Hydra Android Malware Distributed Via Play Store

Fake Document Manager App Downloading Hydra Banking Trojan

During our routine threat hunting exercise, Cyble Research Labs came across a Twitter Post wherein the researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.

The downloaded app has the same functionality as recently encountered Hydra variants targeting Columbia. Hydra Android Banking Trojan was discovered in early 2019; since then, it has frequently changed its distribution campaign.

The malware currently pretends to be the Document Manager app and has gained over 10,000 downloads in a short period. According to the Play Store statistics, the app was updated on May 30, 2022, and released on June 3, 2022.

Figure 1 – Hostile Downloader app published on Play Store

Technical Analysis  

APK Metadata Information  

  • App Name: Document Manager 
  • Package Name: com.anatolijserba.docscanner  
  • SHA256 Hash: 70b9e0094ccb6a3e47bcb6fe66946dea4c233b5a6e9d7c5de29bfd852666a235


Figure 2 shows the metadata information of an application.  

Figure 2 – App Metadata Information 

Manifest Description  

The malicious application mentions six permissions, of which the Threat Actor (TA) exploits one. The harmful permission requested by the malware is:  

Permission  Description  
REQUEST_INSTALL_PACKAGES Allows an application to request installing packages

Source Code Review  

Upon installation, the malware shows a fake update dialogue box that tricks the user into granting permission to download Hydra malware from an unknown source.

The below figure shows the execution flow of the malware after installation, where the following events occur:

  • The application is installed
  • The victim is prompted with a fake update dialog box
  • The application requests permission to download further applications from unknown sources
  • The malicious application is downloaded
  • The application prompts the victim for Accessibility Services access

Figure 3 – Malware execution flow

The below image showcases the malware communication to the TA’s Command & Control (C&C) server “hxxps://trackerpdfconnect[.]com/get_random_file“. After this, the Hostile Loader downloads the APK file named “doc_hy_0806_obf_3.apk,” – which is a variant of Hydra malware.

Figure 4 – Downloading the malicious APK file

The TA’s C&C admin panel also has a list of Hydra variant APK files, which are downloaded by the Hostile Downloader app during runtime. Our dynamic analysis indicates that the Hostile Downloader application chooses these hosted APK files seemingly at random.

Figure 5 – Hydra malware present on the admin panel

The downloaded APK file “doc_hy_0806_obf_3.apk” is custom packed, which further drops a dex file “rfrNI.json” during execution.

 The downloaded malware then performs standard Hydra Banking Trojan activities such as:

  • Collecting contact and SMS details
  • Stealing Cookies
  • Injecting crypto applications
  • Stealing OTPs, device lock PINs, etc
  • Abusing Accessibility Service to prevent uninstallation
  • Initiating TOR connection

The below code has been used to create a TOR connection that will receive the C&C URL.

Figure 6 – TOR Communication

Cyble Research Labs has analyzed the Hydra Android Banking trojan in the past, where we observed it targeting European banking users. The malware hosted on the Play Store distributes the same Hydra variant, which can affect any Android user.

Over the course of our research, we were able to gain access to the Threat Actor’s C&C panel, which then gave us several insights, such as metrics about the downloads and installation of the malicious applications.

We observed that the TA also collects the device ID, name, installation date, and status and stores them in the C&C panel, as shown below.

Figure 7 – C&C Admin Panel


Recently, we have observed increased Hydra malware activity. In April, the campaign started to target Columbia by distributing the malware through various phishing sites. Interestingly, now the TA has opted for the Play Store as a medium for distribution.

To avoid being detected, the TA has published the Hostile Downloader app, which will download the malware after installation. This is one of the ways that the TA can bypass the Play Store automation or Machine Learning techniques and publish the malware as it requires minimum permissions.

The TA has seemingly used this technique successfully as the malware gained over 10,000 downloads and affected several users.   

Our Recommendations 

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

How to prevent malware infection? 

  • Download and install software only from official app stores like Play Store or the iOS App Store. 
  • Use a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices. 
  • Use strong passwords and enforce multi-factor authentication wherever possible. 
  • Enable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible. 
  • Be wary of opening any links received via SMS or emails delivered to your phone. 
  • Ensure that Google Play Protect is enabled on Android devices. 
  • Be careful while enabling any permissions. 
  • Keep your devices, operating systems, and applications updated. 

How to identify whether you are infected? 

  • Regularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices. 
  • Keep an eye on the alerts provided by Anti-viruses and Android OS and take necessary actions accordingly. 

What to do when you are infected? 

  • Disable Wi-Fi/Mobile data and remove SIM card – as in some cases, the malware can re-enable the Mobile Data. 
  • Perform a factory reset. 
  • Remove the application in case a factory reset is not possible. 
  • Take a backup of personal media Files (excluding mobile applications) and perform a device reset. 

What to do in case of any fraudulent transaction? 

  • In case of a fraudulent transaction, immediately report it to the concerned bank. 

What should banks do to protect their customers? 

  • Banks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails. 

MITRE ATT&CK® Techniques 

Tactic Technique ID Technique Name 
Initial Access T1415Deliver Malicious App via Authorised App Store
Initial Access T1444 Masquerade as Legitimate Application 
Defense Evasion T1406 Obfuscated Files or Information 
Credential Access T1412 Capture SMS Messages 
Discovery T1421   System Network Connections Discovery 
Command and Control T1571 Non-Standard Port 
Command and Control T1573 Encrypted Channel 
Impact T1447 Deleting Device Data 
Credential Access T1409 Access Stored Application Data 

Indicators of Compromise (IOCs) 

IndicatorsIndicator TypeDescription
70b9e0094ccb6a3e47bcb6fe66946dea4c233b5a6e9d7c5de29bfd852666a235SHA256Hash of the Hostile Downloader APk file
3a1bcdb56fa736d25221e5a9ded91172ff96e0e5SHA1Hash of the Hostile Downloader APk file
dc4a4995535d628102ef4f286b867e49MD5Hash of the Hostile Downloader APk file
hxxps://trackerpdfconnect[.]comURLHydra Downloader URL
c7300e6de3d9c6f1ad622a1e884f00d43340c381fb87c87514ef3ca2156fdf5bSHA256Hash of the Hydra malware
4155c71ee1e03cefe5b67bc89c2235266327baa4SHA1Hash of the Hydra malware
116fea8c63bce4908ec1307e20ed96baMD5Hash of the Hydra malware
hxxp://newdb5ge5dz5schqawxsxuomspxsyb5xqk65v4j2fdeynds4vsgstrad[.]onion/api/mirrorsURLTOR proxy server
hxxp://servservfreeupdate[.]topURLC&C server
hxxp://wayneconnectingservice[.]hkURLC&C server
hxxp://allupdatesecuretynow[.]comURLC&C server

Comments are closed.

Scroll to Top