Hydra

Hydra is one of the longest-running Android banking trojan operations, active since 2019 and still operational through an affiliate-based malware-as-a-service (MaaS) model. Originally tracked as BianLian (unrelated to the BianLian ransomware group), Hydra combines overlay injection, full Accessibility Service abuse, screen streaming with remote interaction, and on-device fraud capabilities. Its operators rent infrastructure to multiple threat actor groups, making it one of the most broadly deployed mobile banking threats in terms of active affiliates. ThreatFabric reported it as the most prolific Android banking trojan of 2022.

Overview

Property | Value
First Seen | Early 2019 (dropper component active since 2018 as BianLian)
Last Seen / Status | Active, MaaS operation ongoing
Type | Banking trojan, RAT, on-device fraud
Attribution | Russian-speaking operators; rented to affiliates via underground forums
Aliases | BianLian (ThreatFabric's original name), Android/BianLian

Origin and Lineage

ThreatFabric coined the name BianLian, referencing the Chinese theatrical art of rapidly swapping face masks, to describe a dropper family that first appeared in 2018. The dropper masqueraded as utility apps (currency calculators, device cleaners, discount apps) and initially served as a delivery mechanism for other banking trojans, including Anubis.

The operators then developed their own banking trojan payload, building on experience gained from distributing other families. This payload became known as Hydra. The relationship between BianLian (the dropper) and Hydra (the banking payload) is tightly coupled: BianLian droppers deliver Hydra payloads, and the same operator group manages both components.

Hydra shares some design patterns with the broader BankBot/Anubis lineage. Malpedia notes that BianLian/Hydra shares roots with Anubis and BankBot, though the codebase has diverged substantially through years of independent development.

Distribution

Hydra distribution relies on a multi-layered dropper pipeline:

Google Play droppers: BianLian droppers have repeatedly reached Google Play, disguised as functional apps with legitimate ratings. ThreatFabric documented how the operators maintained a steady upload cadence, replacing removed apps with new variants. The apps delivered working functionality to maintain user trust and store ratings.

Fake app stores and phishing: Cyble identified campaigns distributing Hydra through fake document manager apps. Other campaigns impersonate Google Chrome or Google Play Store to trick users into side-loading the payload.

Affiliate-driven distribution: As a MaaS operation, Hydra's distribution varies by affiliate. Each renter configures their own target list, overlay set, and distribution method. Bridewell identified affiliates purchasing webinjects from the "InTheBox" marketplace on dark web forums, then deploying them through rented Hydra infrastructure.

Capabilities

Core Feature Set

Capability | Implementation
Overlay injection | Fetches target list and injection ZIP from C2; displays phishing WebView over targeted banking/crypto apps
Accessibility keylogging | Monitors all AccessibilityEvent types, capturing TextField changes and button clicks
Screen streaming | Uses Screencast APIs to stream device display to C2 in real time
Remote interaction | Receives commands from C2 translated to Accessibility actions (clicks, text input, gestures)
On-device fraud | Combines screen streaming and remote interaction for full device takeover without leaving the victim's device/IP
PIN theft | Captures lock screen PIN during user unlock via Accessibility monitoring
SMS interception | Reads, intercepts, and hides incoming SMS for OTP theft
Session cookie theft | Extracts browser session cookies to hijack authenticated sessions
SOCKS5 proxy | Routes traffic through infected device, allowing operators to appear as the victim's IP
Google Play Protect disable | Uses Accessibility to navigate settings and turn off Play Protect
Notification suppression | Hides notifications from banking apps to prevent victim awareness during fraud

Version Evolution

Period | Key Additions
2018 | BianLian dropper: functional app facade, Accessibility-based silent install, delivery of third-party payloads
2019 | Hydra payload: overlay injection, SMS interception, basic remote access
2020-2021 | Screen streaming via Screencast APIs, TeamViewer-like remote control, SOCKS5 proxy
2022 | Session cookie theft, expanded on-device fraud, TOR-based C2 resolution, DGA domains
2023+ | Continued affiliate expansion, updated webinject marketplace integration

Technical Details

C2 Communication

Hydra uses a layered C2 resolution approach that has evolved over time:

TOR-based resolution: Recent variants include a hardcoded .onion URL pointing to /api/mirrors. The malware downloads TOR native libraries, connects to the TOR network, and retrieves a Base64-encoded JSON object containing the active C2 server list. Cyble's analysis confirmed this TOR communication pattern.

GitHub fallback: Some variants use a GitHub repository containing a Base64-encoded JSON object with C2 server addresses as an alternative to TOR resolution.

DGA domains: Bridewell identified multiple DGA-generated domains used for fast-flux C2 infrastructure, providing redundancy and complicating takedowns. Their research identified 28 active C2 servers across a single campaign.

Infrastructure location: NCC Group's research found that a significant number of C2 servers are hosted in the Netherlands, departing from the typical Russian/Chinese hosting patterns common in mobile malware.
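Both the TOR mirror list and the GitHub fallback hand the bot a Base64-encoded JSON object listing C2 servers, so an analyst who captures that blob can turn it straight into block-list indicators. The following decoder is an added example written for this page, not code from the page or from any of the vendor reports it cites. It assumes the JSON carries a "servers" array of objects with "host" and "port" keys (the page does not document the schema, so those names are assumptions), accepts bare JSON as well as Base64-wrapped JSON, and rejects junk or duplicate entries so the output can be fed to a firewall or DNS RPZ without manual clean-up. The sample addresses are documentation ranges, not real indicators.

```python
"""Decode a Hydra-style C2 mirror response into a vetted list of endpoints.

Added example (not from the page or any vendor report). The key names
"servers", "host" and "port" are assumptions about the JSON layout.
"""
import base64
import binascii
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample standing in for the /api/mirrors response or the
# GitHub fallback. Addresses are RFC 5737 / RFC 3849 documentation values.
SAMPLE_MIRROR_RESPONSE = base64.b64encode(json.dumps({
    "servers": [
        {"host": "203.0.113.10", "port": 443},
        {"host": "example.com", "port": 8080},
        {"host": "http://[2001:db8::1]:9090/gate", "port": 0},  # URL form
        {"host": "not a host!", "port": 80},                    # junk entry
        {"host": "203.0.113.10", "port": 443},                  # duplicate
    ]
}).encode()).decode()

HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def decode_mirror_list(blob: str) -> list:
    """Return the raw server entries from a Base64-wrapped (or bare) JSON blob."""
    text = blob.strip()
    try:
        text = base64.b64decode(text, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        pass  # not Base64 (or not text): treat the input as bare JSON
    data = json.loads(text)
    return data.get("servers", []) if isinstance(data, dict) else list(data)


def normalize_endpoint(entry: dict):
    """Return (host, port) if the entry is a plausible endpoint, else None."""
    host = str(entry.get("host", "")).strip().lower()
    port = int(entry.get("port", 0) or 0)
    if "://" in host:  # URL form: take host and port from the URL itself
        parts = urlsplit(host)
        host = parts.hostname or ""
        port = parts.port or port or (443 if parts.scheme == "https" else 80)
    try:
        host = str(ipaddress.ip_address(host))  # canonical IPv4/IPv6 text
    except ValueError:
        if not HOSTNAME_RE.match(host):  # neither an IP nor a sane hostname
            return None
    if not 0 < port < 65536:
        return None
    return host, port


def extract_c2_endpoints(blob: str) -> list:
    """Decode, validate and de-duplicate endpoints; sorted for stable diffs."""
    seen = set()
    for entry in decode_mirror_list(blob):
        endpoint = normalize_endpoint(entry) if isinstance(entry, dict) else None
        if endpoint and endpoint not in seen:
            seen.add(endpoint)
    return sorted(seen)


if __name__ == "__main__":
    for host, port in extract_c2_endpoints(SAMPLE_MIRROR_RESPONSE):
        print(f"{host}:{port}")
```

Because the mirror list rotates (DGA domains, fast-flux hosting), re-running the decoder on each captured response and diffing the sorted output is a cheap way to track infrastructure churn over a campaign.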

Overlay Injection Flow

  1. Bot registers with C2, sending device metadata and installed app list
  2. C2 responds with a target application list and a URL pointing to a ZIP file containing HTML overlay templates (injections)
  3. Bot monitors Accessibility events for targeted apps entering the foreground
  4. When a target is detected, the corresponding injection HTML is loaded in a WebView overlay
  5. Credentials entered into the overlay are exfiltrated to the C2

The injection templates are sourced from underground marketplaces like "InTheBox," where webinjects for specific banking apps are sold individually or in bundles.

Screen Streaming and Remote Control

Hydra's on-device fraud capability works through a two-channel system:

  • Outbound: Device screen is captured via Android Screencast APIs and streamed to the C2
  • Inbound: The operator sends interaction commands (tap coordinates, text input, swipe gestures) that Hydra translates into Accessibility actions on the device

This creates a TeamViewer-like remote control session. Because the fraud occurs on the victim's device using their IP address and device fingerprint, it bypasses anti-fraud systems that rely on device/IP binding.

Persistence

Hydra requests Accessibility Service and Device Admin privileges. It suppresses notifications from security apps, disables Google Play Protect, and monitors for attempts to revoke its permissions, re-requesting them if removed.
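The two privileges Hydra depends on, an enabled Accessibility service and an active Device Admin receiver, are both visible from an adb shell, which makes an allowlist check a practical triage step on a suspect device. The following script is an added example written for this page, not code from the page or from any vendor report. It parses the value of `settings get secure enabled_accessibility_services` and the `ComponentInfo{...}` entries of `dumpsys device_policy`; the dumpsys excerpt below is constructed and simplified (real output varies by Android version), the package names are invented, and the allowlists are assumptions an organisation would replace with its own. Holding both privileges at once from an unknown package is the pattern the page describes, so the script flags that combination explicitly.

```python
"""Flag non-allowlisted packages holding Accessibility or Device Admin rights.

Added example, not from the page or any vendor report. Sample outputs are
constructed; allowlists are assumptions for the example.
"""
import re
import subprocess

# Packages an organisation permits to hold each privilege (assumed).
ALLOWED_ACCESSIBILITY = {"com.google.android.marvin.talkback"}
ALLOWED_DEVICE_ADMIN = {"com.example.mdm"}  # hypothetical MDM agent

# Constructed sample of `settings get secure enabled_accessibility_services`.
SAMPLE_A11Y_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.docmanager.free/.AccessService"
)
# Constructed, simplified excerpt of `dumpsys device_policy`.
SAMPLE_DEVICE_POLICY = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.mdm/com.example.mdm.AdminReceiver}
    ComponentInfo{com.docmanager.free/com.docmanager.free.AdminReceiver}
"""

COMPONENT_RE = re.compile(r"ComponentInfo\{([\w.]+)/([\w.$]+)\}")


def parse_accessibility_services(setting: str) -> list:
    """'pkg/cls:pkg/cls' -> [(pkg, cls)], expanding the '.Cls' shorthand."""
    text = (setting or "").strip()
    if text in ("", "null"):  # `settings get` prints "null" when unset
        return []
    out = []
    for item in filter(None, text.split(":")):
        pkg, _, cls = item.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def parse_device_admins(dumpsys: str) -> list:
    """Every ComponentInfo{pkg/cls} in the dumpsys text as (pkg, cls)."""
    return [(m.group(1), m.group(2)) for m in COMPONENT_RE.finditer(dumpsys)]


def find_suspicious(a11y_setting: str, dumpsys: str) -> dict:
    """Non-allowlisted packages holding either privilege, with a flag for
    the Hydra-like pattern of holding both at once."""
    a11y = {pkg for pkg, _ in parse_accessibility_services(a11y_setting)}
    admins = {pkg for pkg, _ in parse_device_admins(dumpsys)}
    findings = {}
    for pkg in (a11y - ALLOWED_ACCESSIBILITY) | (admins - ALLOWED_DEVICE_ADMIN):
        findings[pkg] = {
            "accessibility": pkg in a11y,
            "device_admin": pkg in admins,
            "both": pkg in a11y and pkg in admins,
        }
    return findings


def adb_shell(*args) -> str:
    """Run a command on the attached device; only used when run directly."""
    return subprocess.run(["adb", "shell", *args], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    setting = adb_shell("settings", "get", "secure", "enabled_accessibility_services")
    policy = adb_shell("dumpsys", "device_policy")
    for pkg, flags in sorted(find_suspicious(setting, policy).items()):
        print(pkg, flags)
```

Since the trojan re-requests these permissions when they are revoked, the useful remediation order is to remove the Device Admin grant first (which otherwise blocks uninstall), then uninstall the package, and only then confirm the Accessibility setting no longer lists it.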

Target Regions and Financial Institutions

Hydra's affiliate model means targeting varies significantly by operator. Observed concentrations include:

Region | Focus
Turkey | Historically the primary target region; Turkish banking apps consistently present in target lists
Germany | Bleeping Computer reported campaigns targeting Commerzbank (Germany's second-largest bank)
Spain | Bridewell documented a 2023 campaign focused on Spanish banking apps
Latin America | Same Bridewell research identified Latin American banking targets
Broader Europe | Austria, Italy, France, Netherlands, Poland, and other EU banking apps
Cryptocurrency | Wallet and exchange apps consistently present across affiliate target lists

Notable Campaigns

2018-2019, BianLian dropper-as-a-service: ThreatFabric tracked BianLian's evolution from a simple dropper delivering Anubis payloads to a full-featured dropper service with its own banking trojan. The operators maintained persistent Google Play presence through rapid app replacement.

2021, German banking campaign: Bleeping Computer reported a Hydra campaign specifically targeting Commerzbank customers, distributing a fake app that mimicked the bank's official Android application.

2022, most prolific banking trojan: ThreatFabric's H1 2022 landscape report identified Hydra as the most active Android banking trojan by volume, surpassing FluBot (prior to its law enforcement takedown in May 2022), SharkBot, and TeaBot.

Late 2022, European expansion with TOR C2: Cyble analyzed new Hydra variants incorporating TOR communication, SOCKS proxy, and Play Protect disabling. The campaign focused on European banking users with updated webinjects.

January 2023, Spain and Latin America campaign: Bridewell identified a campaign distributing Hydra samples impersonating Google Chrome and Google Play Store. The research uncovered 28 C2 servers and DGA domain usage, with webinjects sourced from the InTheBox marketplace.

February 2023, NCC Group technical deep-dive: NCC Group published a detailed technical analysis (also published via Fox-IT) covering Hydra's credential theft mechanisms, C2 infrastructure patterns, and overlay injection workflow.

References