189 changes: 182 additions & 7 deletions docs/source/malware_report.rst
Expand Up @@ -16,7 +16,7 @@ Below is a summary report of a DroidKungFu sample (``D277C97B1A8A78F859672B4A20E
Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's :ref:`rule classification <rule-classification>` feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from DroidKungFu, as shown below.
With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from DroidKungFu, as shown below.

**1. Gain unlimited access to a device**

Expand Down Expand Up @@ -656,7 +656,7 @@ Below is a summary report of a GoldDream sample (``ECA3A3666B0FD72028431431E7FAE
Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's :ref:`rule classification <rule-classification>` feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 2 well-known threats from GoldDream, as shown below.
With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 2 well-known threats from GoldDream, as shown below.

**1. Monitor SMS messages and phone calls**

Expand Down Expand Up @@ -756,7 +756,7 @@ Below is a summary report of a SpyNote sample (\ ``0713a683567125ea6fdff233cfa85
Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification <https://quark-engine.readthedocs.io/en/latest/quark_reports.html#rule-classification>`_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from SpyNote, as shown below.
With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from SpyNote, as shown below.

**1. Take screenshots**

Expand Down Expand Up @@ -871,7 +871,7 @@ Below is a summary report of a DawDropper sample (\ ``a1298cc00605c79679f72b22d5
Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification <https://quark-engine.readthedocs.io/en/latest/quark_reports.html#rule-classification>`_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify two well-known threats from DawDropper, as shown below.
With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify two well-known threats from DawDropper, as shown below.

**1. Download APKs from remote servers**

Expand Down Expand Up @@ -956,7 +956,7 @@ Below is a summary report of a SLocker sample (\ ``570e2811e8c87f714eb3485c271ec
Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification <https://quark-engine.readthedocs.io/en/latest/quark_reports.html#rule-classification>`_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 1 well-known threat from SLocker, as shown below.
With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 1 well-known threat from SLocker, as shown below.

**1. Lock the device with an overlay screen**

Expand Down Expand Up @@ -1027,7 +1027,7 @@ Below is a summary report of a PhantomCard sample (\ ``5769ae3cc93943dda4d1743f2
Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification <https://quark-engine.readthedocs.io/en/latest/quark_reports.html#rule-classification>`_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from PhantomCard, as shown below.
With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 3 well-known threats from PhantomCard, as shown below.

**1. Communicate with C2 servers**

Expand Down Expand Up @@ -1128,7 +1128,7 @@ Below is a summary report of a ToxicPanda sample (\ ``12d94320a25c1496ae3c7d326e
Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's `rule classification <https://quark-engine.readthedocs.io/en/latest/quark_reports.html#rule-classification>`_ feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from ToxicPanda, as shown below.
With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 4 well-known threats from ToxicPanda, as shown below.

**1. Steal financial data via deceptive overlays**

Expand Down Expand Up @@ -1224,3 +1224,178 @@ The table below lists the APKs we tested.
- d40e45359546cb801887a38d4adb397327ce4bf0a166192f5f72165471fff10d
* - 7
- fde931224d2e558e67ac8c9c0c1d0aac4f7562622a67870d6c3024bdeb851676


New Quark Rules For Hydra
=========================

New Quark rule (#00263) is now available. This rule targets `Hydra <https://www.threatfabric.com/blogs/the-rage-of-android-banking-trojans>`_, a banking trojan family that intercepts SMS messages to capture OTPs, performs overlay attacks to steal banking credentials, communicates with C2 servers for remote control, and collects device fingerprints for tracking. Check `here <https://github.com/ev-flow/quark-rules>`_ for the rule details.

With this rule, Quark is now able to identify the Hydra malware family as high-risk. In our experiment, Quark achieved 100% accuracy and 100% precision. Please check :ref:`here <list-of-tested-apks-hydra>` for the APKs we tested.

Below is a summary report of a Hydra sample (``3154684c4192a1ae7a00f9f61d3024e2d25a85508c512094a771f878c3130848``). The report shows that Quark identified the sample as high-risk, with a list of behaviors as evidence.

.. image:: https://i.postimg.cc/nL9G8Ypg/jie-tu-2026-03-25-xia-wu6-05-19.png
:alt: Summary report screenshot 1

.. image:: https://i.postimg.cc/sxSdQ6ZC/jie-tu-2026-03-25-xia-wu6-05-25.png
:alt: Summary report screenshot 2

.. image:: https://i.postimg.cc/4xwC9hyF/jie-tu-2026-03-25-xia-wu6-05-41.png
:alt: Summary report screenshot 3

Identified Well-Known Threats
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

With Quark's rule classification feature, analysts can generate behavior maps and see how behaviors are related. This feature helps identify 6 well-known threats from Hydra, as shown below.

**1. Intercept SMS messages to capture OTPs and banking codes**


.. image:: https://i.postimg.cc/TYnyX5XK/jie-tu-2026-03-26-shang-wu11-44-46.png
:alt: SMS interception behavior map


The behavior map shows that the ``Lcom/payu/custombrowser/PayUCBLifecycle$7;onReceive`` function reads SMS messages from PDU format, queries the phone number from the SMS sender, and retrieves data from the broadcast. This behavior is commonly used by banking trojans to intercept one-time passwords (OTPs) sent via SMS.

Behaviors detected by Quark:


* Read SMS message from PDU
* Query the phone number from SMS sender
* Retrieve data from broadcast

**2. Overlay attacks to deceive users into revealing sensitive information**


.. image:: https://i.postimg.cc/vm03MHVr/jie-tu-2026-03-26-zhong-wu12-00-49.png
:alt: Overlay attack behavior map


The behavior map shows that the ``Lcom/mopub/mobileads/BaseWebView;clearWebViewDeadlock`` function retrieves the application context and adds a view to the window manager. By adding a view through the WindowManager, the APK can display an overlay window on top of other applications, potentially mimicking a legitimate banking app to steal user credentials.

Behaviors detected by Quark:


* Retrieve the application context and add a view to the window manager

**3. Communicate with C2 servers for remote control**


.. image:: https://i.postimg.cc/rFTWn2dt/jie-tu-2026-03-26-zhong-wu12-03-55.png
:alt: C2 communication behavior map


The behavior map shows that the ``Lcom/ufotosoft/ad/utils/CachedBitmapFactory;decodeBitmapHTTP`` function calls ``Lcom/ufotosoft/ad/utils/HttpUtil;decodeBitmapHttp``, which connects to a remote server through a given URL and reads the input stream. This behavior is commonly used for C2 communication, allowing attackers to send commands and receive stolen data.

Behaviors detected by Quark:


* Connect to the remote server through the given URL
* Read the input stream from given URL
* Connect to a URL and get the response code
* Connect to a URL and receive input stream from the server
* Connect to a URL and read data from it

**4. Collect device fingerprints for tracking**


.. image:: https://i.postimg.cc/CM9YSwC5/jie-tu-2026-03-26-zhong-wu12-12-39.png
:alt: Device fingerprinting behavior map


The behavior map shows two functions collecting device identifiers. The ``Lcom/douban/amonsul/device/DeviceInfo;initPhoneInfo`` function queries the IMEI number, IMSI number, and the network operator name. The ``Lcom/alipay/sdk/util/a;<init>`` function queries the IMEI number, IMSI number, and WiFi information including the MAC address. These identifiers can be used to uniquely identify and track infected devices.

Behaviors detected by Quark:


* Query the IMEI number
* Query the IMSI number
* Get the network operator name and IMSI
* Get the network operator name
* Get the current WIFI information
* Query WiFi information and WiFi Mac Address
* Get the current WiFi MAC address

**5. Detect foreground applications to trigger overlay attacks**


.. image:: https://i.postimg.cc/15xxbJPf/jie-tu-2026-03-26-zhong-wu12-13-56.png
:alt: Foreground detection behavior map


The behavior map shows a transitive call chain: ``Lcom/igexin/push/extension/distribution/basic/a/a;a`` and ``Lcom/igexin/push/extension/distribution/basic/a/a;b`` both call a intermediate function that uses reflection and dynamic class loading, which in turn calls ``Lcom/igexin/push/extension/distribution/basic/j/c;b`` to check the list of currently running applications. This is a prerequisite behavior for overlay attacks — when a targeted banking app is detected in the foreground, the malware triggers the overlay to display a phishing screen.

Behaviors detected by Quark:


* Check the list of currently running applications
* Instantiate new object using reflection, possibly used for dexClassLoader
* Initialize class object dynamically
* Start a background service
* Send notification
* Method reflection

**6. Inject JavaScript into WebView for credential harvesting**


.. image:: https://i.postimg.cc/sxdnHHW0/jie-tu-2026-03-26-zhong-wu12-18-11.png
:alt: WebView injection behavior map


The behavior map shows that the ``Lcom/payu/sdk/ProcessPaymentActivity;onCreate`` function allows a website to access internal methods and retrieves data from a broadcast. By injecting a JavaScript interface into a WebView, the malware can interact with web content displayed in the WebView, potentially modifying banking pages or extracting form data entered by users.

Behaviors detected by Quark:


* Allow website to access internal methods
* Retrieve data from broadcast

.. _list-of-tested-apks-hydra:

List of Tested APKs
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The table below lists the APKs we tested.

.. list-table::
:header-rows: 1

* - index
- sha256
* - 1
- 2d0b157e27359bc36c31e3c3ef891964bc98b2cb66c4f95c2ffc4af7d3477e30
* - 2
- 3154684c4192a1ae7a00f9f61d3024e2d25a85508c512094a771f878c3130848
* - 3
- 49bca7195e05926210f7dffe4289f6b30372db9de7af72bc6a4802cb477e5729
* - 4
- 5c128cfee50059349b9b155c417e3950aaf292f4a9098e1b6748524e5fdfa6de
* - 5
- 6005f5569a6240c36f07de53438df1615ea6f000000fa5452d5a8870afe6336b
* - 6
- 74f3a191e941c68bbc7bf87515a12ae547e79eba4d9ffd5c2799a9c44b77dc2d
* - 7
- 91126eea4f088df8a38667eff9f0fd8b6d49a58b919e8cfd242612a44d702b40
* - 8
- a2c91743a0834cd1fb63c6965c581e1f5a57f1d2fcb226985423894ac814c93a
* - 9
- c08903e2be8737c3fbea2293c6a1a5242afe58e6e90a3da45724a1dae7c88a25
* - 10
- c2ef244e7a1980880aeb212672705e877851b9cc054e023015dd748c8e69ab38
* - 11
- d5a63c4ace387cff8d641ad9aeedf9e406684b0f3bdcfc79e97de80eef177bee
* - 12
- e51f32dbe18d52eafe2ac65f77f84450fd279fecd0278b0df95ce654017dddd2
* - 13
- e80cb43578f6a8b2ded95c8a2e86076f3661d60e2f18ebd1f094308e1d593c87
* - 14
- ea6058517e957895fbd3c26cac63013df3442ceea289123c7afd4bd0b24bea82
* - 15
- f6da0d9f1d74f2f80cd4d69183a78ccc1b3679689419262c9704787cea754726
* - 16
- faaf963fd84d0e7c86f8750115f5291f0692d0aca0f97e151cf4cc870a65d88e
* - 17
- fb34414b386d0d12c24d11bce56f087730afc3fbab1ee397182f5dd64183b53b
* - 18
- fe9cfc5046c583a7b28fa506cd33e636d27310b14240247625c693444a27336f
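Review bot: every function cited as evidence for the six threats sits in what look like bundled third-party SDK namespaces (`Lcom/payu/...`, `Lcom/mopub/...`, `Lcom/ufotosoft/...`, `Lcom/douban/...`, `Lcom/alipay/...`, `Lcom/igexin/...`) rather than in packages belonging to the sample itself, so the report should state whether the 100% accuracy and 100% precision figures were measured against benign apps that embed the same SDKs; otherwise the rule risks matching SDK code such as `PayUCBLifecycle$7;onReceive` wherever that SDK is shipped, and the 18 tested hashes alone do not show that. Smaller points: the rule-details link goes to `https://github.com/ev-flow/quark-rules`, which should be checked against the intended upstream rules repository; the heading says "New Quark Rules" but only one rule (#00263) is introduced; "call a intermediate function" should read "an intermediate function"; threat 5 lists "Start a background service" and "Send notification" as detected behaviors that the prose above the list never explains; the new section leaves two blank lines after each `**N. ...**` heading, each `.. image::` directive and each "Behaviors detected by Quark:" line where one is enough; and the "List of Tested APKs" underline is longer than its title, which RST accepts but is worth trimming to match the other subsection headings.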