Medusa malware was initially identified in June 2020, as a strain of Android Banking Trojan. In a recent campaign, Researchers observed the Medusa malware targeting Canadian residents.

Medusa collects personal information, creates an overlay, and steals credentials based on the Threat Actor’s (TA) commands from the Command and Control (C&C) Server. Previously, this malware was infecting systems through droppers posing as legitimate apps from official stores. However, in this instance, the delivery mechanism is different.

In a recent Twitter post, a researcher informed the community that Medusa is spreading through a website posing as the official Canadian Government COVID-19 portal. The researcher noted that when the website was accessed through mobile phones, the malware delivers a fake Flash Player app.

Additionally, the page displays the instructions to install the downloaded app, as shown in Figure 1. The researcher also mentioned that when the page was accessed from sources other than mobile phones, it redirects visitors to Canada’s official COVID-19 page.

Malicious URL: hxxps://covid19-ca[.]link/Flash_Player.apk

Cyble Research Labs has collected samples of Medusa malware and performed a detailed analysis. Based on this analysis, the team found that Medusa uses anti-analysis and security evasion techniques as detailed in our full analysis below.

Technical Analysis

The Medusa malware sample shares the same icon of the Flash Player app, as shown in the figure below.

APK Metadata Information

APK File Info

• APP Name: Flash Player
• Package Name: com.ltrmht.nfzyqttg
• SHA256: 368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792

APK’s Manifest File Description

The fake app requests 40 permissions, out of which the malware can leverage 20 permissions to collect victims’ personal information, steal credentials, etc. These dangerous permissions are listed in the table below.

Permission Name	Description
ACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION	Access device location (with the help of GPS and Phone network)
ANSWER_PHONE_CALLS	Allows the app to answer the phone call
CAMERA	Access device’s camera
GET_TASKS	Fetch currently running apps and processes
READ_CONTACTS	Access to phone contacts
READ_EXTERNAL_STORAGE	Access device external storage
WRITE_EXTERNAL_STORAGE	Modify device external storage
READ_PHONE_STATE	Access phone state and information
RECORD_AUDIO	Allows to record audio using device microphone
CALL_PHONE	Perform call without user intervention
READ_SMS	Access user’s SMSs stored in the device
REQUEST_INSTALL_PACKAGES	Install applications without user interaction
RECEIVE_SMS	Fetch and process SMS messages
SEND_SMS	Allows the app to send SMS messages
SYSTEM_ALERT_WINDOW	Allows to display system alerts over other apps
WRITE_SMS	Modify or Delete SMSs Stored in Database
BIND_ACCESSIBILITY_PERMISSION	Allows to access device’s Accessibility Service
BIND_DEVICE_ADMIN	Allows the app to act as Admin App

Table 1: Permission List

The malware has requested two extremely dangerous permissions, BIND_ACCESSIBILITY_PERMISSION and BIND_DEVICE_ADMIN.

Accessibility Service is a background service running on the device to aid users with disabilities. BIND_ACCESSIBILITY_SERVICE permission allows the app to access the Accessibility Service.

Malware authors abuse this service to intercept and monitor all activities happening on the device screen. An example of this activity is the ability to intercept the credentials utilized by users on any app on the affected device.

BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Medusa abuses this permission to lock the device, reset the screen lock PIN, etc.

Upon inspecting the APK’s manifest file, we found three entry points classes of the application:

1. com.apple.iphoneeveni.p: The class executes first when the user starts the app from the device screen. com.apple.iphoneeveni.p is the application subclass. Refer Figure 3.

• com.ltrmht.nfzyqttg.MainActivity: The activity class which executes and displays the starting page of the app.
• com.ltrmht.nfzyqttg.Receiver.BootReceiver: The receiver class which executes upon device reboot.

Other Android component classes in the APK’s manifest include com.ltrmht.nfzyqttg.VNCActivity, com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService.

Upon decompiling the APK, we observed that the malware is missing some classes, such as the ones mentioned above.  As shown in the figure below, the package related to the classes is missing from the application packages list.

We also found that the APK contains only the application subclass. The rest of the classes in the manifest are not present in the APK, as shown in the previous figure.

Some of the other missing classes are listed in the table below.

Missing Class Names

com.ltrmht.nfzyqttg.MainActivity

com.ltrmht.nfzyqttg.Receiver.BootReceiver

com.ltrmht.nfzyqttg.VNCActivity

com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService

com.ltrmht.nfzyqttg. InjectionHtmlActivity

Table 2: Missing Classes Subset List

Initial Behavior

Upon installing the application, Medusa malware displays the YouTube icon on the device’s home screen, as shown in Figure 5.

After starting the application, the malware requests the user to enable Accessibility permission. Once this permission is enabled, the trojan enables all the requested permissions, including BIND_DEVICE_ADMIN, without user interaction. The malware’s behavior is explained below.

We also observed that the malware hides its icon after launch.

Source Code Analysis

Our source code investigation shows that the malware uses a custom packer software that decrypts a DEX file from a file in the assets folder. Upon completing a reverse-engineering procedure, we found the code used to decrypt the DEX file. This code is shown in the figure below.

