Cyble: Medusa Malware Spreading Through Fake Canadian COVID Portal
Medusa malware was initially identified in June 2020 as a strain of Android banking Trojan. In a recent campaign, researchers observed the Medusa malware targeting Canadian residents.
Medusa collects personal information, creates an overlay, and steals credentials based on the Threat Actor’s (TA) commands from the Command and Control (C&C) Server. Previously, this malware was infecting systems through droppers posing as legitimate apps from official stores. However, in this instance, the delivery mechanism is different.
In a recent Twitter post, a researcher informed the community that Medusa is spreading through a website posing as the official Canadian Government COVID-19 portal. The researcher noted that when the website is accessed from a mobile phone, it serves a fake Flash Player app.
Additionally, the page displays instructions for installing the downloaded app, as shown in Figure 1. The researcher also mentioned that when the page is accessed from devices other than mobile phones, it redirects visitors to Canada’s official COVID-19 page.
Malicious URL: hxxps://covid19-ca[.]link/Flash_Player.apk
Cyble Research Labs has collected samples of Medusa malware and performed a detailed analysis. Based on this analysis, the team found that Medusa uses anti-analysis and security evasion techniques as detailed in our full analysis below.
The Medusa malware sample uses the same icon as the Flash Player app, as shown in the figure below.
The fake app requests 40 permissions, out of which the malware can leverage 20 permissions to collect victims’ personal information, steal credentials, etc. These dangerous permissions are listed in the table below.
| Permission Name | Description |
| --- | --- |
| ACCESS_BACKGROUND_LOCATION, ACCESS_COARSE_LOCATION, ACCESS_FINE_LOCATION | Access device location (with the help of GPS and the phone network) |
| ANSWER_PHONE_CALLS | Allows the app to answer phone calls |
| CAMERA | Access the device’s camera |
| GET_TASKS | Fetch currently running apps and processes |
| READ_CONTACTS | Access phone contacts |
| READ_EXTERNAL_STORAGE | Access device external storage |
| WRITE_EXTERNAL_STORAGE | Modify device external storage |
| READ_PHONE_STATE | Access phone state and information |
| RECORD_AUDIO | Allows recording audio using the device microphone |
| CALL_PHONE | Perform calls without user intervention |
| READ_SMS | Access the user’s SMS messages stored on the device |
| REQUEST_INSTALL_PACKAGES | Install applications without user interaction |
| RECEIVE_SMS | Fetch and process SMS messages |
| SEND_SMS | Allows the app to send SMS messages |
| SYSTEM_ALERT_WINDOW | Allows displaying system alerts over other apps |
| WRITE_SMS | Modify or delete SMS messages stored in the database |
| BIND_ACCESSIBILITY_SERVICE | Allows the app to bind to the device’s Accessibility Service |
| BIND_DEVICE_ADMIN | Allows the app to act as a device admin app |
Table 1: Permission List
The malware requests two extremely dangerous permissions, BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN.
The Accessibility Service is a background service running on the device to aid users with disabilities. The BIND_ACCESSIBILITY_SERVICE permission allows the app to bind to the Accessibility Service.
Malware authors abuse this service to intercept and monitor all activities happening on the device screen. An example of this activity is the ability to intercept the credentials utilized by users on any app on the affected device.
BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Medusa abuses this permission to lock the device, reset the screen lock PIN, etc.
Upon inspecting the APK’s manifest file, we found three entry-point classes of the application:
Other Android component classes in the APK’s manifest include com.ltrmht.nfzyqttg.VNCActivity, com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService.
Upon decompiling the APK, we observed that the malware is missing some classes, such as the ones mentioned above. As shown in the figure below, the package related to the classes is missing from the application packages list.
We also found that the APK contains only the application subclass. The rest of the classes in the manifest are not present in the APK, as shown in the previous figure.
Some of the other missing classes are listed in the table below.
| Missing Class Names |
| --- |
| com.ltrmht.nfzyqttg.MainActivity |
| com.ltrmht.nfzyqttg.Receiver.BootReceiver |
| com.ltrmht.nfzyqttg.VNCActivity |
| com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService |
| com.ltrmht.nfzyqttg.InjectionHtmlActivity |
Table 2: Missing Classes Subset List
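The manifest-versus-DEX mismatch described above is a useful triage signal on its own: components the OS will instantiate (activities, services, receivers) that have no class in classes.dex can only work if code is loaded at runtime, which is exactly what the packer does. The following script is an added example, not Cyble’s tooling. It takes the decoded AndroidManifest.xml (as produced by apktool) and the list of class names present in the DEX (as printed by a DEX dumper), flags the dangerous permissions from Table 1, and lists declared components that are missing from the DEX. The sample manifest and DEX class list are constructed from the class and permission names in this write-up; the Application subclass name "App" is hypothetical.

```python
"""Packed-APK triage heuristic: dangerous permissions + manifest/DEX mismatch.

Added example, not Cyble's tooling. Inputs: decoded AndroidManifest.xml text
and the class names found in classes.dex. Sample values are constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
COMPONENT_TAGS = ("activity", "service", "receiver", "provider")

# Permissions the analysis above singles out as enabling data theft, overlays
# and device takeover (short names, without the android.permission. prefix).
DANGEROUS_PERMISSIONS = {
    "ACCESS_BACKGROUND_LOCATION", "ACCESS_COARSE_LOCATION", "ACCESS_FINE_LOCATION",
    "ANSWER_PHONE_CALLS", "CAMERA", "GET_TASKS", "READ_CONTACTS",
    "READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE", "READ_PHONE_STATE",
    "RECORD_AUDIO", "CALL_PHONE", "READ_SMS", "REQUEST_INSTALL_PACKAGES",
    "RECEIVE_SMS", "SEND_SMS", "SYSTEM_ALERT_WINDOW", "WRITE_SMS",
    "BIND_ACCESSIBILITY_SERVICE", "BIND_DEVICE_ADMIN",
}


def normalise_class(name):
    """Accept Java form (a.b.C) or DEX descriptor form (La/b/C;)."""
    if name.startswith("L") and name.endswith(";"):
        name = name[1:-1].replace("/", ".")
    return name


def requested_permissions(manifest_xml):
    """Short names of every permission the manifest requests or guards with."""
    root = ET.fromstring(manifest_xml)
    names = [el.get(ANDROID_NS + "name", "") for el in root.iter("uses-permission")]
    # BIND_* permissions are not requested with <uses-permission>: they appear as
    # android:permission on the service/receiver exposing the privileged binding,
    # so every element is scanned for that attribute too.
    names += [el.get(ANDROID_NS + "permission", "") for el in root.iter()]
    return sorted({n.rsplit(".", 1)[-1] for n in names if n})


def declared_components(manifest_xml):
    """Fully qualified class names of the Application subclass and each component."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    app = root.find("application")
    comps = {}
    if app is None:
        return comps
    for el in [app] + [child for child in app if child.tag in COMPONENT_TAGS]:
        name = el.get(ANDROID_NS + "name")
        if not name:
            continue
        if name.startswith("."):          # ".MainActivity" is relative to the package
            name = pkg + name
        elif "." not in name:             # bare "MainActivity" is also relative
            name = pkg + "." + name
        comps[name] = el.tag
    return comps


def triage(manifest_xml, dex_classes):
    """Report dangerous permissions and components with no backing class in the DEX."""
    present = {normalise_class(c) for c in dex_classes}
    perms = requested_permissions(manifest_xml)
    missing = sorted(n for n in declared_components(manifest_xml) if n not in present)
    return {
        "dangerous_permissions": [p for p in perms if p in DANGEROUS_PERMISSIONS],
        "missing_components": missing,
        # Declared components with no class in the DEX can only run if code is
        # loaded at runtime: the packer signature described in the analysis.
        "likely_packed": bool(missing),
    }


# Constructed sample inputs (the Application class name "App" is hypothetical).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.ltrmht.nfzyqttg">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <application android:name=".App">
        <activity android:name=".MainActivity"/>
        <activity android:name="com.ltrmht.nfzyqttg.VNCActivity"/>
        <service android:name=".Service.WorkerAccessibilityService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
        <receiver android:name=".Receiver.BootReceiver"/>
    </application>
</manifest>
"""
SAMPLE_DEX_CLASSES = ["Lcom/ltrmht/nfzyqttg/App;"]  # only the Application subclass

if __name__ == "__main__":
    for key, value in triage(SAMPLE_MANIFEST, SAMPLE_DEX_CLASSES).items():
        print(f"{key}: {value}")
```

Note that the BIND_* permissions would be missed by a scan of `<uses-permission>` elements alone; they are declared on the component itself, which is why the script also reads `android:permission` attributes.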
Upon installing the application, Medusa malware displays the YouTube icon on the device’s home screen, as shown in Figure 5.
After starting the application, the malware requests the user to enable Accessibility permission. Once this permission is enabled, the trojan enables all the requested permissions, including BIND_DEVICE_ADMIN, without user interaction. The malware’s behavior is explained below.
We also observed that the malware hides its icon after launch.
Our source code investigation shows that the malware uses a custom packer that decrypts a DEX file from a file in the assets folder. After reverse-engineering the packer, we found the code used to decrypt the DEX file. This code is shown in the figure below.
With the help of the code shown above, we decrypted the DEX file. Upon inspecting the DEX file, we observed that the file contains all the missing classes mentioned in Table 2.
Hash of the DEX file: f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4
Upon analyzing the unpacked DEX file, we observed that the malware uses complex obfuscation techniques to hide the malicious behavior from static analysis.
Based on the results of our analysis, we concluded that in the post-infection phase, Medusa malware collects personal information such as Contacts, SMS, Application List, Location, etc. For example, the figure below shows the code collecting contacts.
The malware collects information, such as:
The malware also has the capability to perform other malicious activities, such as:
Medusa malware locks the device’s screen with the help of DEVICE_ADMIN permission. Figure 8 shows the code locking the device’s screen.
The fake app also monitors and collects clipboard data from the infected device. Figure 9 has the code used to monitor the clipboard.
Figure 10 shows the code to send an SMS message to the number provided by TA.
Medusa also allows the TA to connect to the victim’s device using VNC.
Medusa abuses the Accessibility Service to monitor the device screen and collect screen information such as credentials, user activities, etc.
The trojan also enables all the permissions requested by the application. The details are shown in the previous section. We also observed that the malware could restrict users from uninstalling the app or changing the permissions from the Settings app. Additionally, the malware performs a back action when users access the Settings app as shown in the below figure.
Medusa collects all the information mentioned above and uploads it to the C&C server based on the commands from TA. The malware performs these activities on a background service class called com.ltrmht.nfzyqttg.Service.WorkerAccessibilityService.
When the trojan starts, it first contacts a Telegram bot and retrieves the C&C server URL in encoded form. The Telegram bot’s URL is hxxps://t[.]me/jjjsdjghjhg
The response from the Telegram bot is shown in the figure below.
Upon investigation, we found that the TA has encoded the C&C URL with Base64 and custom encoding. Figure 14 shows the code used by the malware to decode the TA-provided encoded URL.
C&C Server URL: sock.godforgiveuss[.]live:20027
A subset of commands used by Medusa is listed in the table below.
| Command | Description |
| --- | --- |
| keylog | Start key logging |
| sendsms | Send SMS to a number provided by TA |
| getcontacts | Collect and upload contacts from victim’s device |
| lockscr | Lock victim’s device screen |
| updateinfo | Update device info |
| call | Initiate a call without victim’s interaction |
| cmdex | Execute command provided by TA |
Table 3: Subset of C&C Command List
The code used to check the command and perform actions is shown in the below figure.
As covered in prior Cyble blogs, we have observed an increase in the number of Android Banking Trojans recently. We’ve also noticed that malware authors have been utilizing cutting-edge technology to steal information and money from their victims. These TAs are also incorporating new obfuscation techniques to evade detection. The use of Medusa malware is the latest example of this change in trends.
Medusa and similar trojans can be avoided by following some basic cyber hygiene practices on mobile devices.
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| | T1444 | Masquerade as Legitimate Application |
| Credential Access | T1412 | Capture SMS Messages |
| | T1409 | Access Stored Application Data |
| Discovery | T1421 | System Network Connections Discovery |
| | T1430 | Location Tracking |
| | T1424 | Process Discovery |
| | T1418 | Application Discovery |
| Collection | T1507 | Network Information Discovery |
| | T1412 | Capture SMS Messages |
| | T1432 | Access Contact List |
| | T1429 | Capture Audio |
| Command and Control | T1571 | Non-Standard Port |
| | T1573 | Encrypted Channel |
| Impact | T1447 | Delete Device Data |

| Indicators | Indicator type | Description |
| --- | --- | --- |
| 368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792 | SHA256 | Hash of the APK1 sample |
| 3fbcf74876ae8d6845d93be6fd747a7cc38afda00bb650443d3d52281535888b | SHA256 | Hash of the second APK sample |
| f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4 | SHA256 | Hash of the unpacked DEX file in APK1 |
| 9077ea927804e596ebc4500841a8066f7740b4c0bc89206672642879f1935e1e | SHA256 | Hash of the unpacked DEX file in APK2 |
| hxxps://covid19-ca[.]link/ | URL | Phishing page used to deliver the APK |
| hxxps://t[.]me/jjjsdjghjhg | URL | Telegram bot URL that delivers the C&C URL |
| sock.godforgiveuss[.]live:20027 | URL | C&C URL |
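To turn the indicator table above into a detection, a defender needs to refang the published values and match them against telemetry with the right strictness: a file hash is exact, the full Telegram bot URL is strong, a bare hostname such as t.me on its own is weak, and the C&C host is most convincing together with its non-standard port 20027. The script below is an added example, not Cyble’s tooling. The IoC values are the ones from this write-up; the proxy, firewall, EDR and DNS log lines are constructed to show what such events might look like and are not real telemetry.

```python
"""Match the published Medusa indicators against sample telemetry.

Added example, not Cyble's tooling. IoCs are the values from the table above
(defanged as published); the log lines are constructed.
"""
import re

IOC_TABLE = [
    ("368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792", "SHA256", "APK1 sample"),
    ("3fbcf74876ae8d6845d93be6fd747a7cc38afda00bb650443d3d52281535888b", "SHA256", "second APK sample"),
    ("f8dbfd710ecd46e1703fb1f300be5c90cf6c13c809d524e9f77bc3bf83be04c4", "SHA256", "unpacked DEX in APK1"),
    ("9077ea927804e596ebc4500841a8066f7740b4c0bc89206672642879f1935e1e", "SHA256", "unpacked DEX in APK2"),
    ("hxxps://covid19-ca[.]link/", "URL", "phishing page delivering the APK"),
    ("hxxps://t[.]me/jjjsdjghjhg", "URL", "Telegram bot serving the C&C URL"),
    ("sock.godforgiveuss[.]live:20027", "URL", "C&C server"),
]


def refang(ioc):
    """Undo the hxxp / [.] defanging used in the published table."""
    return ioc.replace("hxxp", "http").replace("[.]", ".")


def split_network_ioc(ioc):
    """Return (host, port, path) for a URL or host:port indicator."""
    s = re.sub(r"^https?://", "", refang(ioc))
    hostport, _, path = s.partition("/")
    host, _, port = hostport.partition(":")
    return host.lower(), port, ("/" + path if path else "")


def match_line(line):
    """List of (ioc, match_kind) hits for one log line."""
    low = line.lower()
    hits = []
    for ioc, kind, _desc in IOC_TABLE:
        if kind == "SHA256":
            if ioc in low:
                hits.append((ioc, "hash"))
            continue
        host, port, path = split_network_ioc(ioc)
        # The host must stand alone: "t.me" must not fire on "client.me" or "t.mean".
        if not re.search(r"(?<![\w.-])" + re.escape(host) + r"(?![\w-])", low):
            continue
        if path and host + path in low:
            hits.append((ioc, "url"))        # full URL seen: high confidence
        elif port and re.search(r"(?<!\d)" + port + r"(?!\d)", low):
            hits.append((ioc, "host+port"))  # C&C host on its non-standard port
        else:
            hits.append((ioc, "host"))       # host only: weak on its own for t.me
    return hits


def scan(lines):
    """(line_index, ioc, match_kind) for every hit across the telemetry."""
    return [(i, ioc, kind) for i, line in enumerate(lines) for ioc, kind in match_line(line)]


# Constructed telemetry, one event per line (addresses and hostnames are made up).
LOG_LINES = [
    "proxy src=10.0.0.12 method=GET url=https://covid19-ca.link/Flash_Player.apk status=200",
    "proxy src=10.0.0.12 method=GET url=https://t.me/jjjsdjghjhg status=200",
    "firewall src=10.0.0.12 dst=sock.godforgiveuss.live dport=20027 action=allow",
    "edr host=phone-12 file=Flash_Player.apk sha256=368afeda7af69f329e896dc86e9e4187a59d2007e0e4b47af30a1c117da0d792",
    "dns src=10.0.0.13 query=www.canada.ca type=A",
]

if __name__ == "__main__":
    for index, ioc, kind in scan(LOG_LINES):
        print(f"line {index}: {kind:9} {ioc}")
```

The match kind is what an analyst should key alerting on: "hash" and "url" hits justify isolating the device, a "host+port" hit to the C&C server is nearly as strong, while a bare "host" hit on t.me is only corroborating evidence because legitimate Telegram traffic resolves the same name.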
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.