Cyble – Hydra Android Malware Distributed Via Play Store

Cyble Research Labs identified an Android malware variant distributed via the Play Store that acts as a Hostile Downloader to fetch the Hydra Banking Trojan. The app masquerades as Document Manager, uses fake update prompts, and communicates with a TOR-enabled C2 to drop Hydra and perform banking-trojan activities.
#Hydra #HostileDownloader #HydraAndroidBankingTrojan #PlayStore #TrackerPDFConnect #TOR #Colombia

Keypoints

  • Hydra Android Banking Trojan variant distributed via the Play Store as a Hostile Downloader.
  • The app disguises itself as a legitimate Document Manager (App Name: Document Manager; Package: com.anatolijserba.docscanner) and has >10,000 downloads.
  • Users are shown fake update prompts and prompted to enable installation from unknown sources to drop Hydra.
  • The Hostile Downloader downloads a Hydra APK (doc_hy_0806_obf_3.apk) that is custom packed and drops a dex file (rfrNI.json) at runtime.
  • Hydra then performs banking Trojan activities: collect contacts/SMS, steal cookies, inject crypto apps, steal OTPs, abuse Accessibility Service, and initiate TOR for C2 communication.
  • Hydra’s command-and-control uses trackerpdfconnect[.]com/get_random_file and a TOR-based channel, with admin panels hosting multiple Hydra variants.
  • Cyble notes a shift from Colombia-targeted phishing campaigns to distribution via Play Store, enabling broad device impact.

MITRE Techniques

  • [T1415] Deliver Malicious App via Authorized App Store – Android malware variant published on the Play Store. Quote: “Android malware variant published on the Play Store.”
  • [T1444] Masquerade as Legitimate Application – App Name: Document Manager and Package Name: com.anatolijserba.docscanner. Quote: “App Name: Document Manager” and “Package Name: com.anatolijserba.docscanner.”
  • [T1406] Obfuscated Files or Information – The downloaded APK file doc_hy_0806_obf_3.apk is custom packed. Quote: “The downloaded APK file ‘doc_hy_0806_obf_3.apk’ is custom packed.”
  • [T1412] Capture SMS Messages – Hydra activities include collecting SMS details. Quote: “Collecting contact and SMS details.”
  • [T1421] System Network Connections Discovery – The downloader opens a TOR connection to obtain the C&C URL. Quote: “The following code has been used to create a TOR connection that will receive the C&C URL.”
  • [T1571] Non-Standard Port – Inferred from the TOR-based C2 channel; the report states no specific port. Quote: “Figure 6 – TOR Communication.”
  • [T1573] Encrypted Channel – TOR is used as the transport for receiving commands, which encrypts the channel end to end. Quote: “Figure 6 – TOR Communication.”
  • [T1447] Deleting Device Data – Hydra’s impact includes potential data deletion. Quote: “Deleting Device Data.”
  • [T1409] Access Stored Application Data – Hydra capabilities include accessing stored app data. Quote: “Access Stored Application Data.”

Indicators of Compromise

  • [Hash] SHA256 – 70b9e0094ccb6a3e47bcb6fe66946dea4c233b5a6e9d7c5de29bfd852666a235, c7300e6de3d9c6f1ad622a1e884f00d43340c381fb87c87514ef3ca2156fdf5b
  • [Hash] SHA1 – 3a1bcdb56fa736d25221e5a9ded91172ff96e0e5, 4155c71ee1e03cefe5b67bc89c2235266327baa4
  • [Hash] MD5 – dc4a4995535d628102ef4f286b867e49, 116fea8c63bce4908ec1307e20ed96ba
  • [URL] Tracker URL – hxxps://trackerpdfconnect[.]com/get_random_file
  • [URL] TOR proxy – hxxp://newdb5ge5dz5schqawxsxuomspxsyb5xqk65v4j2fdeynds4vsgstrad[.]onion/api/mirrors
  • [URL] C2 server – hxxp://servservfreeupdate[.]top
  • [URL] C2 server – hxxp://wayneconnectingservice[.]hk
  • [URL] C2 server – hxxp://allupdatesecuretynow[.]com
  • [File] APK – doc_hy_0806_obf_3.apk
  • [File] Dex – rfrNI.json
  • [App] Package – com.anatolijserba.docscanner
  • [App] App Name – Document Manager
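The two points worth operationalising from the report are the dropped dex disguised as a .json file (rfrNI.json) and the listed file, hash and domain indicators. The following scanner is an added example written for this summary, not code from Cyble or from the malware; it opens an APK as a zip, flags any entry that carries the DEX magic (dex\n + 3-digit version + NUL) under a non-.dex name, hashes the archive against the SHA256 IoCs, and greps entries for the report's domains. The sample archive it builds is constructed in memory for the demonstration and is not a real Hydra artefact; the helper names (scan_archive, build_sample_apk, is_suspicious) are this example's own.

```python
import hashlib
import io
import re
import zipfile

# Indicators from the report above, with defanging removed so they can be matched.
IOC_SHA256 = {
    "70b9e0094ccb6a3e47bcb6fe66946dea4c233b5a6e9d7c5de29bfd852666a235",
    "c7300e6de3d9c6f1ad622a1e884f00d43340c381fb87c87514ef3ca2156fdf5b",
}
IOC_DOMAINS = (
    b"trackerpdfconnect.com",
    b"servservfreeupdate.top",
    b"wayneconnectingservice.hk",
    b"allupdatesecuretynow.com",
    b"newdb5ge5dz5schqawxsxuomspxsyb5xqk65v4j2fdeynds4vsgstrad.onion",
)
IOC_FILENAMES = ("doc_hy_0806_obf_3.apk", "rfrNI.json")

# A DEX file begins with "dex\n" + three-digit version + NUL (e.g. b"dex\n035\x00"),
# regardless of the extension the dropper stores it under.
DEX_MAGIC = re.compile(rb"^dex\n\d{3}\x00")


def scan_archive(data: bytes, name: str = "") -> dict:
    """Scan an APK (zip) held in memory and return the matched indicators."""
    findings = {
        "sha256": hashlib.sha256(data).hexdigest(),
        "hash_match": False,
        "filename_match": name.rsplit("/", 1)[-1] in IOC_FILENAMES,
        "hidden_dex": [],   # entries with DEX magic but a non-.dex name
        "domains": [],      # report domains found inside any entry
    }
    findings["hash_match"] = findings["sha256"] in IOC_SHA256
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            content = zf.read(info)
            base = info.filename.rsplit("/", 1)[-1]
            if base in IOC_FILENAMES:
                findings["filename_match"] = True
            if DEX_MAGIC.match(content) and not base.endswith(".dex"):
                findings["hidden_dex"].append(info.filename)
            for dom in IOC_DOMAINS:
                if dom in content and dom.decode() not in findings["domains"]:
                    findings["domains"].append(dom.decode())
    return findings


def is_suspicious(findings: dict) -> bool:
    """Any single indicator is enough to pull the sample for analysis."""
    return bool(findings["hash_match"] or findings["filename_match"]
                or findings["hidden_dex"] or findings["domains"])


def _build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def build_sample_apk() -> bytes:
    """Constructed sample (not real malware): a normal classes.dex, a DEX hidden
    under the rfrNI.json name, and a config string pointing at the tracker domain."""
    return _build_zip({
        "AndroidManifest.xml": b"<placeholder/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
        "assets/rfrNI.json": b"dex\n035\x00" + b"\x00" * 64,
        "assets/config.txt": b"update=https://trackerpdfconnect.com/get_random_file\n",
    })


def build_benign_apk() -> bytes:
    """Constructed clean sample: only a classes.dex and a harmless asset."""
    return _build_zip({
        "AndroidManifest.xml": b"<placeholder/>",
        "classes.dex": b"dex\n035\x00" + b"\x00" * 64,
        "assets/readme.json": b'{"name": "Document Manager"}',
    })


if __name__ == "__main__":
    print(scan_archive(build_sample_apk(), "sample.apk"))
    print(scan_archive(build_benign_apk(), "clean.apk"))
```

The DEX-magic check is the durable part: hashes and domains rotate between Hydra builds, whereas a payload that must be loaded by DexClassLoader still has to start with the DEX header whatever name it is stored under. Run the scanner over any APK with `scan_archive(open(path, "rb").read(), path)`.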

Read more: https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/