The Avira Threat Protection Labs team is a dedicated team, with team members based around the world, which also has its own research arm – this research arm focuses on emerging and developing threats.
The Hydra Banking Trojan malware has been targeting Android banking customers since 2019. Now, researchers in Threat Protection Labs have identified a new pattern and technique in use, seeing this malware being poised and ready to be deployed to target a wider set of Android users. The research team have seen that Hydra Banking Trojan 2.0, is now preparing to target crypto apps, having previously focused on financial services and banking customers – its evolution shows it as poised to target consumers via over 200 apps.
This new threat was first spotted in January 2022 by Avira’s Threat Protection team, leading to a deep dive with conclusions reached in March 2022, shared below.
While checking one internet monitoring cyber threat intelligence feed we noticed quite a strange URL. The host was just an IP, no domain, ending with the mundane ’download.php‘. Simple yet surprising when noticing it was serving an APK with a hash not seen anywhere else before.
At that moment, little did we know it would lead to the discovery of an ongoing Hydra campaign targeting ~50 million German and Austrian banking customers and potentially many other targets.
Hydra is an Android BankBot variant, a type of malware designed to steal banking credentials. The way it does this is by requesting the user enables dangerous permissions such as accessibility and every time the banking app is opened, the malware is hijacking the user by overwriting the legit banking application login page with a malicious one. The goal is the same, to trick the user to enter his login credentials so that it will go straight to the malware authors.
2. Ongoing Campaign
The campaign appears to have been running since the last quarter of 2021 and is still ongoing at the time of writing this, March 2022
The host (172.121.14[.]62) from which this research started seems to have served more than 30 different samples (at the time of writing this) related to this campaign.
Looking at the domains being hosted on that IP we also notice a lot of phishing domains targeting BAWAG P.S.K. and CommerzBank users, masquerading as reputable organisations to trick consumers:
The Avira technology is successfully detecting this malware and quarantining it – as per the detection names below which appear when Avira picks up the malware, samples shown below – while we continued to research this malware and establish its course:
3. Dynamic analysis
Moving forward to the analysis of the sample, the first step was to send it to our in-house Dynamic Analysis Android Sandbox, aka DANY. After getting the behavioral report we noticed some interesting things.
The Avira Dynamic analysis report revealed the following behaviour:
- Accessibility service is used
- Drops a DEX which gets deleted afterwards
- Hides launcher icon
- Saved preferences contain a list of other banking apps’ package names
- Accesses an .onion DarkWeb URL
- Drops a zip file from URL
What we mean by an .onion DarkWeb URL
The dark web, also known as the deep web or dark net, is a privacy-focused part of the internet, running on the Tor Network. It’s harder to access, accessed through the Tor Browser, or through connection to the network using a special library to handle the necessary steps.
An .onion is a hidden service, a website running on the Tor Network. These domains usually have random characters and end with the .onion extension. They can’t easily be taken down by a central authority and the server hosting the website is difficult to locate. Their appeal to those people behind the Hydra Banking Trojan 2.0, is that they function on a private key mechanism. This means that anybody with the private key can keep that website up and maintain control, so even if the server hosting the website was found and taken down, in a short space of time the person with the private key could simply start it up once again.
1. The app’s name is BAWAG PSK Security and the logo is similar to one used by an Austrian Bank. Right off the bat it asks for accessibility permission.
Usually banking apps don’t ask you for that kind of permission, some even refuse to operate if you have a rooted phone, thus we can assume that this sample may be banker malware looking to steal some credentials.
Banking malware has been going around for a long time and is here to stay, the Covid pandemic has hugely accelerated the adoption of internet banking apps.
2. Nowadays, dropping a DEX file and deleting it is a practice used both by malware for hiding reasons, but also by clean apps in an obfuscation attempt. But we’ll take note of it and check it later
3. Now, hiding the app’s icon after giving the accessibility may also be a red flag, but it’s a technique again, also used by clean apps, yet they announce this to you beforehand so there’s nothing hidden under the table (or at least the good ones).
4. Looking over the Shared Preferences we notice a list of other banking and security apps’ package names under a key containing the word “injects”. We’re now highly suspicious.
5. Looking at the URLs accessed, we can see something really fascinating – an actual working request to an .onion Tor (DarkWeb) URL. (Taking a small explanatory break: to access an .onion URL you need to connect to the Tor network).
Now, when building DANY we didn’t add any Tor support by default, so unless it became sentient, the sample downloaded what it needed to perform such a connection
Following the network trail, we can see that the sample downloaded Tor libraries from a now inactive GitHub URL, then made a request to the .onion
the response being another url on the clearnet.
By using an .onion to get the “real” URL the malware authors minimize their losses. When the “real” URL’s domain gets taken down, another one can be set up and the response from the .onion will simply be updated, as the .onion, by design, can only be taken down by the one who holds its private key.
This way, if someone downloads the sample after a few years and the initial “real” URL was banned, the infection will still be effective.
6. Continuing with the network path, the “real” URL is used to download a zip file.
What is in that archive you ask? Well that’s actually the core of the entire sample.
Inside the inj folder is a list of folders containing phishing html kits, whereby the malware is masquerading as reputable major banks in Germany and Austria such as: Volksbank, Bank Austria, BAWAG P.S.K., CommerzBank, Deutsche Bank, easybank, Santander Consumer Bank and some pin apps of Huawei and Samsung phones.
We observed some of them in a state of “TODO”, indicating they are the most probable next targets.
What is even more concerning is what was found in the other folder of the archive
We came upon a stash of more than 200 icons belonging to European banking apps, Crypto apps and other popular apps. All the indications point in conclusion towards this malware campaign evolving throughout 2022, not only targeting a larger network of European banks, but also targeting the crypto realm.
Based on this information alone we could label the sample as malware and write a behavioral rule to detect this type of family, ensuring our systems maintain their high detection rates. In addition to this, we’re now going the extra mile into the static analysis realm – as there may be other dormant behavior or IoCs which could help us in finding other samples and employ even better clustering techniques, to route this malware out.
4. Static analysis
Let’s take a look over the dropped dex, shall we?
The first thing we notice are the strings encrypted using XOR and a per class lookup table, in a similar way Flubot does, thus using the same decryption method.
Now that we can better understand what’s going on, let’s take a look over what is happening with those icons and phishing html files at the code level.
The intercepted notification is now sent to the CC and also displayed without any change. But what is up with that dropped folder with lots of apps icons? Well, due to some limitation of Android, you can only get the launcher icon of an installed app, not the one displayed inside the notification (yes, they are different). Thus, the malware authors made a big list of icons for the intercepted notifications. Even though the notifications’ text is not manipulated in any way now, in the near future it could be and the list of the dropped notification icons may be the list of targets for that.
When an app is started it will be checked to see if it is indeed one of the targets and our research tells us that if that’s the case, the dropped html files will be used as a phishing login page to collect the victims’ credentials.
Some other interesting capabilities include:
Exfiltrating all sent & received SMS text messages
Cutting the internet connection surely will stop the malware from stealing my stuff, right?
There is no benefit to cutting the connection, so that is not an option to stop this malware in its tracks. The malware goes to the settings and enables the Wi-Fi/Mobile Data on its own.
The malware also checks if the execution environment is a popular Android emulator like AVD, Genymotion or VirtualBox or a real Android device as shown in Figure 23.
Hiding the app from the launcher
‘What if we just delete the malware by going to the Settings and uninstall it, even if it doesn’t have an icon?’
Unfortunately that won’t help a consumer. Every time you manage to get there and click Uninstall, it circumvents this tactic as you will discover you’re sent back to the Home screen.
Exfiltrating the unlocking pin to the CC
Sending bulk SMS text messages to all the contacts
TeamViewer integration, in case the malware authors want to see/do some custom actions on the infected devices
Last but not least, one artifact which may unfortunately reflect reality:
MITRE Mobile ATT&CK v10 Techniques
|collection||T1409||Access Stored Application Data|
|collection||T1410||Network Traffic Capture or Redirection|
|collection||T1412||Capture SMS Messages|
|collection||T1413||Access Sensitive Data in Device Logs|
|collection||T1432||Access Contact List|
|collection||T1433||Access Call Log|
|collection||T1533||Data from Local System|
|command-and-control||T1437||Standard Application Layer Protocol|
|command-and-control||T1438||Alternate Network Mediums|
|command-and-control||T1509||Uncommonly Used Port|
|credential-access||T1409||Access Stored Application Data|
|credential-access||T1410||Network Traffic Capture or Redirection|
|credential-access||T1412||Capture SMS Messages|
|credential-access||T1413||Access Sensitive Data in Device Logs|
|defense-evasion||T1406||Obfuscated Files or Information|
|defense-evasion||T1444||Masquerade as Legitimate Application|
|defense-evasion||T1447||Delete Device Data|
|defense-evasion||T1508||Suppress Application Icon|
|defense-evasion||T1523||Evade Analysis Environment|
|defense-evasion||T1576||Uninstall Malicious Application|
|defense-evasion||T1604||Proxy Through Victim|
|discovery||T1523||Evade Analysis Environment|
|exfiltration||T1437||Standard Application Layer Protocol|
|exfiltration||T1438||Alternate Network Mediums|
|impact||T1447||Delete Device Data|
|impact||T1448||Carrier Billing Fraud|
|initial-access||T1444||Masquerade as Legitimate Application|
|initial-access||T1476||Deliver Malicious App via Other Means|
|network-effects||T1439||Eavesdrop on Insecure Network Communication|
|network-effects||T1463||Manipulate Device Communication|
|privilege-escalation||T1401||Device Administrator Permissions|
|remote-service-effects||T1468||Remotely Track Device Without Authorization|
Conclusion & further assumptions
In a nutshell, combining third-party cyber threat intelligence sources with Avira’s Behavioral Analysis Android Sandbox, aka DANY, and some manual analysis we were able to gain a better look at an ongoing malware campaign targeting users from major banks of Germany and Austria.
While currently this campaign targets banking users from Central Europe, the artifacts found make us believe they will soon expand to the rest of Europe, as Hydra Banking Trojan 2.0 attempts to spread its tentacles. Moreover, at Avira our research highlights that it will be aiming squarely at the crypto space, targeting even more people, as they access crypto apps.
2022 may be the year of crypto malware. This type of malware has been on the rise and this new research indicates just how crypto malware is set to aggressively target more unsuspecting victims across Europe this year.
Sometimes, fast adoption of technology is a good thing, but being fast sometimes means skipping steps in your growth. If you have people around you who are new to the realm of Internet Banking like your parents or grandparents, please be patient and share some of your internet behavior knowledge with them.
Also, here are some recommendations for being safe while doing banking from your phone:
- Always keep your device up to date
- Use a reputable mobile security solution for Android (such as Avira Antivirus Security, Norton Mobile Security, or any other trustworthy solution), to help you avoid malware, it’s certainly worth considering the free versions available.
- Official Banking Apps are always on Google Play Store (or the equivalent official store from your region), do not install apps by clicking on random links.
- When in doubt, seek professional help.
- Don’t click links in sketchy text messages. They can take you to spoof sites that look real but will steal your personal information or install malware on your device.