
Add Hydra malware family analysis report#892

Merged
haeter525 merged 4 commits into ev-flow:master from pulorsok:master
Mar 27, 2026

Conversation


@pulorsok pulorsok commented Mar 25, 2026

New Quark Rules For Hydra

New Quark rule (#263) is now available. This rule targets Hydra, a banking trojan family that intercepts SMS messages to capture OTPs, performs overlay attacks to steal banking credentials, communicates with C2 servers for remote control, and collects device fingerprints for tracking. Check here for the rule details.

With this rule, Quark is now able to identify the Hydra malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check here for the APKs we tested.

Below is a summary report of a Hydra sample (3154684c4192a1ae7a00f9f61d3024e2d25a85508c512094a771f878c3130848). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.

Summary report screenshot 1
Summary report screenshot 2
Summary report screenshot 3

Identified Well-Known Threats

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 6 well-known threats from Hydra, as shown below.

1. Intercept SMS messages to capture OTPs and banking codes

SMS interception behavior map

The behavior map shows that the Lcom/payu/custombrowser/PayUCBLifecycle$7;onReceive function reads SMS messages from PDU format, queries the phone number from the SMS sender, and retrieves data from the broadcast. This behavior is commonly used by banking trojans to intercept one-time passwords (OTPs) sent via SMS.

Behaviors detected by Quark:

  • Read SMS message from PDU
  • Query the phone number from SMS sender
  • Retrieve data from broadcast

2. Overlay attacks to deceive users into revealing sensitive information

Overlay attack behavior map

The behavior map shows that the Lcom/mopub/mobileads/BaseWebView;clearWebViewDeadlock function retrieves the application context and adds a view to the window manager. By adding a view through the WindowManager, the APK can display an overlay window on top of other applications, potentially mimicking a legitimate banking app to steal user credentials.

Behaviors detected by Quark:

  • Retrieve the application context and add a view to the window manager

3. Communicate with C2 servers for remote control

C2 communication behavior map

The behavior map shows that the Lcom/ufotosoft/ad/utils/CachedBitmapFactory;decodeBitmapHTTP function calls Lcom/ufotosoft/ad/utils/HttpUtil;decodeBitmapHttp, which connects to a remote server through a given URL and reads the input stream. This behavior is commonly used for C2 communication, allowing attackers to send commands and receive stolen data.

Behaviors detected by Quark:

  • Connect to the remote server through the given URL
  • Read the input stream from given URL
  • Connect to a URL and get the response code
  • Connect to a URL and receive input stream from the server
  • Connect to a URL and read data from it

4. Collect device fingerprints for tracking

Device fingerprinting behavior map

The behavior map shows two functions collecting device identifiers. The Lcom/douban/amonsul/device/DeviceInfo;initPhoneInfo function queries the IMEI number, IMSI number, and the network operator name. The Lcom/alipay/sdk/util/a;<init> function queries the IMEI number, IMSI number, and WiFi information including the MAC address. These identifiers can be used to uniquely identify and track infected devices.

Behaviors detected by Quark:

  • Query the IMEI number
  • Query the IMSI number
  • Get the network operator name and IMSI
  • Get the network operator name
  • Get the current WIFI information
  • Query WiFi information and WiFi Mac Address
  • Get the current WiFi MAC address

5. Detect foreground applications to trigger overlay attacks

Foreground detection behavior map

The behavior map shows a transitive call chain: Lcom/igexin/push/extension/distribution/basic/a/a;a and Lcom/igexin/push/extension/distribution/basic/a/a;b both call an intermediate function that uses reflection and dynamic class loading, which in turn calls Lcom/igexin/push/extension/distribution/basic/j/c;b to check the list of currently running applications. This is a prerequisite behavior for overlay attacks — when a targeted banking app is detected in the foreground, the malware triggers the overlay to display a phishing screen.

Behaviors detected by Quark:

  • Check the list of currently running applications
  • Instantiate new object using reflection, possibly used for dexClassLoader
  • Initialize class object dynamically
  • Start a background service
  • Send notification
  • Method reflection

6. Inject JavaScript into WebView for credential harvesting

WebView injection behavior map

The behavior map shows that the Lcom/payu/sdk/ProcessPaymentActivity;onCreate function allows a website to access internal methods and retrieves data from a broadcast. By injecting a JavaScript interface into a WebView, the malware can interact with web content displayed in the WebView, potentially modifying banking pages or extracting form data entered by users.

Behaviors detected by Quark:

  • Allow website to access internal methods
  • Retrieve data from broadcast

List of Tested APKs

The table below lists the APKs we tested.


Added new Quark rule for Hydra malware detection with detailed analysis and behavior maps.
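The staged check behind the SMS-interception evidence in the report can be modelled in a few lines. The following is an added example of mine, not Quark's own code and not part of this PR: it replays stages 1 to 4 of a Quark-style check (permission, single API call, API combination, API sequence) for the two SMS APIs on a constructed call trace shaped like the reported onReceive handler. The benign receiver, the trace contents and the 20%-per-stage confidence figure are assumptions.

```python
from typing import Dict, List, Tuple

Api = Tuple[str, str]  # (class descriptor, method name)

# Real Android framework APIs behind "Read SMS message from PDU" and
# "Query the phone number from SMS sender".
READ_PDU: Api = ("Landroid/telephony/SmsMessage;", "createFromPdu")
SENDER: Api = ("Landroid/telephony/SmsMessage;", "getOriginatingAddress")

# Constructed per-method call traces shaped like the report's onReceive
# handler; illustrative only, not extracted from the Hydra sample.
TRACES: Dict[str, List[Api]] = {
    "Lcom/payu/custombrowser/PayUCBLifecycle$7;onReceive": [
        ("Landroid/content/Intent;", "getExtras"),
        READ_PDU,
        SENDER,
        ("Landroid/telephony/SmsMessage;", "getMessageBody"),
    ],
    # Hypothetical receiver that parses a PDU but never reads the sender.
    "Lcom/example/Benign;onReceive": [
        ("Landroid/content/Intent;", "getExtras"),
        READ_PDU,
    ],
}

def stage_for_method(calls: List[Api], first: Api, second: Api,
                     permission_requested: bool) -> int:
    """Highest stage reached: 0 none, 1 permission only, 2 one API
    called, 3 both APIs in the same method, 4 both in rule order."""
    if not permission_requested:  # Quark stops when stage 1 fails
        return 0
    stage = 1
    if first in calls or second in calls:
        stage = 2
    if first in calls and second in calls:
        stage = 3
        if calls.index(first) < calls.index(second):
            stage = 4
    return stage

def scan(traces: Dict[str, List[Api]], first: Api, second: Api,
         permission_requested: bool = True) -> Dict[str, Tuple[int, int]]:
    """Methods reaching stage 2+, mapped to (stage, assumed 20%-per-stage confidence)."""
    result = {}
    for method, calls in traces.items():
        stage = stage_for_method(calls, first, second, permission_requested)
        if stage >= 2:
            result[method] = (stage, stage * 20)
    return result
```

Stage 5, Quark's check that both APIs handle the same register, needs real dataflow over the bytecode and is deliberately left out here.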

codecov bot commented Mar 25, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.31%. Comparing base (94c0d0e) to head (9cc2b9b).
⚠️ Report is 1 commits behind head on master.

@@           Coverage Diff           @@
##           master     #892   +/-   ##
=======================================
  Coverage   81.31%   81.31%           
=======================================
  Files          80       80           
  Lines        6946     6946           
=======================================
  Hits         5648     5648           
  Misses       1298     1298           
Flag Coverage Δ
unittests 81.31% <ø> (ø)


@haeter525 haeter525 left a comment


LGTM. Thanks @pulorsok.

@haeter525 haeter525 merged commit 9fb4362 into ev-flow:master Mar 27, 2026
18 checks passed