New variant of the banking Trojan Hydra targets European (Commerzbank) users

Sicherheit (Pexels, allgemeine Nutzung)[German]At the end of September 2021, security provider Cyble published an alert. Its security team have discovered a new variant of the Hydra banking Trojan that is specifically targeting European users. Commerzbank customers seem to be one of these targets, as they are being phished with a Trojan disguised as a Commerzbank app for Android.


Especially in times of the COVID 19 pandemic, people are forced to make increased use of online services. Banking transactions can easily be conducted online. However, cybercriminals also know this and see it as an opportunity to target users. Recently, security researchers have noticed an increase in Android banking Trojans that are distributed via various campaigns.

The Hydra banking Trojan

Recently, Cyble security researchers have come across several scenarios where cyber fraudsters are targeting bank customers. The tweet below from the malware hunter team caught the researchers' attention.

Trojaner Hydra für Commerzbank

There, an alleged Commerzbank app is offered for download on an ominous domain – although there are other similar-sounding domains with the scheme The whole thing was accompanied by a phishing campaign targeting Commerzbank and linking to the Trojan's download pages. Commerzbank Aktiengesellschaft, headquartered in Frankfurt am Main, does indeed have a larger customer base.

In the above tweet, the Malware Hunter team researcher mentioned that the Android malware spreads via a page that claims to be an official Commerzbank site. It is also highlighted that the threat actor(s) (TA) has registered multiple domains on the same IP and the fake website spreads malicious apps posing as CommerzBank app.


Security researchers Cyble have collected and thoroughly analyzed samples of the Android APK apps from this phishing campaign. Based on this analysis, it can be determined that the malware spread as an Android app is a variant of Hydra. This is an Android banking bot that was first detected in early 2019.

The latest analysis also revealed that Hydra has evolved beyond the standard behavior of banking Trojans, such as creating an overlay to steal credentials. The Trojan now includes TeamViewer features, similar to the S.O.V.A. malware. In addition, the Trojan uses various encryption techniques to evade detection and relies on the Tor network to obfuscate communications.

The Cyble research team also found that the attackers also distributed variants of the HQwar banking Trojan posing as Commerzbank mobile apps. When launching the fake app, the Hydra malware first prompts the user to activate the access permission. Once this permission is enabled, the malware activates other permissions such as device management permission, contact permission, etc. It has also been observed that the malware hides the app's icon on the Android home screen after launch.

The malware also checks whether the execution environment is an emulator or a real Android device by performing various checks. On Android devices, the Hydra malware abuses the accessibility features to perform several malicious activities:

  • Collect user input and user interaction on the device screen
  • Enabling all permissions without user interaction
  • Restricting the user's ability to change the malware's functions via the Android Settings app
  • Running TeamViewer functions using screencast APIs and Accessibility Service
  • Stealing the PIN for the device's lock screen when the user unlocks it
  • Injecting values into user input fields

During the analysis, the security researchers also found that Hydra uses TeamViewer functionality by abusing the Accessibility Service. Then, the attacker can view the Android device's screen and track all activities. Details can be read in the Cyble blog post.

The recommendation for people who do online banking: Don't use any touted banking apps for smartphones, that is a security nightmare. Be careful not to fall for phishing emails and download and install anything linked to them on your devices.

Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Software and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *