Fake Document Manager App Downloading Hydra Banking Trojan
During our routine threat hunting exercise, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.
The downloaded app has the same functionality as recently encountered Hydra variants targeting Columbia. Hydra Android Banking Trojan was discovered in early 2019; since then, it has frequently changed its distribution campaign.
The malware currently pretends to be the Document Manager app and has gained over 10,000 downloads in a short period. According to the Play Store statistics, the app was updated on May 30, 2022, and released on June 3, 2022.
Technical Analysis  Â
APK Metadata Information  Â
- App Name: Document Manager
- Package Name: com.anatolijserba.docscanner   
- SHA256 Hash: 70b9e0094ccb6a3e47bcb6fe66946dea4c233b5a6e9d7c5de29bfd852666a235
  
Figure 2 shows the metadata information of an application. 
Manifest Description Â
The malicious application mentions six permissions, of which the Threat Actor (TA) exploits one. The harmful permission requested by the malware is: 
| Permission   | Description  |
| REQUEST_INSTALL_PACKAGES | Allows an application to request installing packages |
Source Code Review Â
Upon installation, the malware shows a fake update dialogue box that tricks the user into granting permission to download Hydra malware from an unknown source.
The below figure shows the execution flow of the malware after installation, where the following events occur:
- The application is installed
- The victim is prompted with a fake update dialog box
- The application requests permission to download further applications from unknown sources
- The malicious application is downloaded
- The application prompts the victim for Accessibility Services access
The below image showcases the malware communication to the TA’s Command & Control (C&C) server “hxxps://trackerpdfconnect[.]com/get_random_file“. After this, the Hostile Loader downloads the APK file named “doc_hy_0806_obf_3.apk,” – which is a variant of Hydra malware.
The TA’s C&C admin panel also has a list of Hydra variant APK files, which are downloaded by the Hostile Downloader app during runtime. Our dynamic analysis indicates that the Hostile Downloader application chooses these hosted APK files seemingly at random.
The downloaded APK file “doc_hy_0806_obf_3.apk” is custom packed, which further drops a dex file “rfrNI.json” during execution.
The downloaded malware then performs standard Hydra Banking Trojan activities such as:
- Collecting contact and SMS details
- Stealing Cookies
- Injecting crypto applications
- Stealing OTPs, device lock PINs, etc
- Abusing Accessibility Service to prevent uninstallation
- Initiating TOR connection
The below code has been used to create a TOR connection that will receive the C&C URL.
Cyble Research Labs has analyzed the Hydra Android Banking trojan in the past, where we observed it targeting European banking users. The malware hosted on the Play Store distributes the same Hydra variant, which can affect any Android user.
Over the course of our research, we were able to gain access to the Threat Actor’s C&C panel, which then gave us several insights, such as metrics about the downloads and installation of the malicious applications.
We observed that the TA also collects the device ID, name, installation date, and status and stores them in the C&C panel, as shown below.
ConclusionÂ
Recently, we have observed increased Hydra malware activity. In April, the campaign started to target Columbia by distributing the malware through various phishing sites. Interestingly, now the TA has opted for the Play Store as a medium for distribution.
To avoid being detected, the TA has published the Hostile Downloader app, which will download the malware after installation. This is one of the ways that the TA can bypass the Play Store automation or Machine Learning techniques and publish the malware as it requires minimum permissions.
The TA has seemingly used this technique successfully as the malware gained over 10,000 downloads and affected several users.
Our RecommendationsÂ
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  
How to prevent malware infection?Â
- Download and install software only from official app stores like Play Store or the iOS App Store.
- Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.
- Use strong passwords and enforce multi-factor authentication wherever possible.
- Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.
- Be wary of opening any links received via SMS or emails delivered to your phone.
- Ensure that Google Play Protect is enabled on Android devices.
- Be careful while enabling any permissions.
- Keep your devices, operating systems, and applications updated.
How to identify whether you are infected?Â
- Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.
- Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly.
What to do when you are infected?Â
- Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data.
- Perform a factory reset.
- Remove the application in case a factory reset is not possible.
- Take a backup of personal media Files (excluding mobile applications) and perform a device reset.
What to do in case of any fraudulent transaction?Â
- In case of a fraudulent transaction, immediately report it to the concerned bank.
What should banks do to protect their customers?Â
- Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.
MITRE ATT&CK® TechniquesÂ
| Tactic | Technique ID | Technique Name |
| Initial Access | T1415 | Deliver Malicious App via Authorised App Store |
| Initial Access | T1444 | Masquerade as Legitimate Application |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Credential Access | T1412 | Capture SMS Messages |
| Discovery | T1421 | System Network Connections Discovery |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1573 | Encrypted Channel |
| Impact | T1447 | Deleting Device Data |
| Credential Access | T1409 | Access Stored Application Data |
Indicators of Compromise (IOCs)
| Indicators | Indicator Type | Description |
| 70b9e0094ccb6a3e47bcb6fe66946dea4c233b5a6e9d7c5de29bfd852666a235 | SHA256 | Hash of the Hostile Downloader APk file |
| 3a1bcdb56fa736d25221e5a9ded91172ff96e0e5 | SHA1 | Hash of the Hostile Downloader APk file |
| dc4a4995535d628102ef4f286b867e49 | MD5 | Hash of the Hostile Downloader APk file |
| hxxps://trackerpdfconnect[.]com | URL | Hydra Downloader URL |
| c7300e6de3d9c6f1ad622a1e884f00d43340c381fb87c87514ef3ca2156fdf5b | SHA256 | Hash of the Hydra malware |
| 4155c71ee1e03cefe5b67bc89c2235266327baa4 | SHA1 | Hash of the Hydra malware |
| 116fea8c63bce4908ec1307e20ed96ba | MD5 | Hash of the Hydra malware |
| hxxp://newdb5ge5dz5schqawxsxuomspxsyb5xqk65v4j2fdeynds4vsgstrad[.]onion/api/mirrors | URL | TOR proxy server |
| hxxp://servservfreeupdate[.]top | URL | C&C server |
| hxxp://wayneconnectingservice[.]hk | URL | C&C server |
| hxxp://allupdatesecuretynow[.]com | URL | C&C server |
