Medusa Malware Joins Flubot’s Android Distribution Network
Flubot, the Android spyware that has been spreading since last year, has been joined by another mobile threat known to researchers as Medusa. The two powerful trojans boast spyware and RAT capabilities, and are now being distributed in side-by-side campaigns over a common infrastructure. ThreatFabric was the first to discover that Medusa is now being distributed via the same SMS phishing infrastructure as Flubot, which has resulted in high-volume, side-by-side campaigns. The Flubot malware is delivered to targets through text messages that prompt them to install a package delivery app or a fake version of a web player. If the target falls for the trick, the malware starts gaining permissions, stealing banking information and credentials, and lifting passwords stored on the device.
Flubot can also send additional text messages to the infected device’s contacts, allowing it to spread even further. Medusa follows a very similar pattern, using the same package names, app names, and icons. This distribution approach allowed Medusa to gain traction, reaching more than 1,500 infected devices in one botnet. ThreatFabric stated that, in addition to the Flubot campaign, Medusa has several other botnets conducting separate campaigns. Unlike Flubot, which mainly targets Europe, Medusa does not have a specific geographical target and has impacted users in Canada, Turkey, and the US over the past several months.