Hydra, the two-year-old banking trojan, is active again and targeting European banks.

What's new?

The new variant of Hydra was reported by MalwareHunterTeam. 
  • Experts revealed that hackers are targeting users of top European banks, specifically the CommerzBank of Germany. 
  • The Android malware is spreading through a page posing as the official CommerzBank page and hosting a malicious app for the bank.
  • Attackers use TeamViewer, VNC functionality, and TOR for communication in this strain, implying that they are improving their TTPs.

Inspecting the new variant

  • The malware uses different encryption methods to avoid detection, along with the use of Tor for communication. 
  • It disables the Android security feature Play Protect.
  • Further, attackers are taking advantage of Accessibility Services to monitor all activities of the device’s screen. For example, they can intercept credentials logins by users.

Accessibility Services, in fact, are used by various threat actors to gain access to target devices. But what type of services is Hydra leveraging?

Diving into Hydra’s techniques

Researchers stated that the malware requests for two Accessibility Service-related permissions — BIND_ACCESSIBILITY_PERMISSION and BIND_DEVICE_ADMIN.
  • The BIND_ACCESSIBILITY_SERVICE permission allows the app to access the Accessibility Service.
  • The BIND_DEVICE_ADMIN permission allows fake apps to get admin privileges on the compromised device. It can abuse the permission to lock the device and modify/reset screen lock PIN, among others.


Hydra’s recent activities come with few advanced features that make it more lethal. Currently, it is targeting entities in Germany, however, this could easily change in the near future. Therefore, users are recommended to stay cautious and avoid downloading apps from third parties or beware of suspicious texts and emails.

Cyware Publisher