Specialists warn of a brand new Hydra banking trojan marketing campaign concentrating on European e-banking platform customers, together with the shoppers of Commerzbank.
Specialists warn of a malware marketing campaign concentrating on European e-banking platform customers with the Hydra banking trojan. In keeping with malware researchers from the MalwareHunterTeam and Cyble, the brand new marketing campaign primarily impacted the shoppers of Commerzbank, Germany’s second-largest financial institution. Hydra is an Android Banking Bot that has been lively a minimum of since early 2019.
Risk actors arrange a web page posing because the official CommerzBank web page and registered a number of domains on the identical IP (91.214.124[.]225). Crooks used the faux web site to unfold the contaminated CommerzBank apps.
In keeping with Cyble researchers, Hydra continues to evolve, the variants employed within the current marketing campaign incorporates TeamViewer performance, just like S.O.V.A. Android banking Trojan, and leverages completely different encryption methods to evade detection together with using Tor for communication. The brand new model can be in a position to disable the Play Defend Android safety function.
The consultants warn that the malware requests for 2 extraordinarily harmful permissions, BIND_ACCESSIBILITY_PERMISSION and BIND_DEVICE_ADMIN.
The Accessibility Service is a background service that aids customers with disabilities, whereas BIND_ACCESSIBILITY_SERVICE permission permits the app to entry the Accessibility Service.
“Malware authors abuse this service to intercept and monitor all actions taking place on the gadget’s display. For instance, utilizing Accessibility Service, malware authors can intercept the credentials entered on one other app.” states the analysis printed by Cyble. “BIND_DEVICE_ADMIN is a permission that permits faux apps to get admin privileges on the contaminated gadget. Hydra can abuse this permission to lock the gadget, modify or reset the display lock PIN, and many others.”
The malware asks different permissions to hold out malicious actions equivalent to entry SMS content material, ship SMSs, carry out calls, modify gadget settings, spy on person actions, ship bulk SMSs to sufferer’s contacts:
|CHANGE_WIFI_STATE||Modify Machine’s Wi-Fi settings|
|READ_CONTACTS||Entry to cellphone contacts|
|READ_EXTERNAL_STORAGE||Entry gadget exterior storage|
|WRITE_EXTERNAL_STORAGE||Modify gadget exterior storage|
|READ_PHONE_STATE||Entry cellphone state and knowledge|
|CALL_PHONE||Carry out name with out person intervention|
|READ_SMS||Entry person’s SMSs saved within the gadget|
|REQUEST_INSTALL_PACKAGES||Set up functions with out person interplay|
|SEND_SMS||Permits the app to ship SMS messages|
|SYSTEM_ALERT_WINDOW||Permits the show of system alerts over different apps|
The evaluation of the code revealed that numerous courses are lacking within the APK file. The malicious code makes use of a customized packer to evade signature-based detection.
“We have additionally noticed that the malware authors of Hydra are incorporating new know-how to steal info and cash from its victims. Alongside these options, the current trojans have integrated subtle options. We noticed the brand new variants have TeamViewer or VNC performance and TOR for communication, which exhibits that TAs are enhancing their TTPs.” concludes Cyble.
“Based mostly on this sample that now we have noticed, malware authors are always including new options to the banking trojans to evade detection by safety software program and to entice cybercriminals to purchase the malware. To guard themselves from these threats, customers ought to solely set up functions from the official Google Play Retailer.”
(SecurityAffairs – hacking, Hydra)