Hydra malware targets customers of Germany's second largest bank
Security News, October 2021
MalwareHunterTeam has spotted Hydra, a two-year-old Android banking trojan, in a new distribution campaign that targets German users with a malicious APK named 'Commerzbank Security', which reuses the icon of the official Commerzbank app.
Cyble's analysis found that the Hydra-laced app requests 21 permissions. The two most dangerous, BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN, are not ordinary runtime permissions at all: they are set on the app's Accessibility service and device-admin receiver respectively. Once the user enables the Accessibility service in Settings, the app can read what is on screen and inject taps and text into any other app; once device-admin rights are activated, the app can resist uninstallation until those rights are revoked.
Among the other permissions requested:

Permission                  Description
CHANGE_WIFI_STATE           Modify the device's Wi-Fi settings
READ_CONTACTS               Read the phone's contact list
READ_EXTERNAL_STORAGE       Read external storage
WRITE_EXTERNAL_STORAGE      Write to external storage
READ_PHONE_STATE            Read phone state and device information
CALL_PHONE                  Place calls without going through the dialer UI
READ_SMS                    Read SMS messages stored on the device
REQUEST_INSTALL_PACKAGES    Request installation of additional packages (the user normally confirms the install prompt, unless the Accessibility service is abused to click it)
SEND_SMS                    Send SMS messages
SYSTEM_ALERT_WINDOW         Draw system alert windows over other apps
Together these permissions let the app read and send SMS messages, draw over other apps, change device and Wi-Fi settings, place calls, read and write external storage, install additional apps, and more.
Only the first steps need the victim's cooperation: sideloading the APK and enabling the fake app's Accessibility service when prompted. From then on none of these activities requires further interaction, because the malware can click through subsequent permission dialogs itself via that service, so once it is enabled it is already too late.
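The permission combination above is a useful triage signal in its own right. The script below is an added example, not Cyble's or MalwareHunterTeam's tooling: it parses a decoded AndroidManifest.xml (the manifest inside an APK is binary XML, so run `apktool d app.apk` or use androguard first) and flags the banker-style combination of an Accessibility service, a device-admin receiver, SMS read/send, overlays and package installation. The weights and threshold are this example's own heuristic, and both manifests are constructed samples, not the real 'Commerzbank Security' APK.

```python
"""Triage a decoded AndroidManifest.xml for a banking-trojan permission set.

Added example (not from the original report). The weights, the threshold and
the two sample manifests are this example's own constructions.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
A_NAME = f"{{{ANDROID_NS}}}name"
A_PERMISSION = f"{{{ANDROID_NS}}}permission"

# Heuristic weights for permissions that bankers combine (example's own values).
RISK_WEIGHTS = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE": 5,
    "android.permission.BIND_DEVICE_ADMIN": 4,
    "android.permission.SYSTEM_ALERT_WINDOW": 3,
    "android.permission.READ_SMS": 3,
    "android.permission.SEND_SMS": 3,
    "android.permission.REQUEST_INSTALL_PACKAGES": 3,
    "android.permission.READ_CONTACTS": 1,
    "android.permission.CALL_PHONE": 1,
    "android.permission.READ_PHONE_STATE": 1,
    "android.permission.CHANGE_WIFI_STATE": 1,
    "android.permission.READ_EXTERNAL_STORAGE": 1,
    "android.permission.WRITE_EXTERNAL_STORAGE": 1,
}
RISK_THRESHOLD = 10  # example's own cut-off


def extract_permissions(manifest_xml):
    """Return every permission the manifest requests or declares on a component."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for up in root.iter("uses-permission"):
        name = up.get(A_NAME)
        if name:
            perms.add(name)
    # BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN never appear in
    # <uses-permission>; they are set as android:permission on a <service> or
    # <receiver> so only the system can bind to it. Tools that only read
    # <uses-permission> miss them.
    for comp in root.iter():
        if comp.tag in ("service", "receiver"):
            p = comp.get(A_PERMISSION)
            if p:
                perms.add(p)
    return perms


def score(perms):
    """Sum the weights of the risky permissions present."""
    hits = {p: w for p, w in RISK_WEIGHTS.items() if p in perms}
    return sum(hits.values()), hits


def triage(manifest_xml):
    perms = extract_permissions(manifest_xml)
    total, hits = score(perms)
    return {"permissions": perms, "score": total, "hits": hits,
            "suspicious": total >= RISK_THRESHOLD}


# Constructed sample modelled on the permission set described in the report.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakebank">
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <uses-permission android:name="android.permission.REQUEST_INSTALL_PACKAGES"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application>
    <service android:name=".AccService"
             android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter>
        <action android:name="android.accessibilityservice.AccessibilityService"/>
      </intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
              android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter>
        <action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed benign sample: an ordinary networked app.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for label, m in (("fakebank", SUSPICIOUS_MANIFEST), ("weather", BENIGN_MANIFEST)):
        r = triage(m)
        print(label, r["score"], "SUSPICIOUS" if r["suspicious"] else "ok", sorted(r["hits"]))
```

The point of the component scan is the one the report's permission list hides: the two most dangerous entries are bound to a service and a receiver, not requested with `<uses-permission>`, so a triage script that only reads the latter would score this manifest far lower than it deserves.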
The fake Commerzbank app sends bulk SMS to the victim's contact list, draws overlays on top of other apps, streams the device's screen back to the operator, hides its launcher icon, and steals one-time passcodes (OTPs) as well as the screen-lock PIN. A notable new feature is the incorporation of TeamViewer for remote control, set up by abusing the Accessibility service, which had not been documented in earlier Hydra variants.