subclass. The rest of the classes in the manifest are not present in the APK, as shown in the previous figure.

Some of the other missing classes are listed in the table below.

Missing Class Names
com.ltrmht.nfzyqttg. InjectionHtmlActivity

Table 2: Missing Classes Subset List

Initial Behavior

Upon installing the application, Medusa malware displays the YouTube icon on the device’s home screen, as shown in Figure 5.

After starting the application, the malware requests the user to enable Accessibility permission. Once this permission is enabled, the trojan enables all the requested permissions, including BIND_DEVICE_ADMIN, without user interaction. The malware’s behavior is explained below.

Figure 5: Malware behavior before and after starting the app

We also observed that the malware hides its icon after launch.

Source Code Analysis

Our source code investigation shows that the malware uses a custom packer software that decrypts a DEX file from a file in the assets folder. Upon completing a reverse-engineering procedure, we found the code used to decrypt the DEX file. This code is shown in the figure below.

Figure 6: Code to decrypt the embedded DEX File

With the help of the code shown above, we decrypted the DEX file. Upon inspecting the DEX file, we observed that the file contains all the missing classes mentioned in Table 2.

Hash of the DEX file: f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4

Upon analyzing the unpacked DEX file, we observed that the malware uses complex obfuscation techniques to hide the malicious behavior from static analysis.

Based on the results of our analysis, we concluded that in the post-infection phase, Medusa malware collects personal information such as Contacts, SMS, Application List, Location, etc. For example, the figure below shows the code collecting contacts.

Figure 7: Code to Collect Contacts

The malware collects information, such as:

  • Contacts
  • SMSs
  • Installed applications list
  • Location information
  • Device hardware information
  • Log battery variations
  • Log screen status

The malware also has the capability to perform other malicious activities, such as:

  • Audio spying using device microphone
  • Send SMS to a phone number provided by TA
  • Steal data by injecting code
  • Steal OTP credentials using SMS listener
  • Initiate phone call
  • Perform screen lock
  • Initiate Virtual Network Computing (VNC) Connection with the TA
  • Modify audio settings

Medusa malware locks the device’s screen with the help of DEVICE_ADMIN permission. Figure 8 shows the code locking the device’s screen.

Figure 8: Code to Lock Device

The fake app also monitors and collects clipboard data from the infected device. Figure 9 has the code used to monitor the clipboard.

Figure 9: Code to monitor Clipboard Data

Figure 10 shows the code to send an SMS message to the number provided by TA.

Figure 10: Code to Send SMS

Medusa also allows the TA to connect to the victim’s device using VNC.

Accessibility Abuse

Medusa abuses the Accessibility Service to monitor the device screen and collect screen information such as credentials, user activities, etc.

The trojan also enables all the permissions requested by the application. The details are shown in the previous section. We also observed that the malware could restrict users from uninstalling the app or changing the permissions from the Settings app. Additionally, the malware performs a back action when users access the Settings app as shown in the below figure.

Figure 12: Code to modify input fields

C&C server and Commands

Medusa collects all the information mentioned above and uploads it to the C&C server based on the commands from TA. The malware performs these activities on a background service class called com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService.

Initially, the malware contacts a Telegram bot and retrieves the C&C server URL as encoded upon starting the trojan. The Telegram bot’s URL is hxxps://t[.]me/jjjsdjghjhg

The response from the Telegram bot is shown in the figure below.

Figure 13: Telegram Response with C&C URL

Upon investigation, we found that the TA has encoded the C&C URL with Base64 and custom encoding. Figure 14 shows the code used by the malware to decode the TA-provided encoded URL.

Figure 14: Code to decrypt C&C URL

C&C Server URL: sock.godforgiveuss[.]live:20027

A subset of commands used by Medusa is listed in the table below.

keylogStart key logging
sendsmsSend SMS to a number provided by TA
getcontactsCollect and upload contacts from victim’s device
lockscrLock victim’s device screen
updateinfoUpdate Device Info
callInitiate a call without victim’s interaction
cmdexExecute Command provided by TA

Table 3: Subset of C&C Command List

The code used to check the command and perform actions is shown in the below figure.

Figure 15:Code to check C&C command and perform malicious activity


As covered in prior Cyble blogs, we have observed an increase in the number of Android Banking Trojans recently. We’ve also noticed that malware authors have been utilizing cutting-edge technology to steal information and money from their victims. These TAs are also incorporating new obfuscation techniques to evade detection. The use of Medusa malware is the latest example of this change in trends.

Medusa and similar trojans can be avoided by following some basic cyber hygiene practices on mobile devices.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

  1. If you find this malware in your device, uninstall using adb uninstall or perform a factory reset.
  2. Use shared IoCs to monitor and block malware infection. 
  3. Keep your anti-virus software updated to detect and remove malicious software. 
  4. Keep your Operating System and applications updated to the latest versions. 
  5. Use strong passwords and enable two-factor authentication.
  6. Download and install software only from registered app stores.

MITRE ATT&CK® Techniques

Tactic Technique ID Technique Name
Defense EvasionT1406Obfuscated Files or Information
T1444  Masquerade as Legitimate Application
Credential AccessT1412Capture SMS Messages
T1409Access Stored Application Data
 DiscoveryT1421   System Network Connections Discovery
T1430Location Tracking
T1424Process Discovery
T1418Application Discovery
 CollectionT1507 Network Information Discovery
T1412Capture SMS Messages
T1432Access Contact List
T1429Capture Audio
Command and ControlT1571Non-Standard Port
T1573Encrypted Channel
ImpactT1447Delete Device Data

Indicators of Compromise (IoCs):  

IndicatorsIndicator typeDescription
368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792SHA256Hash of the APK1 sample
3fbcf74876ae8d6845d93be6fd747a7cc38afda00bb650443d3d52281535888bSHA256Hash of the second APK sample
f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4SHA256Hash of the Unpacked DEX File in APK1
9077ea927804e596ebc4500841a8066f7740b4c0bc89206672642879f1935e1eSHA256Hash of the Unpacked DEX File in APK2
hxxps://covid19-ca[.]link/URLPhishing page used to deliver APK
hxxps://t[.]me/jjjsdjghjhgURLTelegram Bot URL to deliver C&C URL
sock.godforgiveuss[.]live:20027URLC&C URL

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

%d bloggers like this: