Introduction:

There has been a significant increase in digital transactions over the past year, particularly due to the COVID-19 pandemic, which has forced people to rely heavily on online services. However, this increase in digital traffic has not gone unnoticed. Cybercriminals have seen it as an opportunity to target users. Recently, we came across several scenarios where cyber frauds target bank customers.

The Hydra banking trojan is back to targeting European e-banking platform users, and more specifically, customers of Commerzbank, Germany’s second-largest bank

Commerzbank serves 13 million customers in Germany and another 5 million people in Central and Eastern Europe. This makes up for a total of 18 million potential targets, which is always a critical consideration for malware distributors.

Hydra android trojan

Hydra banking trojan that was first detected in early 2019. The latest analysis revealed that Hydra has evolved beyond the standard behavior of banking Trojans, such as creating an overlay to steal credentials. The Trojan now includes TeamViewer features, similar to the S.O.V.A. malware. In addition, the Trojan uses various encryption techniques to evade detection and relies on the Tor network to obfuscate communications.

What happened

Security researchers Cyble have collected and thoroughly analysed samples of the Android APK apps from this phishing campaign. Based on this analysis, it can be determined that the malware spread as an Android app is a variant of Hydra.

A galore of permissions or Impact

Cyble has found that the Hydra-laced app requests 21 permissions, most notably the ‘BIND-ACCESSIBILITY_PERMISSION’ and ‘BIND_DEVICE_ADMIN,’ two extremely risky permissions. The former ensures that the app is always running in the background, monitoring and intercepting all data that comes and goes to and from the device. The latter is practically giving the trojan admin privileges on the device, so a wide range of exploitation possibilities opens up.

Other risky permissions used by the trojan include:

Permission Name	Description
CHANGE_WIFI_STATE	Modify Device’s Wi-Fi settings
READ_CONTACTS	Access to phone contacts
READ_EXTERNAL_STORAGE	Access device external storage
WRITE_EXTERNAL_STORAGE	Modify device external storage
READ_PHONE_STATE	Access phone state and information
CALL_PHONE	Perform call without user intervention
READ_SMS	Access user’s SMSs stored in the device
REQUEST_INSTALL_PACKAGES	Install applications without user interaction
SEND_SMS	Allows the app to send SMS messages
SYSTEM_ALERT_WINDOW	Allows the display of system alerts over other apps

On Android devices, the Hydra malware abuses the accessibility features to perform several malicious activities:

• Collect user input and user interaction on the device screen
• Enabling all permissions without user interaction
• Restricting the user’s ability to change the malware’s functions via the Android Settings app
• Running TeamViewer functions using screencast APIs and Accessibility Service
• Stealing the PIN for the device’s lock screen when the user unlocks it
• Injecting values into user input fields

Recommendation

• Download or install Apk’s for trustworthy sources (The Bank’s Website or Google Play Store).
• Use strong passwords and enable two-factor authentication on the online banking account.
• Keep all software on computer up to date with the latest patches
• Never open an attachment or run a program or link received by an email from someone.
• Keep the anti-virus software updated to detect and remove malicious software.

If fallen in Hydra’s trap already, it is recommended that clean the device with a security tool from a reputable vendor and even perform a factory reset afterwards