Hydra, the two-year-old banking trojan, is active again and targeting European banks.

Experts revealed that hackers are targeting users of top European banks. The Android malware is spreading through a page posing as the official CommerzBank page and hosting a malicious app for the bank. Attackers use TeamViewer, VNC functionality, and Tor for communication in this strain, implying that they are improving their TTPs.

The malware uses different encryption methods to avoid detection and communicates over Tor. It disables the Android security feature Play Protect. Attackers are taking advantage of Accessibility Services to monitor all activity on the device. The malware requests two Accessibility Service related permissions, BIND_ACCESSIBILITY_SERVICE and BIND_DEVICE_ADMIN.

The BIND_ACCESSIBILITY_SERVICE permission allows the app to access the Accessibility Service. The BIND_DEVICE_ADMIN permission allows fake apps to get admin privileges on the compromised device. The malware can abuse this permission to lock the device and modify or reset the screen lock PIN, among other actions.
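For triage, the two bindings described above can be looked for in an app's decoded manifest. The following is an added example, not code from the original report: it assumes the manifest has already been decoded to plain XML, the sample manifest and its component names are constructed, and legitimate apps can declare both bindings, so a hit means "review", not "malicious".

```python
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: attribute namespace

# Binding permissions named in the article -> (component tag, intent action
# that a genuine declaration of that binding carries).
WATCHED = {
    "android.permission.BIND_ACCESSIBILITY_SERVICE":
        ("service", "android.accessibilityservice.AccessibilityService"),
    "android.permission.BIND_DEVICE_ADMIN":
        ("receiver", "android.app.action.DEVICE_ADMIN_ENABLED"),
}

def audit_manifest(xml_text):
    """Return {permission: [component names]} for the watched bindings."""
    root = ET.fromstring(xml_text)
    found = {perm: [] for perm in WATCHED}
    for perm, (tag, action) in WATCHED.items():
        for comp in root.iter(tag):
            if comp.get(A + "permission") != perm:
                continue
            actions = {a.get(A + "name") for a in comp.iter("action")}
            if action in actions:
                found[perm].append(comp.get(A + "name"))
    return found

def needs_review(found):
    """True when one app declares both bindings, the pairing described above."""
    return all(found[p] for p in WATCHED)

# Constructed sample manifest (decoded XML), not taken from any real app.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <application>
    <service android:name=".WatchService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE">
      <intent-filter><action
          android:name="android.accessibilityservice.AccessibilityService"/></intent-filter>
    </service>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN">
      <intent-filter><action android:name="android.app.action.DEVICE_ADMIN_ENABLED"/></intent-filter>
    </receiver>
    <service android:name=".SyncService"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    report = audit_manifest(SAMPLE_MANIFEST)
    print(report, "needs review:", needs_review(report))
```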

Hydra’s recent activities come with a few advanced features that make it more lethal. Currently, it is targeting entities in Germany; however, this could easily change in the near future. Therefore, users are recommended to stay cautious, avoid downloading apps from third parties, and beware of suspicious texts and emails.