{
	"id": "ac7d5f71-3f41-44d5-b249-c3ad2bffcc90",
	"created_at": "2026-04-06T00:13:59.545673Z",
	"updated_at": "2026-04-10T13:12:54.346187Z",
	"deleted_at": null,
	"sha1_hash": "78b61d1424d8c1c018b6e980e449399c969a55d4",
	"title": "Cyble - Fake Document Manager App Downloading Hydra Banking Trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1307202,
	"plain_text": "Cyble - Fake Document Manager App Downloading Hydra Banking Trojan\r\nPublished: 2022-06-13 · Archived: 2026-04-05 20:10:46 UTC\r\nCyble analyzes a resurfaced version of Hydra malware distributed via a fake Document Manager app on the Play Store.\r\nDuring our routine threat hunting exercise, Cyble Research Labs came across a Twitter post in which a researcher mentioned an Android malware variant published on the Play Store. The variant in question acts as a Hostile Downloader and downloads the Hydra Banking Trojan.\r\nThe downloaded app has the same functionality as recently encountered Hydra variants targeting Colombia. The Hydra Android Banking Trojan was discovered in early 2019; since then, it has frequently changed its distribution campaign.\r\nThe malware currently pretends to be a Document Manager app and has gained over 10,000 downloads in a short period. According to the Play Store statistics, the app was updated on May 30, 2022, and released on June 3, 2022.\r\nhttps://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/\r\nPage 1 of 8\n\nFigure 1 – Hostile Downloader app published on Play Store\r\nTechnical Analysis\r\nAPK Metadata Information\r\nApp Name: Document Manager\r\nPackage Name: com.anatolijserba.docscanner\r\nSHA256 Hash: 70b9e0094ccb6a3e47bcb6fe66946dea4c233b5a6e9d7c5de29bfd852666a235\r\nFigure 2 shows the metadata information of the application.\r\nFigure 2 – App Metadata Information\r\nManifest Description\r\nThe malicious application declares six permissions, of which the Threat Actor (TA) exploits one. 
The harmful permission requested by the malware is:\r\nPermission | Description\r\nREQUEST_INSTALL_PACKAGES | Allows an application to request installing packages\r\nSource Code Review\r\nUpon installation, the malware shows a fake update dialog box that tricks the user into granting permission to download Hydra malware from an unknown source.\r\nThe figure below shows the execution flow of the malware after installation, where the following events occur:\r\nThe application is installed\r\nThe victim is prompted with a fake update dialog box\r\nThe application requests permission to download further applications from unknown sources\r\nThe malicious application is downloaded\r\nThe application prompts the victim for Accessibility Services access\r\nFigure 3 – Malware execution flow\r\nThe image below shows the malware communicating with the TA’s Command \u0026 Control (C\u0026C) server “hxxps://trackerpdfconnect[.]com/get_random_file”. After this, the Hostile Downloader downloads the APK file named “doc_hy_0806_obf_3.apk”, which is a variant of Hydra malware.\r\nFigure 4 – Downloading the malicious APK file\r\nThe TA’s C\u0026C admin panel also has a list of Hydra variant APK files, which are downloaded by the Hostile Downloader app during runtime. 
Our dynamic analysis indicates that the Hostile Downloader application chooses these hosted APK files seemingly at random.\r\nFigure 5 – Hydra malware present on the admin panel\r\nThe downloaded APK file “doc_hy_0806_obf_3.apk” is custom packed and drops a dex file “rfrNI.json” during execution.\r\nThe downloaded malware then performs standard Hydra Banking Trojan activities such as:\r\nCollecting contact and SMS details\r\nStealing cookies\r\nInjecting crypto applications\r\nStealing OTPs, device lock PINs, etc.\r\nAbusing the Accessibility Service to prevent uninstallation\r\nInitiating a TOR connection\r\nThe code below is used to create a TOR connection over which the malware receives the C\u0026C URL.\r\nFigure 6 – TOR Communication\r\nCyble Research Labs has analyzed the Hydra Android Banking Trojan in the past, where we observed it targeting European banking users. The malware hosted on the Play Store distributes the same Hydra variant, which can affect any Android user.\r\nOver the course of our research, we were able to gain access to the Threat Actor’s C\u0026C panel, which gave us several insights, such as metrics about the downloads and installation of the malicious applications.\r\nWe observed that the TA also collects the device ID, name, installation date, and status and stores them in the C\u0026C panel, as shown below.\r\nFigure 7 – C\u0026C Admin Panel\r\nConclusion\r\nRecently, we have observed increased Hydra malware activity. In April, the campaign started to target Colombia by distributing the malware through various phishing sites. 
Interestingly, the TA has now opted for the Play Store as a medium for distribution.\r\nTo avoid being detected, the TA has published the Hostile Downloader app, which downloads the malware only after installation. This is one of the ways the TA can bypass the Play Store's automated or Machine Learning-based review and publish the malware, as the downloader requires minimal permissions.\r\nThe TA has seemingly used this technique successfully, as the malware gained over 10,000 downloads and affected several users.\r\nOur Recommendations\r\nWe have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:\r\nHow to prevent malware infection?\r\nDownload and install software only from official app stores like the Play Store or the iOS App Store.\r\nUse a reputed anti-virus and internet security software package on your connected devices, such as PCs, laptops, and mobile devices.\r\nUse strong passwords and enforce multi-factor authentication wherever possible.\r\nEnable biometric security features such as fingerprint or facial recognition for unlocking the mobile device where possible.\r\nBe wary of opening any links received via SMS or emails delivered to your phone.\r\nEnsure that Google Play Protect is enabled on Android devices.\r\nBe careful while enabling any permissions.\r\nKeep your devices, operating systems, and applications updated.\r\nHow to identify whether you are infected?\r\nRegularly check the Mobile/Wi-Fi data usage of applications installed on mobile devices.\r\nKeep an eye on the alerts provided by anti-virus software and the Android OS and take the necessary actions accordingly.\r\nWhat to do when you are infected? 
\r\nDisable Wi-Fi/Mobile data and remove the SIM card, as in some cases the malware can re-enable Mobile Data.\r\nPerform a factory reset.\r\nRemove the application in case a factory reset is not possible.\r\nTake a backup of personal media files (excluding mobile applications) and perform a device reset.\r\nWhat to do in case of any fraudulent transaction?\r\nIn case of a fraudulent transaction, immediately report it to the concerned bank.\r\nWhat should banks do to protect their customers?\r\nBanks and other financial entities should educate customers on safeguarding themselves from malware attacks via telephone, SMS, or emails.\r\nMITRE ATT\u0026CK® Techniques\r\nTactic | Technique ID | Technique Name\r\nInitial Access | T1415 | Deliver Malicious App via Authorised App Store\r\nInitial Access | T1444 | Masquerade as Legitimate Application\r\nDefense Evasion | T1406 | Obfuscated Files or Information\r\nCredential Access | T1412 | Capture SMS Messages\r\nDiscovery | T1421 | System Network Connections Discovery\r\nCommand and Control | T1571 | Non-Standard Port\r\nCommand and Control | T1573 | Encrypted Channel\r\nImpact | T1447 | Deleting Device Data\r\nCredential Access | T1409 | Access Stored Application Data\r\nIndicators of Compromise (IOCs)\r\nIndicators | Indicator Type | Description\r\n70b9e0094ccb6a3e47bcb6fe66946dea4c233b5a6e9d7c5de29bfd852666a235 | SHA256 | Hash of the Hostile Downloader APK file\r\n3a1bcdb56fa736d25221e5a9ded91172ff96e0e5 | SHA1 | Hash of the Hostile Downloader APK file\r\ndc4a4995535d628102ef4f286b867e49 | MD5 | Hash of the Hostile Downloader APK file\r\nhxxps://trackerpdfconnect[.]com | URL | Hydra Download URL\r\nc7300e6de3d9c6f1ad622a1e884f00d43340c381fb87c87514ef3ca2156fdf5b | SHA256 | Hash of the Hydra malware\r\n4155c71ee1e03cefe5b67bc89c2235266327baa4 | SHA1 | Hash of the Hydra malware\r\n116fea8c63bce4908ec1307e20ed96ba | MD5 | Hash of the Hydra malware\r\nhxxp://newdb5ge5dz5schqawxsxuomspxsyb5xqk65v4j2fdeynds4vsgstrad[.]onion/api/mirrors | URL | TOR proxy server\r\nhxxp://servservfreeupdate[.]top | URL | C\u0026C server\r\nhxxp://wayneconnectingservice[.]hk | URL | C\u0026C server\r\nhxxp://allupdatesecuretynow[.]com | URL | C\u0026C server\r\nSource: https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cyble.com/2022/06/13/hydra-android-malware-distributed-via-play-store/"
	],
	"report_names": [
		"hydra-android-malware-distributed-via-play-store"
	],
	"threat_actors": [
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434439,
	"ts_updated_at": 1775826774,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/78b61d1424d8c1c018b6e980e449399c969a55d4.pdf",
		"text": "https://archive.orkl.eu/78b61d1424d8c1c018b6e980e449399c969a55d4.txt",
		"img": "https://archive.orkl.eu/78b61d1424d8c1c018b6e980e449399c969a55d4.jpg"
	}
}