Our 24x7 comprehensive monitoring of the Digital Underground can help you transform your information security and anti-fraud operations from reactive to proactive.

orange arrow

Hydra: The regenerating Mobile Malware Service

intro image

Written by Neal Hopton

What is Hydra?

Hydra is a mobile Malware-as-a-Service increasingly popular among cybercriminals. Hydra is one of the leading mobile malware variants currently available for threat actors looking to execute Android mobile malware campaigns, along with other malware families such as Alien, Cerberus, and Anubis. Hydra is likely the smallest of the group, and certainly lags behind its peers in terms of online marketing presence. It has, however, established quite a name for itself as a reliable, go-to service for threat actors aiming to build android malware campaigns, by producing solid results for customers and undercutting the price points of its competitors.

Hydra Malware
An active Hydra android campaign, as seen from the admin panel

Most Hydra purchases begin with a purchase order at Hydra’s chat service of choice, Telegram. A prospective buyer contacts the telegram username nicknamed “Pablo Same”, and requests use of the service. Pablo Same then responds with a brief overview of Hydra’s features and the listed price. Once paid, the developer then instructs the buyer to supply their own server and hosted domain on which the admin panel may be accessed.

Hydra Malware
Hydra's exploit[.]in user exchanging contact information with a potential customer

Once the buyer has established a server and chosen a domain on which to host the malware admin panel, Pablo Same receives the server credentials from the buyer and associates this domain with the service plan purchased. Pablo Same claims that Hydra operators do not need to be concerned about their domain being flagged for malicious activity; should this occur, the buyer can simply switch to a new domain and restart the service.

Hydra’s admin panel features and functionality are similar to those of other mobile malware families. Via the admin panel, a threat actor may interact with victim phones in order to perform various malicious activities such as sending texts, interacting with apps, sending commands to the phone’s OS, taking screenshots, etc. Many threat actors are seeking to steal bank account credentials and information for purposes of financial fraud, a task which Hydra also handles quite well.

Hydra Malware
A Hydra customer using the panel's filter options to display only bots that contain banking credentials

Price Points and Marketing Troubles

The pricing for Hydra is simply at $1,700 per month. This price is lower than other, more well-known android mobile services such as Alien. Alien is priced at $2,000 a month, and as one of the largest and most recognized android mobile malware services, Alien is in high demand. For Hydra to come in at a 15% discount to Alien suggests an attempt to undercut the more established players, while remaining at a close enough price point to be taken seriously by potential buyers. The strategy appears to have worked well for the Hydra team, though recent blunders may well cut into the progress made so far.

Hydra’s main account on one of the foremost Russian cybercriminal forums “Verified” was lost as of August 2021. The Verified account, under the moniker “trafimer”, was engaged in a monetary dispute with another member of that forum and after arbitration, was found liable for stolen funds, labeled a “ripper” (i.e., scammer), and was banned from the forum. The ban is black mark on what has otherwise been a fairly smooth operation by the Hydra team. Nevertheless, with Hydra’s account still quite active on exploit[.]in, operations seem to be going well. Assuming Hydra has learned from this mistake, it is likely to remain a staple of the android mobile malware ecosystem.

Hydra Malware
Trafimer labeled a "ripper", or scammer, on the cybercriminal forum Verified

Don't forget

to Visit

Our Solutions

About the Author

Neal Hopton is a Senior Analyst at Q6 Cyber. Leveraging extensive cybersecurity experience and multilingual fluency, he focuses on threat intelligence triaging, collection, and analysis.