Medusa¶
Medusa is an Android banking trojan and Malware-as-a-Service (MaaS) operation that combines keylogging, real-time screen streaming, and overlay attacks into a full remote access platform for financial fraud. First identified targeting Turkish banks in July 2020, it has expanded to seven countries across North America and Europe. The 2024 v2 rewrite stripped the codebase down to a minimal permission footprint while retaining full fraud capability, a deliberate evasion strategy that allowed it to resurface after nearly a year of dormancy.
Overview¶
| Attribute | Details |
|---|---|
| First Seen | July 2020 |
| Status | Active (2025) |
| Type | Banking trojan, RAT, MaaS |
| Aliases | TangleBot (Proofpoint) |
| Attribution | Turkish-speaking actors, multiple affiliate groups |
| Distribution | Smishing, dropper apps, fake updates |
Vendor Names¶
| Vendor | Name |
|---|---|
| ThreatFabric | Medusa |
| Cleafy | Medusa |
| Proofpoint | TangleBot |
| Cyble | Medusa |
| Kaspersky | Trojan-Banker.AndroidOS.Medusa |
| ESET | Android/Spy.Medusa |
| Trend Micro | AndroidOS_Medusa |
| Microsoft | Trojan:AndroidOS/Medusa |
| SonicWall | AndroidOS.Medusa |
Origin and Lineage¶
ThreatFabric first documented Medusa in July 2020 as a new banking trojan under active development, initially targeting Turkish financial institutions. The malware used TCP for C2 communication, which distinguished it from the HTTP-based protocols common in other Android banking trojans of that era.
The family appears to be written from scratch with no direct code lineage to other known banking trojans. Its operators adopted a reserved approach to distribution, avoiding public forum advertisements and instead using side-channels for customer communication.
Proofpoint independently identified the same malware in September 2021 under the name TangleBot, based on its extensive use of obfuscation layers ("tangled" code). While some researchers initially treated these as distinct families, subsequent analysis confirmed they share the same codebase. The naming discrepancy persists across vendor reporting.
In 2022, ThreatFabric discovered Medusa leveraging the same distribution infrastructure as FluBot (Cabassous), indicating either shared affiliates or deliberate collaboration between the two operations.
After nearly a year of reduced activity, Cleafy identified the v2 variant in May 2024, noting it had likely been active since July 2023. The rewrite represented a strategic pivot toward evasion over feature density.
Distribution¶
Medusa has used multiple distribution strategies across its lifecycle, shifting from pure smishing to dropper-based delivery.
| Period | Vector | Disguise | Source |
|---|---|---|---|
| 2020-2021 | SMS phishing | Turkish banking and utility apps | ThreatFabric |
| September 2021 | SMS phishing | COVID-19 updates, utility bills | Proofpoint |
| September 2021 | Fake government portal | Canadian COVID-19 portal | Cyble |
| February 2022 | SMS (shared with FluBot) | DHL, Flash Player, utility apps | ThreatFabric |
| 2024 | Dropper apps, fake updates | Chrome, 4K Sports, InatTV, Purolator, 5G | Cleafy |
The FluBot co-distribution phase was notable: Medusa samples appeared alongside Cabassous payloads from the same smishing service, with Medusa operators using campaign tags like FLUVOICE, FLUFLASH, and FLUDHL that directly referenced FluBot campaigns. Within one month, this approach infected over 1,500 devices through a single botnet disguised as DHL.
The v2 distribution strategy shifted to dropper apps that deliver the malware through fake update procedures, moving away from direct SMS links to APK downloads.
Capabilities¶
Version 1 (2020-2022)¶
| Capability | Implementation |
|---|---|
| Overlay attacks | WebView injects triggered by accessibility foreground detection |
| Keylogging | Accessibility-based keystroke capture across all apps |
| Screen streaming | Real-time device screen fed to operator via VNC |
| Audio/video capture | Record via device microphone and camera |
| SMS interception | Read, send, hide SMS for OTP theft |
| Remote interaction | Full RAT through accessibility gestures and touch simulation |
| Call recording | Capture voice calls |
| Contact harvesting | Exfiltrate contacts and SMS history |
| Device admin abuse | Lock device screen via DEVICE_ADMIN permission |
Version 2 (2024)¶
Cleafy's analysis of the v2 rewrite documented a deliberate reduction in both permissions and commands:
Permissions reduced to five core requirements:
| Permission | Purpose |
|---|---|
| Accessibility Services | Core functionality: keylogging, UI interaction, overlay triggering |
| Broadcast SMS | SMS interception for OTP theft |
| Internet | C2 communication |
| Foreground Service | Persistent background execution |
| Query/Delete Packages | Application enumeration and removal |
Anything beyond these is obtained at runtime: once the victim enables the accessibility service, the malware uses it to accept the system permission prompts on the victim's behalf, which keeps the declared footprint small and the manifest inconspicuous to static review.
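A practitioner triaging samples wants a check for this footprint. The following is an added example (not Cleafy's tooling or code from the malware) that scores a decoded AndroidManifest.xml against the five permission families above. The mapping from the table's descriptive names to concrete Android permission strings is this example's own assumption, the two manifests are constructed, and the package names are placeholders. One detail it gets right that a naive grep misses: BIND_ACCESSIBILITY_SERVICE never appears as a `uses-permission`; it is the `android:permission` attribute on the `<service>` element.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
ATTR_NAME = "{%s}name" % ANDROID_NS
ATTR_PERMISSION = "{%s}permission" % ANDROID_NS

# Assumed mapping (this example's, not Cleafy's) from the table's five descriptive
# entries to concrete Android permission strings.
MEDUSA_V2_FOOTPRINT = {
    "accessibility": {"android.permission.BIND_ACCESSIBILITY_SERVICE"},
    "sms": {"android.permission.BROADCAST_SMS", "android.permission.RECEIVE_SMS"},
    "internet": {"android.permission.INTERNET"},
    "foreground_service": {"android.permission.FOREGROUND_SERVICE"},
    "packages": {"android.permission.QUERY_ALL_PACKAGES",
                 "android.permission.REQUEST_DELETE_PACKAGES"},
}

# Capabilities the v1 table shows declared up front. v2 drops them from the manifest,
# so their presence next to the footprint argues for v1 or for another family.
V1_STYLE_DECLARATIONS = {
    "android.permission.SYSTEM_ALERT_WINDOW",
    "android.permission.RECORD_AUDIO",
    "android.permission.CAMERA",
    "android.permission.READ_CONTACTS",
    "android.permission.BIND_DEVICE_ADMIN",
}


def declared_permissions(manifest_xml):
    """Return (uses-permission names, permissions that guard <service> components).

    BIND_ACCESSIBILITY_SERVICE is never a <uses-permission>; it appears as
    android:permission on the <service>, so both places must be read.
    """
    root = ET.fromstring(manifest_xml)
    uses = {e.get(ATTR_NAME) for e in root.iter("uses-permission")} - {None}
    guarded = {e.get(ATTR_PERMISSION) for e in root.iter("service")} - {None}
    return uses, guarded


def triage(manifest_xml, small_manifest=8):
    """Score a decoded manifest against the v2 footprint.

    'medusa_v2_footprint': all five families present, few other declarations and
    none of the v1-style ones. 'accessibility_plus_sms': the two dangerous families
    together, which merits analyst review whatever the family. Otherwise 'no_match'.
    """
    uses, guarded = declared_permissions(manifest_xml)
    declared = uses | guarded
    matched = {k for k, names in MEDUSA_V2_FOOTPRINT.items() if declared & names}
    missing = set(MEDUSA_V2_FOOTPRINT) - matched
    v1_style = declared & V1_STYLE_DECLARATIONS
    if not missing and len(uses) <= small_manifest and not v1_style:
        verdict = "medusa_v2_footprint"
    elif {"accessibility", "sms"} <= matched:
        verdict = "accessibility_plus_sms"
    else:
        verdict = "no_match"
    return {
        "verdict": verdict,
        "matched": sorted(matched),
        "missing": sorted(missing),
        "v1_style": sorted(v1_style),
        "uses_permission_count": len(uses),
    }


# Constructed manifests (already decoded to XML). Package names are placeholders.
SUSPECT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.FOREGROUND_SERVICE"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.QUERY_ALL_PACKAGES"/>
  <uses-permission android:name="android.permission.REQUEST_DELETE_PACKAGES"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
  </application>
</manifest>"""

BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.messenger">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT_MANIFEST), ("benign", BENIGN_MANIFEST)):
        print(name, triage(xml)["verdict"])
```

The `small_manifest` threshold is the point of the check: a legitimate SMS or accessibility app tends to declare many more permissions, while the v2 profile is exactly the five families and little else. Treat the result as a triage hint, not attribution; the footprint is small enough that other accessibility-abusing families could share it.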
Command set changes:
17 commands from v1 were removed, and 5 new commands were added:
| New Command | Action |
|---|---|
| `setoverlay` | Display full-screen black overlay to mask device activity |
| `fillfocus` | Set text value of focused input field to attacker-specified string |
| Delete app | Remotely uninstall specified applications |
| Screen off simulation | Make device appear inactive during fraud |
| Overlay display | Full-screen overlay for credential capture |
The `setoverlay` command draws a black full-screen overlay so the device looks powered off or locked while the operator works underneath it. The `fillfocus` command writes an attacker-supplied string into whichever input field currently has focus, which is what makes Automated Transfer System (ATS) style fraud possible: the operator can populate payee and amount fields inside the victim's own banking session rather than waiting for the victim to type.
Technical Details¶
C2 Communication¶
Medusa has used raw TCP sockets for C2 throughout its lifecycle, an unusual choice for Android malware, which mostly speaks HTTP(S). What changed between versions is how the client learns the C2 address:
| Version | Protocol | C2 Resolution |
|---|---|---|
| v1 (2020) | TCP | Hardcoded C2 URLs, Telegram bot for backup |
| v1 (2021) | TCP | Encoded URLs retrieved from Telegram bots (Base64 + custom encoding) |
| v2 (2024) | TCP | Dynamic retrieval from social media profiles (Telegram, X, ICQ) |
The dead drop resolver pattern in v2 uses legitimate social media platforms to host encoded C2 addresses. This allows operators to rotate C2 infrastructure without pushing malware updates, increasing resilience against takedowns.
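To make the pattern concrete for an analyst who has to pull a C2 out of a captured profile page, here is an added example, not Medusa's code and not derived from any sample: an emulation of the resolver's lookup and fallback chain. The page describes the encoding only as Base64 plus a custom layer, so only the Base64 layer is modelled here (tolerating the URL-safe alphabet and stripped padding, which real dead drops often use); the profile texts, the platform order and the host:port values (RFC 5737 documentation addresses and example.net) are all constructed.

```python
import base64
import binascii
import re

# Base64 tokens in either the standard or URL-safe alphabet, with or without padding.
# The minimum length keeps ordinary words out; the decoded host:port check does the rest.
B64_TOKEN = re.compile(r"[A-Za-z0-9+/_-]{12,}={0,2}")
HOST_PORT = re.compile(r"^(?P<host>[A-Za-z0-9][A-Za-z0-9.-]*):(?P<port>\d{1,5})$")


def decode_candidate(token):
    """Decode one token, tolerating the URL-safe alphabet and stripped '=' padding.

    Returns the decoded text, or None when the token is not Base64 or not ASCII.
    """
    normalized = token.replace("-", "+").replace("_", "/")
    normalized += "=" * (-len(normalized) % 4)
    try:
        return base64.b64decode(normalized, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def extract_c2(profile_text):
    """Return (host, port) from the first token that decodes to host:port, else None."""
    for token in B64_TOKEN.findall(profile_text):
        decoded = decode_candidate(token)
        if decoded is None:
            continue
        m = HOST_PORT.match(decoded.strip())
        if m and 0 < int(m.group("port")) < 65536:
            return m.group("host"), int(m.group("port"))
    return None


def resolve(dead_drops):
    """Walk ordered (platform, profile_text) pairs the way an implant's fallback chain
    would: the first profile yielding a decodable C2 wins, so a profile the platform
    has removed or the operator has wiped is simply skipped."""
    for platform, text in dead_drops:
        hit = extract_c2(text)
        if hit is not None:
            return {"platform": platform, "host": hit[0], "port": hit[1]}
    return None


# Constructed profile texts standing in for fetched profile pages. Hosts are RFC 5737
# documentation addresses / example.net, not real infrastructure.
DEAD_DROPS = [
    # Profile already removed by the platform: nothing decodable, so the chain moves on.
    ("telegram", "This channel was deleted. If you were its owner, contact support."),
    # Live profile: the C2 sits in the bio as a Base64 token among ordinary text.
    ("x", "Sports streaming fan. 4K every match. MTk4LjUxLjEwMC4yMzo4NDQz"),
    # Backup profile using URL-safe Base64 with the padding stripped.
    ("icq", "status: YzIuZXhhbXBsZS5uZXQ6NTU1NQ"),
]

if __name__ == "__main__":
    print(resolve(DEAD_DROPS))
    # -> {'platform': 'x', 'host': '198.51.100.23', 'port': 8443}
```

The defensive takeaway is the shape of the traffic rather than any one address: a fetch of a profile URL on a consumer platform followed within seconds by an outbound raw TCP connection to a non-web port on a host that never appeared in DNS before. Because the operator rotates C2 by editing a bio, the profile URL is the more durable indicator, and re-running `extract_c2` over periodic captures of that profile tracks the rotation without touching the malware.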
Accessibility Service Abuse¶
Medusa's accessibility service implementation handles multiple functions simultaneously:
- Monitors `TYPE_WINDOW_STATE_CHANGED` events for target app detection and overlay triggering
- Logs all keystrokes for credential capture
- Reads screen content for real-time streaming to operator
- Performs gestures and clicks for remote device control
- Silently grants additional permissions at runtime
- Interacts with banking app UI for ATS-style fraud via `fillfocus`
Botnet Infrastructure¶
Cleafy identified five distinct botnets operating under the Medusa MaaS umbrella:
| Botnet | Primary Targets | Distribution Focus |
|---|---|---|
| AFETZEDE | Turkey, Canada, US | Traditional smishing |
| ANAKONDA | Turkey | Smishing |
| PEMBE | Turkey | Smishing |
| TONY | Turkey, Canada, US | Smishing |
| UNKN | Italy, France, Europe | Dropper apps from untrusted sources |
The separation between Turkish-focused botnets (AFETZEDE, ANAKONDA, PEMBE, TONY) and the European-focused UNKN botnet suggests at least two distinct affiliate groups operating the same malware.
Target Regions and Financial Institutions¶
Medusa's targeting has expanded significantly from its Turkish origins.
| Period | Regions | Targets |
|---|---|---|
| 2020-2021 | Turkey | Turkish banking institutions |
| September 2021 | US, Canada | COVID-19 themed, broad credential theft |
| 2022 | Turkey, North America, Europe | Banking apps, expanded through FluBot infrastructure |
| 2024 | Canada, France, Italy, Spain, Turkey, UK, US | Banking, cryptocurrency, and utility apps across 7 countries |
The v2 expansion into Western Europe, particularly France and Italy through the UNKN botnet, represented a strategic geographic pivot, indicating growing demand from European-focused affiliates within the MaaS operation.
Notable Campaigns¶
July 2020: ThreatFabric identified Medusa as a new Android banking trojan targeting Turkish banks, noting its use of TCP-based C2 and active development status.
September 2021: Proofpoint published their TangleBot analysis, documenting campaigns using COVID-19 and utility bill lures targeting US and Canadian users. The analysis noted extensive obfuscation, including hidden .dex files, minified code, and excessive dead code. Proofpoint counted nine consecutive dialog boxes users had to accept before full installation completed.
September 2021: Cyble documented a campaign using a fake Canadian Government COVID-19 portal to distribute Medusa disguised as a Flash Player update. The malware retrieved its C2 URL from a Telegram bot using Base64 and custom encoding.
February 2022: ThreatFabric published "Partners in Crime", revealing that Medusa had begun using the same smishing distribution network as FluBot (Cabassous). The FLUDHL botnet alone accumulated over 1,500 infections within a month by masquerading as DHL delivery notifications.
May 2024: Cleafy published "Medusa Reborn", documenting the v2 variant that had been active since July 2023. The rewrite reduced the permission footprint to five manifest-declared permissions, removed 17 commands, added 5 new ones (including the black screen overlay), and shifted distribution to dropper-based delivery through fake Chrome, 4K Sports, and utility apps across seven countries.