A New Variant of Hydra Banking Trojan Targeting European Banking Users
Introduction:
There has been a significant increase in digital transactions over the past year, particularly due to the COVID-19 pandemic, which has forced people to rely heavily on online services. This increase in digital traffic has not gone unnoticed: cybercriminals see it as an opportunity to target users. Recently, we came across several scenarios in which cyber fraud campaigns target bank customers.
The Hydra banking trojan is back to targeting European e-banking platform users, and more specifically customers of Commerzbank, Germany's second-largest bank.
Commerzbank serves 13 million customers in Germany and another 5 million people in Central and Eastern Europe, a total of 18 million potential targets, which is always a critical consideration for malware distributors.
Hydra Android trojan
The Hydra banking trojan was first detected in early 2019. The latest analysis shows that Hydra has evolved beyond the standard behaviour of banking trojans, such as drawing an overlay over the legitimate banking app to steal credentials. It now includes TeamViewer-style remote-control features, similar to the S.O.V.A. malware, uses various encryption techniques to evade detection, and relies on the Tor network to obfuscate its command-and-control communications.
What happened
Security researchers at Cyble have collected and thoroughly analysed samples of the Android APK files from this phishing campaign. Based on this analysis, the malware distributed as an Android app can be identified as a variant of Hydra.
Impact: a galore of permissions
Cyble found that the Hydra-laced app declares 21 permissions, most notably the signature permissions BIND_ACCESSIBILITY_SERVICE (on its accessibility service) and BIND_DEVICE_ADMIN (on its device-admin receiver), two extremely risky ones. The former, once the user enables the app's accessibility service in Settings, lets the app run a service that receives every accessibility event: it can read what is on the screen, observe user interaction and perform taps and text entry on the user's behalf. The latter makes the trojan a device administrator, which lets it lock or wipe the device and blocks uninstallation until the admin role is revoked, so a wide range of abuse possibilities opens up.
Other risky permissions used by the trojan include:

| Permission name | Description |
| --- | --- |
| CHANGE_WIFI_STATE | Change the device's Wi-Fi state (enable, disable, connect) |
| READ_CONTACTS | Read the user's contacts |
| READ_EXTERNAL_STORAGE | Read files on external storage |
| WRITE_EXTERNAL_STORAGE | Write files on external storage |
| READ_PHONE_STATE | Read phone state and identifiers (phone number, call state) |
| CALL_PHONE | Place a phone call without going through the dialer UI for the user to confirm |
| READ_SMS | Read SMS messages stored on the device, including one-time codes |
| REQUEST_INSTALL_PACKAGES | Request installation of further packages, for example a second-stage APK (the user still sees the install prompt) |
| SEND_SMS | Send SMS messages, which costs money and can spread the dropper link |
| SYSTEM_ALERT_WINDOW | Draw windows on top of other apps (the basis of credential-stealing overlays) |
On Android devices, Hydra abuses the accessibility service to:
- Capture user input and user interaction with the device screen
- Grant itself runtime permissions by clicking through the permission dialogs without user interaction
- Block the user from disabling the malware or revoking its rights via the Android Settings app
- Run its TeamViewer-style remote-control functions using the screencast (screen-capture) API together with the accessibility service
- Steal the device's lock-screen PIN when the user unlocks the device
- Inject values into user input fields
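The permission table and the accessibility-abuse list above together describe a manifest profile that an analyst can check for mechanically. The following script is an added example, not code from the original report or from Cyble: it triages a decoded AndroidManifest.xml (as produced by apktool or a similar decoder) for the dangerous runtime permissions listed above, for a service protected by BIND_ACCESSIBILITY_SERVICE and for a receiver protected by BIND_DEVICE_ADMIN, and assigns a verdict. The two embedded manifests are constructed samples; the package names com.example.fakebank and com.example.notes and the component names are hypothetical.

```python
# Added example (not from the original report or from Cyble): triage a decoded
# AndroidManifest.xml for the permission pattern described in the text.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def android_attr(name: str) -> str:
    """Return the namespaced attribute key ElementTree uses for android:<name>."""
    return "{%s}%s" % (ANDROID_NS, name)


# Dangerous runtime permissions from the table (android.permission.* form).
RISKY_PERMISSIONS = {
    "android.permission.CHANGE_WIFI_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
    "android.permission.READ_SMS",
    "android.permission.REQUEST_INSTALL_PACKAGES",
    "android.permission.SEND_SMS",
    "android.permission.SYSTEM_ALERT_WINDOW",
}
# Signature-level permissions declared on components, not requested via uses-permission.
BIND_ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"
BIND_DEVICE_ADMIN = "android.permission.BIND_DEVICE_ADMIN"
# Permissions whose combination with an accessibility service is the classic banker profile.
BANKER_COMBO = {"android.permission.READ_SMS", "android.permission.SEND_SMS",
                "android.permission.SYSTEM_ALERT_WINDOW"}


def triage_manifest(manifest_xml: str) -> dict:
    """Score a decoded manifest and return the findings a responder would record."""
    root = ET.fromstring(manifest_xml)
    name_attr = android_attr("name")
    perm_attr = android_attr("permission")
    requested = {e.get(name_attr) for e in root.iter("uses-permission")}
    acc_services = [s.get(name_attr) for s in root.iter("service")
                    if s.get(perm_attr) == BIND_ACCESSIBILITY]
    admin_receivers = [r.get(name_attr) for r in root.iter("receiver")
                       if r.get(perm_attr) == BIND_DEVICE_ADMIN]
    risky = sorted(requested & RISKY_PERMISSIONS)

    if acc_services and (requested & BANKER_COMBO or admin_receivers):
        verdict = "high"      # accessibility service plus SMS/overlay/admin: banker profile
    elif acc_services or admin_receivers or len(risky) >= 5:
        verdict = "medium"    # one strong indicator, or a broad set of risky permissions
    else:
        verdict = "low"
    return {
        "package": root.get("package"),
        "requested_permissions": len(requested),
        "risky_permissions": risky,
        "accessibility_services": acc_services,
        "device_admin_receivers": admin_receivers,
        "verdict": verdict,
    }


# Constructed sample manifest (hypothetical package, not a real Hydra artefact) showing
# the declarations the report describes.
SUSPICIOUS_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakebank">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
    <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.CALL_PHONE"/>
    <application>
        <service android:name=".AccService"
                 android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
            <intent-filter>
                <action android:name="android.accessibilityservice.AccessibilityService"/>
            </intent-filter>
        </service>
        <receiver android:name=".AdminReceiver"
                  android:permission="android.permission.BIND_DEVICE_ADMIN">
            <intent-filter>
                <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
            </intent-filter>
        </receiver>
    </application>
</manifest>"""

# Constructed benign manifest for contrast: an ordinary app with ordinary permissions.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <application/>
</manifest>"""

if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_manifest(manifest))
```

The verdict deliberately keys on the combination rather than on any single permission: a legitimate screen reader declares BIND_ACCESSIBILITY_SERVICE and an MDM agent declares BIND_DEVICE_ADMIN, but neither also asks for READ_SMS, SEND_SMS and SYSTEM_ALERT_WINDOW. Run it over the manifests of an APK batch and review everything that scores medium or high.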
Recommendations
- Download or install APKs only from trustworthy sources (the bank's website or the Google Play Store).
- Use strong passwords and enable two-factor authentication on the online banking account.
- Keep all software on the device up to date with the latest patches.
- Never open an attachment, run a program or follow a link received by e-mail or SMS from an unknown sender.
- Keep anti-virus software updated to detect and remove malicious software.
If the device has already fallen into Hydra's trap, clean it with a security tool from a reputable vendor and consider performing a factory reset afterwards. Because the trojan holds device-admin rights and an enabled accessibility service, uninstalling it can be blocked until both are revoked; booting the device into safe mode disables third-party apps, so the admin role can be deactivated and the app removed from Settings.
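For the device-side check, the following script is an added example, not code from the original report or from Cyble. It parses the Android secure setting enabled_accessibility_services (a colon-separated list of package/class component names, which `adb shell settings get secure enabled_accessibility_services` prints, or `null` when unset), flags any enabled service whose package is not on an allow-list of known screen readers, and builds a cleanup plan that removes only the suspect entries and then uninstalls the package. The embedded setting value is a constructed sample and the package com.example.fakebank is hypothetical; the allow-list holds the TalkBack packages and should be extended for your fleet.

```python
# Added example (not from the original report or from Cyble): find a suspicious
# enabled accessibility service on a device and plan its removal.
import subprocess

# Accessibility services commonly present on stock devices; extend for your fleet.
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.talkback",
}


def parse_enabled_services(setting_value: str) -> list:
    """Parse enabled_accessibility_services: colon-separated 'pkg/cls' component names."""
    components = []
    for comp in setting_value.strip().split(":"):
        if not comp or comp == "null":   # 'settings get' prints 'null' when the key is unset
            continue
        pkg, _, cls = comp.partition("/")
        if cls.startswith("."):          # short form '.Service' is relative to the package
            cls = pkg + cls
        components.append((pkg, cls))
    return components


def suspicious_services(setting_value: str, allowlist=KNOWN_GOOD_PACKAGES) -> list:
    """Enabled services whose package is not on the allow-list."""
    return [(p, c) for p, c in parse_enabled_services(setting_value) if p not in allowlist]


def cleanup_plan(setting_value: str, allowlist=KNOWN_GOOD_PACKAGES) -> list:
    """adb commands and manual steps to evict the suspect service and its package."""
    bad = suspicious_services(setting_value, allowlist)
    if not bad:
        return []
    # Rewrite the setting keeping only allow-listed services, so TalkBack survives.
    keep = [f"{p}/{c}" for p, c in parse_enabled_services(setting_value) if p in allowlist]
    new_value = ":".join(keep)
    steps = []
    if new_value:
        steps.append(f'adb shell settings put secure enabled_accessibility_services "{new_value}"')
    else:
        steps.append("adb shell settings delete secure enabled_accessibility_services")
    for pkg, _ in bad:
        # pm uninstall fails with DELETE_FAILED_DEVICE_POLICY_MANAGER while the app is an
        # active device admin: revoke the admin first (Settings > Security > Device admin
        # apps, from safe mode if the malware blocks the Settings screen).
        steps.append(f"manual: deactivate device admin for {pkg} (use safe mode if blocked)")
        steps.append(f"adb shell pm uninstall --user 0 {pkg}")
    return steps


def read_from_device() -> str:
    """Read the live setting over adb (needs a connected, authorised device)."""
    result = subprocess.run(
        ["adb", "shell", "settings", "get", "secure", "enabled_accessibility_services"],
        capture_output=True, text=True, check=True)
    return result.stdout


# Constructed sample value: TalkBack plus a hypothetical dropper package.
SAMPLE_VALUE = ("com.google.android.marvin.talkback/"
                "com.google.android.marvin.talkback.TalkBackService"
                ":com.example.fakebank/.AccService")

if __name__ == "__main__":
    for step in cleanup_plan(SAMPLE_VALUE):
        print(step)
```

Disabling the accessibility service first matters: while it is enabled the malware can watch the screen and click "Cancel" on the uninstall and admin-deactivation dialogs, which is why the plan disables the service before asking for the admin role to be revoked and the package removed.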