Medusa SMS Phishing Banking Malware Campaign

Photo of a Stone Medusa Figure

Malware attack campaigns involving the trojans FluBot and Medusa are an ongoing and urgent problem, warns the cybersecurity intelligence company ThreatFabric. Threat actors are using FluBot and Medusa to compromise devices globally, targeting various Android banking apps, resulting in “on-device fraud.”

The campaign uses socially engineered SMS phishing (called “smishing”) to target victims, joining the wave of financially motivated attacks, as demonstrated by the Roaming Mantis campaign in Europe. ThreatFabric’s report claims that these malware attack campaigns are evolving to include never-before-seen capabilities and do not show indications of stopping anytime soon.

ThreatFabric has narrowed down the Medusa campaign to a Turkish threat actor. As far as FluBot is concerned, four arrests were made in Barcelona, Spain in March 2021. However, the FluBot malware gang continues to thrive around the world.

The FluBot and Medusa Botnet Trojans

Cabbassous, also known as FluBot, is a notorious smishing malware known to be actively distributed in various campaigns for almost a year now. It has been using command-and-control (C2) attack servers to siphon user data (like phone contacts) and hijack devices.

In addition, ThreatFabric has now tracked a new banking malware, stretching its tentacles known as Medusa “now being distributed through the same SMiShing service as Cabassous.” Medusa is building on FluBot’s already successful trail of global cybercrime. The smishing campaigns have been disguised as Flash Player and DHL to lure victims, among others.

Both FluBot and newcomer Medusa are formidable multi-purpose, multi-stage botnet trojans. Evidence that the two are working in tandem is that Medusa uses “exactly the same app names, package names, and icons” as FluBot.

Both variants also boast several sophisticated features like notification interception, keylogging, RAT functionalities, and audio and video hijacking. This dangerous combination essentially allows an attacker full control once an Android banking app has been compromised.

FluBot and Medusa are Evolving

FluBot and Medusa are currently running rampant while simultaneously evolving. After receiving a major update “that introduced DNS-tunneling through public DNS-over-HTTPS services,” FluBot is now on another level in the latest version, 5.4.

This is an update that adds “a novel capability never seen before in mobile banking malware.” The capability abuses the “Android Nougat Direct Reply” Android OS feature, allowing attackers to manipulate notifications on a victim’s device.

As for Medusa, its trump card is that it is armed with a “semi-ats” or Automated Transfer System capability powered with an “accessibility scripting engine” that leverages Android Accessibility Service to allow attackers to take control of apps and perform actions on a victim’s device. As a result, a victim’s device can both be monitored and controlled by an external attacker.

As device notifications can now be compromised on a victim’s device, a fraudulent notification can also endanger a user’s multi-factor authorization processes.

“The evolution of malware families shows that 2FA techniques might be not sufficient to ensure origin of transaction,” ThreatFabric’s report said. “It requires deeper TI in combination with a solution that is able to detect malicious behavior on customers’ devices.”

Malware Distribution and Targeted Apps

ThreatFabric confirmed that 1,784 devices were successfully infected with Medusa in just 24 days, most recently across the U.S., Canada, and Turkey. 27 U.S. bank apps, 17 Spanish bank apps, and 15 Turkish bank apps were confirmed as targetted by the campaigns.

The targets for both FluBot and Medusa differ slightly. A few of the more notable targetted bank apps are listed below for each malware campaign. The official lists on ThreatFabric’s report include dozens of entries.

Medusa’s targets:

  • Bank of America Mobile Banking
  • Wells Fargo Mobile
  • Amex
  • BBVA Spain
  • Halkbank Mobil
  • HSBC Turkiye

FluBot’s targets:

  • Bankwest
  • Coinbase
  • Bank of Scotland Mobile Banking
  • Suncorp Bank
  • Kiwibank Mobile Banking
  • Emirates NBD
  • HSCB Australia

For further assistance and the latest threat intelligence on mobile malware, ThreatFabric can be reached here.

Tech researcher & communications specialist
Mirza has an education background in Global Communications, has worked in advertising, marketing, journalism and television over the years while living in several different countries. He is now working to consolidate news and outreach at, while in his free time he likes to work on documentary projects, read about sociology and write about world events.