Hydra Android Trojan Description
The Hydra Android Trojan has been used in active attack campaigns for a while now, as the first samples of this threat were discovered back in 2019. Since then, the threat has gone through multiple versions and has seen its threatening capabilities expanded on several occasions. The main goal of the Hydra Android Trojan has remained the same, though: collecting the victim's credentials for banking or financial services.
The latest campaign deploying the Hydra Android Trojan was uncovered by the cybersecurity researchers at MalwareHunterTeam and Cyble. The threatening operation targets European e-banking platforms and more specifically the customers of Commerzbank, Germany's second-largest bank.
The threat is delivered via a lure website that spreads Trojanized Commerzbank applications. Once deployed on the victim's device, the Hydra Android Trojan asks for several critical permissions. First, it wants access to Android's Accessibility service. This is a legitimate background service that was implemented to help people with disabilities operate their Android devices more comfortably. However, the threat abuses the service to monitor and intercept all activity taking place on the device's screen, which allows the attackers to see the credentials the victim enters in other applications.
The second permission demanded by the threat is BIND_DEVICE_ADMIN. It grants Hydra device-administrator privileges and allows it to perform numerous invasive actions, such as locking the device, changing the screen-lock PIN and more. The malware can also access or send SMS messages, make calls and send messages to the victim's contact list, among other actions.
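The permission profile described above (an Accessibility service, a device-admin receiver, and SMS/call/contacts permissions) is a useful static triage signal for analysts who vet banking apps before they reach users. The following is an added example, not code from the original article or from any vendor; it parses a decoded AndroidManifest.xml (the sample manifest and package name are constructed here) and flags that combination.

```python
import xml.etree.ElementTree as ET

# Android resource namespace used by manifest attributes such as android:name.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Constructed sample: a decoded manifest whose permission profile mirrors the one
# described above. The package name and component names are placeholders.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android" package="com.example.fakebank">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="Bank">
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".Admin" android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
  </application>
</manifest>"""

# Runtime permissions that, combined with the two bindings below, match the
# SMS, call and contact-list capabilities described in the text.
SMS_CALL_CONTACTS = {
    "android.permission.READ_SMS", "android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
    "android.permission.CALL_PHONE", "android.permission.READ_CONTACTS",
}

def triage_manifest(xml_text):
    """Return a dict of findings and a coarse verdict for a decoded manifest."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    # Accessibility services and device-admin receivers are identified by the
    # system permission that protects the component, not by uses-permission.
    component_perms = {e.get(ANDROID_NS + "permission")
                       for tag in ("service", "receiver") for e in root.iter(tag)}
    findings = {
        "accessibility_service": "android.permission.BIND_ACCESSIBILITY_SERVICE" in component_perms,
        "device_admin_receiver": "android.permission.BIND_DEVICE_ADMIN" in component_perms,
        "sms_call_contacts": sorted(requested & SMS_CALL_CONTACTS),
    }
    if findings["accessibility_service"] and findings["device_admin_receiver"]:
        findings["verdict"] = "high"      # both bindings: the profile described above
    elif findings["accessibility_service"] or findings["device_admin_receiver"]:
        findings["verdict"] = "medium" if findings["sms_call_contacts"] else "low"
    else:
        findings["verdict"] = "low"
    return findings
```

A legitimate banking app rarely needs an Accessibility service or device-admin rights, so a "high" verdict on a package claiming to be one warrants manual review rather than distribution.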
The latest Hydra Android Trojan version is also equipped with TeamViewer functionality, in a similar way to the S.O.V.A. Android banking Trojan. In addition, it has improved its detection evasion by using several encryption techniques and Tor for communication.