There has been a significant increase in digital transactions over the past year, particularly due to the COVID-19 pandemic, which has forced people to rely heavily on online services. However, this increase in digital traffic has not gone unnoticed. Cybercriminals have seen it as an opportunity to target users. Recently, we came across several scenarios where cyber fraudsters target bank customers. We have covered one such incident in this report.
Cyble researchers came across a phishing campaign targeting CommerzBank. This campaign came to our attention via a researcher’s Twitter Post.
Commerzbank Aktiengesellschaft is a major German bank that has global operations, headquartered in Frankfurt am Main.
In the Twitter post, the researcher mentioned that Android malware is spreading through a page posing as the official CommerzBank page. It also highlighted that the Threat Actor(s) (TA) registered multiple domains on the same IP and that the fake website spreads malicious apps posing as the CommerzBank app.
Refer to Figure 1.
The IP of the phishing domain: 91.214.124[.]225
Cyble’s Research Labs has collected samples related to this campaign and analyzed them thoroughly. Based on our analysis, we determined that the malware is a variant of Hydra, an Android Banking Bot initially found in early 2019.
From our analysis, Hydra has evolved beyond standard banking trojan behavior such as creating overlays to steal credentials. It now incorporates TeamViewer-like remote control functionality, similar to the S.O.V.A. malware, uses different encryption techniques to evade detection, and uses Tor for communication.
Our research team also observed that there are HQwar Banking trojans posing as CommerzBank mobile apps.
Technical Analysis Of Hydra
The Hydra malware shares the same icon and app name as the CommerzBank Mobile app as shown below.
APK File Information
- APP Name: Commerzbank Security
- Package Name: com.qcavvlvk.woucngh
- SHA256: 5e9f31ecca447ff0fa9ea0d1245c938dcd4191b6944f161e35a0d27aa41b102f
Manifest Description
The fake app requests 21 different permissions, of which the TA abuses 10. The dangerous permissions are:

| Permission Name | Description |
| --- | --- |
| CHANGE_WIFI_STATE | Modify the device’s Wi-Fi settings |
| READ_CONTACTS | Access the phone contacts |
| READ_EXTERNAL_STORAGE | Read the device’s external storage |
| WRITE_EXTERNAL_STORAGE | Modify the device’s external storage |
| READ_PHONE_STATE | Access phone state and information |
| CALL_PHONE | Place a call without user intervention |
| READ_SMS | Access the user’s SMSs stored on the device |
| REQUEST_INSTALL_PACKAGES | Install applications without user interaction |
| SEND_SMS | Allows the app to send SMS messages |
| SYSTEM_ALERT_WINDOW | Allows the app to display windows over other apps |
The Hydra malware also requests two extremely dangerous permissions, BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN.
Accessibility Service is a background service running on the device to aid users with disabilities. BIND_ACCESSIBILITY_SERVICE permission allows the app to access the Accessibility Service.
Malware authors abuse this service to intercept and monitor all activities happening on the device’s screen. For example, using Accessibility Service, malware authors can intercept the credentials entered on another app.
BIND_DEVICE_ADMIN is a permission that allows fake apps to get admin privileges on the infected device. Hydra can abuse this permission to lock the device, modify or reset the screen lock PIN, etc.
Once these permissions are granted, the malware performs activities such as:
- Collecting contacts and SMSs.
- Stealing credentials such as OTPs, device lock screen PIN etc.
- Modifying device settings.
- Spying on user activities.
- Sending bulk SMSs to victim’s contacts.
Manifest Analysis
The malware has multiple entry points declared in the application’s manifest file:
- com.gameloft.titanic.k: The class which executes initially when the victim launches the app.
- com.qcavvlvk.woucngh.MainActivity: The class which executes and shows the first page of the application.
- com.qcavvlvk.woucngh.bot.receivers.MainReceiver: A listener class to start the malware behavior upon device reboot.
Our investigation of the sample revealed that the APK file is missing some classes mentioned in the manifest (shown in Figure 3).
Some of the missing classes are listed in the table below.

| Missing classes | Class description |
| --- | --- |
| com.qcavvlvk.woucngh.MainActivity | Launcher class |
| com.qcavvlvk.woucngh.bot.receivers.MainReceiver | Listener triggered on device reboot |
| com.qcavvlvk.woucngh.bot.components.injects.system.InjAccessibilityService | Class used to handle the Accessibility Service |
| com.qcavvlvk.woucngh.bot.HelperAdmin$MyHomeReceiver | Class used to handle the Device Admin service |
Source Code Analysis
Upon inspecting the APK file, we observed that the MainActivity, MainReceiver, and various other classes mentioned in the table are missing in the APK file. The malware uses a custom packer to evade signature-based detection.
The fake app hides these classes inside a DEX file with the help of a custom packer. The DEX file is encrypted and stored in a file in the APK’s assets folder. The fake app unpacks and loads the classes from the DEX file during the execution phase. The APK file is shown in the figure below.
By reverse-engineering the sample, we decrypted and extracted the DEX file. This file contains all the missing classes, and upon inspection, we observed that these classes have malicious functionalities such as:
- Collecting personal information such as contacts, SMSs.
- Sending bulk SMSs.
- Creating overlay over other apps using SYSTEM_ALERT_WINDOW permission.
- Disabling Android’s built-in security feature – Google Play Protect.
- Screencasting the device screen to the TA’s system.
- Placing a phone call to a number provided by the TA.
- Subscribing to premium WAP services through SMSs or phone calls.
- Uploading hardware information of the infected device.
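The packer behaviour described above (manifest components absent from classes.dex, with the real code sitting encrypted in the assets folder) lends itself to a simple static triage check. The following helper is an added example written for this article, not Cyble's tooling or code from the sample: it reports declared components whose descriptor appears in no `classes*.dex`, and flags assets whose byte entropy is high enough to suggest an encrypted payload. The component list is the one the report gives; the APK built by `build_sample_apk()` is a constructed stand-in, not the real Hydra sample, and the entropy threshold of 7.5 bits/byte is an assumed heuristic.

```python
"""Added triage helper for packed APKs (example code for this article, not
Cyble's tooling). It (1) checks whether components declared in the manifest
are present in any classes*.dex, and (2) flags assets whose byte entropy
suggests an encrypted payload such as a packed DEX."""
import io
import math
import zipfile
from collections import Counter

# Components declared in the sample's manifest, as listed in the report.
DECLARED_COMPONENTS = [
    "com.gameloft.titanic.k",
    "com.qcavvlvk.woucngh.MainActivity",
    "com.qcavvlvk.woucngh.bot.receivers.MainReceiver",
]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/compressed data, much lower for text or code."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def dex_descriptor(class_name: str) -> bytes:
    """com.example.Foo -> b'Lcom/example/Foo;', the form stored in a DEX string table."""
    return ("L" + class_name.replace(".", "/") + ";").encode()


def missing_classes(apk_bytes: bytes, declared: list[str]) -> list[str]:
    """Return declared classes whose descriptor occurs in no classes*.dex entry.
    A raw byte search is a heuristic (no full DEX parse), but descriptors are
    stored as contiguous MUTF-8 strings, so it is reliable for this purpose."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        dex_blobs = [z.read(n) for n in z.namelist()
                     if n.startswith("classes") and n.endswith(".dex")]
    return [c for c in declared
            if not any(dex_descriptor(c) in blob for blob in dex_blobs)]


def suspicious_assets(apk_bytes: bytes, threshold: float = 7.5,
                      min_size: int = 1024) -> list[tuple[str, float]]:
    """Assets at or above the entropy threshold: candidates for an encrypted DEX."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as z:
        for name in z.namelist():
            if not name.startswith("assets/"):
                continue
            data = z.read(name)
            if len(data) >= min_size:
                ent = shannon_entropy(data)
                if ent >= threshold:
                    hits.append((name, round(ent, 2)))
    return hits


def build_sample_apk() -> bytes:
    """Constructed stand-in for a packed sample: classes.dex holds only the stub
    loader's descriptor, and the 'real' components live in a high-entropy asset."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("AndroidManifest.xml", b"<binary manifest placeholder>")
        z.writestr("classes.dex",
                   b"dex\n035\x00" + dex_descriptor("com.gameloft.titanic.k") + b"\x00" * 64)
        z.writestr("assets/payload.bin", bytes(range(256)) * 16)  # uniform bytes, entropy 8.0
        z.writestr("assets/strings.txt", b"plain text resource " * 100)
    return buf.getvalue()


if __name__ == "__main__":
    apk = build_sample_apk()
    print("missing from DEX:", missing_classes(apk, DECLARED_COMPONENTS))
    print("suspicious assets:", suspicious_assets(apk))
```

On a real sample you would feed the APK bytes from disk and take the declared component list from the decoded manifest (for example via `aapt dump xmltree`); a non-empty `missing_classes` result together with a high-entropy asset is the combination that points at a custom packer rather than at a simple build error.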
The code in Figure 5 shows how the Hydra malware collects contacts to upload to the Command and Control (C&C) server.
Figure 6 shows the code to collect phone numbers from the infected device contacts and send SMSs with the text provided by the TA.
Execution Behavior
Upon starting the fake app, Hydra malware initially requests the user to enable Accessibility permission. Once this permission is enabled, the malware enables other permissions such as Device Admin permission, Contacts permission, etc.
The below figure shows the execution flow of the malware in the initial stages.
We also observed that the malware hides its icon post-launch as shown in Figure 8.
The malware also checks whether the execution environment is an emulator or an actual Android device using the checks shown in Figure 9.
Cyble Research Labs bypassed these emulator checks during analysis by hooking the relevant calls with Frida scripts.
Accessibility Abuse
Hydra malware abuses the Accessibility feature to perform multiple malicious activities such as:
- Collecting user inputs and user interactions on the device screen.
- Enabling all permissions without user interaction.
- Preventing the user from modifying the malware’s capabilities from the Settings app.
- Performing TeamViewer functionality with the help of screencast APIs and Accessibility service.
- Stealing device lock screen PIN during user unlock.
- Injecting values into user input fields.
The code used for the above activities is shown below.
From our analysis, we observed that Hydra implements its TeamViewer functionality by abusing the Accessibility service.
The malware can act as a TeamViewer-style remote control app for the TA. The fake app casts the device screen using the Screencast APIs, and the TA’s remote interactions are replayed as on-screen actions with the help of the Accessibility service.
The code using Accessibility to perform TeamViewer activity is shown below.
Hydra collects and uploads all the collected information to the C&C server. The malware performs these activities based on the commands from the TA.
C&C Server
The malware initiates a TOR connection and accesses a TOR URL. This TOR URL acts as a proxy and returns the C&C URL encoded in Base64.
TOR URL: hxxp://db4z37rzfrhgaazp[.]onion/api/mirrors
The response from the TOR URL is shown below.
Decoded C&C URL: hxxps://hastztafc66[.]xyz
Upon accessing the C&C URL, the webpage opens a login panel as shown below.
New Features Found In Hydra (Undocumented Features)
In 2019, Hydra malware behaved as a normal Banking bot which created an overlay on targeted apps with the help of SYSTEM_ALERT_WINDOW permission.
In the latest version that we have analyzed, the TA behind this campaign has incorporated enhancements to the Hydra malware.
These enhancements are listed below:
- TeamViewer functionality (explained in Accessibility Abuse section).
- TOR communication and TOR Proxy Server for delivering the C&C URL.
- Enabling SOCKS Proxy to redirect device’s traffic for inspection.
- Disabling Play Protect – an inbuilt Android security feature.
The code used to enable SOCKS Proxy is shown below.
Cyble Research Labs has observed that the TA is spreading another malware variant through the same IP. Upon analysis, we observed that the malware is also posing as a CommerzBank mobile app, and we found that the fake app is a variant of HQwar malware.
Conclusion
Recently, we have observed an increase in Android Banking Trojans being distributed through various campaigns. We have covered several such campaigns in our Cyble Research Lab blogs. This new variant of Hydra malware is the latest among the trojans spreading through phishing campaigns.
We have also observed that the authors of Hydra are incorporating new techniques to steal information and money from victims. Recent trojans have also incorporated sophisticated features such as TeamViewer or VNC functionality and TOR for communication, which shows that TAs are enhancing their TTPs.
Based on this pattern that we have observed, malware authors are constantly adding new features to the banking trojans to evade detection by security software and to entice cybercriminals to buy the malware. To protect themselves from these threats, users should only install applications from the official Google Play Store.
Our Recommendations
We have listed some of the essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- If you find this malware on your device, uninstall it using adb uninstall or perform a factory reset.
- Use shared IoCs to monitor and block malware infection.
- Keep your anti-virus software updated to detect and remove malicious software.
- Keep your Operating System and applications updated to the latest versions.
- Use strong passwords and enable two-factor authentication.
- Download and install software only from registered app stores.
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| --- | --- | --- |
| Defense Evasion | T1406 | Obfuscated Files or Information |
| Defense Evasion | T1444 | Masquerade as Legitimate Application |
| Defense Evasion | T1523 | Evade Analysis Environment |
| Credential Access | T1412 | Capture SMS Messages |
| Credential Access | T1409 | Access Stored Application Data |
| Discovery | T1421 | System Network Connections Discovery |
| Discovery | T1418 | Application Discovery |
| Discovery | T1016 | System Network Configuration Discovery |
| Discovery | T1424 | Process Discovery |
| Collection | T1507 | Network Information Discovery |
| Collection | T1412 | Capture SMS Messages |
| Collection | T1432 | Access Contact List |
| Collection | T1513 | Screen Capture |
| Command and Control | T1571 | Non-Standard Port |
| Command and Control | T1573 | Encrypted Channel |
| Command and Control | T1090 | Proxy |
| Command and Control | T1090.003 | Multi-hop Proxy |
| Impact | T1447 | Delete Device Data |
| Impact | T1448 | Carrier Billing Fraud |
Indicators Of Compromise (IoCs):
| Indicators | Indicator type | Description |
| --- | --- | --- |
| 5e9f31ecca447ff0fa9ea0d1245c938dcd4191b6944f161e35a0d27aa41b102f | SHA256 | Hash of Hydra sample 1 |
| 55af70f1d700bb8f18c425c5cf57837d7b552d81e5ca33796d01c6a116b8f72f | SHA256 | Hash of Hydra sample 2 |
| 1999431a84f10eea1ea0fcae0413ee7346d8c6f70d59451d0d88eba8b7a1d1e4 | SHA256 | Hash of the HQwar sample |
| 91.214.124[.]225 | IP | IP where the phishing pages are hosted and used to spread the trojans |
| hxxp://db4z37rzfrhgaazp[.]onion/api/mirrors | URL | TOR proxy server URL |
| hxxps://hastztafc66[.]xyz | URL | C&C URL |
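The recommendations above ask readers to monitor and block using the shared IoCs, and the C&C Server section describes a Tor mirror that hands out the C&C URL Base64-encoded. The following script is an added example written for this article, not Cyble's code: it refangs the indicators exactly as published here, decodes a mirror response of the kind described, and matches the resulting hosts against log lines. The proxy and firewall log lines and the `MIRROR_RESPONSE` body are constructed samples (the body is simply the Base64 of the report's own C&C URL); the `.onion` indicator is kept in the list but will only ever appear in logs from hosts that record Tor traffic.

```python
"""Added example written for this article (not Cyble's code): refangs the
report's IoCs, decodes a Base64 mirror response like the one the Tor proxy
returns, and matches the resulting hosts against constructed log lines."""
import base64
import re
from urllib.parse import urlparse

# IoCs exactly as published in the report (defanged).
REPORT_IOCS = [
    "91.214.124[.]225",
    "hxxp://db4z37rzfrhgaazp[.]onion/api/mirrors",
    "hxxps://hastztafc66[.]xyz",
]

# Constructed: Base64 of the report's C&C URL, standing in for the /api/mirrors body.
MIRROR_RESPONSE = "aHR0cHM6Ly9oYXN0enRhZmM2Ni54eXo="

# Constructed log lines; line 4 is a near-miss that must not match.
SAMPLE_LOGS = [
    "proxy: client=10.0.0.5 method=GET url=https://hastztafc66.xyz/api/login status=200",
    "dns: client=10.0.0.5 query=update.example.org type=A",
    "fw: src=10.0.0.7 dst=91.214.124.225:443 action=allow",
    "proxy: client=10.0.0.9 url=https://nothastztafc66.xyz.example/ status=200",
]


def refang(ioc: str) -> str:
    """Undo the usual defanging: [.] -> . and a leading hxxp -> http."""
    return re.sub(r"^hxxp", "http", ioc.replace("[.]", "."), flags=re.IGNORECASE)


def indicator_host(ioc: str) -> str:
    """Reduce an IP, domain or URL indicator to the host used for matching."""
    value = refang(ioc)
    return (urlparse(value).hostname or "") if "://" in value else value


def ioc_hosts() -> list[str]:
    """Hosts derived from the published indicators."""
    return [indicator_host(i) for i in REPORT_IOCS]


def decode_mirror_response(body: str) -> str:
    """The Tor mirror returns the C&C URL Base64-encoded; decode it to plain text."""
    return base64.b64decode(body.strip()).decode("utf-8")


def match_logs(lines: list[str], hosts: list[str]) -> list[tuple[int, str]]:
    """(line_no, host) for every line containing an IoC host as a whole token.
    Subdomains of an IoC domain still match; 'nothastztafc66.xyz' does not,
    and neither does the host when it is a prefix of a longer domain."""
    hits = []
    for i, line in enumerate(lines, 1):
        for host in hosts:
            pattern = r"(?<![\w-])" + re.escape(host) + r"(?![\w-]|\.\w)"
            if re.search(pattern, line):
                hits.append((i, host))
    return hits


if __name__ == "__main__":
    hosts = ioc_hosts()
    c2 = decode_mirror_response(MIRROR_RESPONSE)
    print("decoded C&C:", c2, "| known IoC:", urlparse(c2).hostname in hosts)
    for line_no, host in match_logs(SAMPLE_LOGS, hosts):
        print(f"line {line_no}: {host}")
```

The token boundaries in `match_logs` matter in practice: a plain substring search would raise a false positive on the fourth sample line, while a boundary that forbids a leading dot would miss subdomains of the C&C domain. Decoding the mirror body and checking the decoded host against the same list is how a proxy analyst would confirm that a new mirror response still points at a known C&C without trusting the encoding.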