With the help of the code shown above, we decrypted the DEX file. Upon inspecting the DEX file, we observed that the file contains all the missing classes mentioned in Table 2.

Hash of the DEX file: f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4

Upon analyzing the unpacked DEX file, we observed that the malware uses complex obfuscation techniques to hide the malicious behavior from static analysis.

Based on the results of our analysis, we concluded that in the post-infection phase, Medusa malware collects personal information such as Contacts, SMS, Application List, Location, etc. For example, the figure below shows the code collecting contacts.

The malware collects information, such as:

• Contacts
• SMSs
• Installed applications list
• Location information
• Device hardware information
• Log battery variations
• Log screen status

The malware also has the capability to perform other malicious activities, such as:

• Audio spying using device microphone
• Send SMS to a phone number provided by TA
• Steal data by injecting code
• Steal OTP credentials using SMS listener
• Initiate phone call
• Perform screen lock
• Initiate Virtual Network Computing (VNC) Connection with the TA
• Modify audio settings

Medusa malware locks the device’s screen with the help of DEVICE_ADMIN permission. Figure 8 shows the code locking the device’s screen.

The fake app also monitors and collects clipboard data from the infected device. Figure 9 has the code used to monitor the clipboard.

Figure 10 shows the code to send an SMS message to the number provided by TA.

Medusa also allows the TA to connect to the victim’s device using VNC.

Accessibility Abuse

Medusa abuses the Accessibility Service to monitor the device screen and collect screen information such as credentials, user activities, etc.

The trojan also enables all the permissions requested by the application. The details are shown in the previous section. We also observed that the malware could restrict users from uninstalling the app or changing the permissions from the Settings app. Additionally, the malware performs a back action when users access the Settings app as shown in the below figure.

C&C server and Commands

Medusa collects all the information mentioned above and uploads it to the C&C server based on the commands from TA. The malware performs these activities on a background service class called com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService.

Initially, the malware contacts a Telegram bot and retrieves the C&C server URL as encoded upon starting the trojan. The Telegram bot’s URL is hxxps://t[.]me/jjjsdjghjhg

The response from the Telegram bot is shown in the figure below.

Upon investigation, we found that the TA has encoded the C&C URL with Base64 and custom encoding. Figure 14 shows the code used by the malware to decode the TA-provided encoded URL.

C&C Server URL: sock.godforgiveuss[.]live:20027

A subset of commands used by Medusa is listed in the table below.

Command	Description
keylog	Start key logging
sendsms	Send SMS to a number provided by TA
getcontacts	Collect and upload contacts from victim’s device
lockscr	Lock victim’s device screen
updateinfo	Update Device Info
call	Initiate a call without victim’s interaction
cmdex	Execute Command provided by TA

Table 3: Subset of C&C Command List

The code used to check the command and perform actions is shown in the below figure.

Conclusion

As covered in prior Cyble blogs, we have observed an increase in the number of Android Banking Trojans recently. We’ve also noticed that malware authors have been utilizing cutting-edge technology to steal information and money from their victims. These TAs are also incorporating new obfuscation techniques to evade detection. The use of Medusa malware is the latest example of this change in trends.

Medusa and similar trojans can be avoided by following some basic cyber hygiene practices on mobile devices.

Our Recommendations

We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:   

1. If you find this malware in your device, uninstall using adb uninstall or perform a factory reset.
2. Use shared IoCs to monitor and block malware infection. 
3. Keep your anti-virus software updated to detect and remove malicious software. 
4. Keep your Operating System and applications updated to the latest versions. 
5. Use strong passwords and enable two-factor authentication.
6. Download and install software only from registered app stores.

MITRE ATT&CK® Techniques

Tactic	Technique ID	Technique Name
Defense Evasion	T1406	Obfuscated Files or Information
	T1444	Masquerade as Legitimate Application
Credential Access	T1412	Capture SMS Messages
	T1409	Access Stored Application Data
Discovery	T1421	System Network Connections Discovery
	T1430	Location Tracking
	T1424	Process Discovery
	T1418	Application Discovery
Collection	T1507	Network Information Discovery
	T1412	Capture SMS Messages
	T1432	Access Contact List
	T1429	Capture Audio
Command and Control	T1571	Non-Standard Port
	T1573	Encrypted Channel
Impact	T1447	Delete Device Data

Indicators of Compromise (IoCs):  

Indicators	Indicator type	Description
368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792	SHA256	Hash of the APK1 sample
3fbcf74876ae8d6845d93be6fd747a7cc38afda00bb650443d3d52281535888b	SHA256	Hash of the second APK sample
f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4	SHA256	Hash of the Unpacked DEX File in APK1
9077ea927804e596ebc4500841a8066f7740b4c0bc89206672642879f1935e1e	SHA256	Hash of the Unpacked DEX File in APK2
hxxps://covid19-ca[.]link/	URL	Phishing page used to deliver APK
hxxps://t[.]me/jjjsdjghjhg	URL	Telegram Bot URL to deliver C&C URL
sock.godforgiveuss[.]live:20027	URL	C&C URL

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.