[MART] - Daily Diary #360 - New Hydra Android Banking Trojan Campaign

CTAS-MAT ctas-mat at appgate.com
Fri Oct 1 18:27:51 UTC 2021


Hello,

I hope everyone is doing well!

Below is the entry for today.

10/01/2021 - Diary entry #360:


Hydra is an Android banking Trojan discovered in 2019. A new campaign was disclosed, targeting users of Germany's second-largest bank, Commerzbank. The campaign was based on a phishing message that delivered an APK named "Commerzbank Security" carrying the official app icon.


The malware's code is packed to evade signature-based detection: its real classes are hidden in an encrypted DEX file stored in the APK's assets folder. The packer decrypts the DEX file and loads its classes at run time. It also includes an anti-sandbox check that tests whether it is running in an emulated environment.
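One defender-side triage check that follows from this packing scheme, written for this diary entry rather than taken from it or from Appgate: scan the assets/ entries of an APK for plaintext DEX files and for opaque, high-entropy blobs of the kind an encrypted DEX produces. The APK here is a constructed in-memory zip, and the 7.5 bits/byte threshold is an assumption chosen for the demonstration.

```python
import io
import math
import random
import zipfile
from collections import Counter

DEX_MAGIC = b"dex\n"  # leading bytes of an unencrypted DEX file


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def triage_assets(apk_bytes: bytes, threshold: float = 7.5, min_size: int = 1024) -> dict:
    """Return {asset_path: reason} for assets/ entries that deserve a closer look."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            if info.is_dir() or not info.filename.startswith("assets/"):
                continue
            data = apk.read(info.filename)
            if data.startswith(DEX_MAGIC):
                findings[info.filename] = "plaintext DEX in assets"
            elif len(data) >= min_size:
                h = shannon_entropy(data)
                if h >= threshold:  # encrypted payload candidate
                    findings[info.filename] = f"high entropy ({h:.2f} bits/byte)"
    return findings


def build_sample_apk() -> bytes:
    """Constructed stand-in for an APK: a zip with one benign and one opaque asset."""
    rng = random.Random(1)
    blob = bytes(rng.randrange(256) for _ in range(8192))  # stands in for an encrypted DEX
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex", DEX_MAGIC + b"035\0" + b"\0" * 64)  # tiny loader stub
        z.writestr("assets/config.json", b'{"locale": "de", "theme": "light"}' * 40)
        z.writestr("assets/payload.bin", blob)
    return buf.getvalue()


if __name__ == "__main__":
    for path, reason in triage_assets(build_sample_apk()).items():
        print(f"{path}: {reason}")
```

A small classes.dex next to a large high-entropy asset is the combination to look for; legitimate apps also ship compressed media in assets/, so the hit is a lead for manual review, not a verdict.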


The fake app requests a total of 21 permissions. Some of them are dangerous and common in Android Trojans, such as "Bind Accessibility" and "Bind Device Admin". These two permissions are abused to intercept actions on the device, emulate clicks and keyboard input, and obtain the admin privileges required to lock the device and manipulate the screen-lock PIN.


Hydra can collect personal information, send SMS messages, make phone calls, create overlay screens on top of other apps, disable Google Play Protect, hide its icon, stream the device screen, and more. It also collects and uploads data to the C&C server, which is provided as a Tor URL that acts as a proxy. When accessed through a browser, the C&C URL shows a login panel with a Russian-language title.


The threat actors behind Hydra keep enhancing its techniques and constantly add new features, making it an increasingly sophisticated piece of malware. We highly recommend not granting dangerous permissions to suspicious apps, and not installing apps delivered by unofficial or third-party sources.


Kind Regards,




Felipe Tarijon de Almeida
Malware Analyst
Appgate

E: felipe.tarijon at appgate.com
O: +55 11 97467 9549


