Short News:-
Two different Android banking Trojans, FluBot and Medusa, are utilizing the same delivery vehicle as part of a simultaneous attack campaign. Researchers discovered that the overlapping use of "app names, package names, and similar icons" resulted in side-by-side infections. In order to infect the devices, the malware-ridden apps used in conjunction with FluBot are disguised as DHL and Flash Player apps. Other potentially dangerous features of Medusa include keylogging, accessibility event logging, and audio and video streaming. Last year, researchers from ESET and Check Point Research discovered rogue apps masquerading as Huawei Mobile and Netflix that used the same method of operation to launch wormable attacks. "At the same time, Cabassous is constantly evolving, adding new features and taking another step closer to being able to commit fraud on the device itself."
Detailed News:-
According to new research published by ThreatFabric, two different Android banking Trojans, FluBot and Medusa, are utilizing the same delivery vehicle as part of a simultaneous attack campaign.
It was discovered that the overlapping use of "app names, package names, and similar icons" resulted in side-by-side infections, which were facilitated by the same smishing (SMS phishing) infrastructure, according to the Dutch mobile security firm.
Medusa, which was first discovered in July 2020 and was targeting Turkish financial institutions, has gone through several iterations, the most notable of which is the ability to abuse Android's accessibility permissions in order to siphon funds from banking apps into an account controlled by the attacker.
Other potentially dangerous features of Medusa include keylogging, accessibility event logging, audio, and video streaming, all of which allow actors to gain almost complete control over a victim's device, according to the researchers.
In order to infect the devices, the malware-ridden apps used in conjunction with FluBot are disguised as DHL and Flash Player apps. In addition, recent Medusa attacks have broadened their scope beyond Turkey to include Canada and the United States, with the botnet's operators maintaining multiple botnets for each of their campaigns.
FluBot (aka Cabassous), on the other hand, has received a novel upgrade of its own: the ability to intercept and potentially manipulate notifications from targeted applications on a victim's Android device by leveraging the direct reply action, alongside auto-replying to messages from apps like WhatsApp to spread phishing links in a worm-like fashion.
It is "possible for actors to sign fraudulent transactions on the victim's behalf" because of the malware's ability to provide [command-and-control server] supplied responses to notifications of targeted applications on the victim's device, according to the researchers.
This is not the first time that Android malware has been discovered to spread through the use of auto-replies to WhatsApp messages. Last year, researchers from ESET and Check Point Research discovered rogue apps masquerading as Huawei Mobile and Netflix that used the same method of operation to launch wormable attacks.
As Cabassous' success spreads, more and more actors are copying his distribution strategies, appropriating masquerading techniques, and utilizing the same distribution service, the researchers found. "At the same time, Cabassous is constantly evolving, adding new features and taking another step closer to being able to commit fraud on the device itself."
Post a Comment
Your suggestions and comments are welcome