Earlier this week, Avast, the company behind the award-winning AV and antimalware solution, announced the discovery of a new WannaCry strain. Dubbed WannaHydra, the cybersecurity researchers revealed that the malware was engineered to install spyware, crack open banks, and to remotely access admin functions.
The latest WannaCry strain has already hit four major Brazilian banks and, from the looks of it, Android devices could also be vulnerable to this type of exploitation. Avast researchers observed that the recently deployed malware is constantly evolving, which makes it extremely dangerous and difficult to reverse-engineer.
WannaHydra – the bastard returning to claim WannaCry’s throne?
The latest in ransomware to cripple the Brazilian mobile banking system is actually more akin to WannaLocker than to WannaCry. WannaLocker was first discovered in June 2017, around the same time as WannaCry, its distant and highly destructive brother-in-arms.
So why call it WannaHydra? As I mentioned, this type of ransomware has three types of attacks: spyware, banking trojans, and privilege escalation. What’s more daunting is the fact that WannaHydra seems to target Android, the same environment used by the aforementioned banking entities to deploy their apps.
So, how does WannaHydra act? Well, according to Avast, the new WannaLocker spin-off ‘sends’ out teary-eyed notes to their victims, begging them to sign up, download an extension for their banking application, or review their financial details on account of some snafu.
Back in 2017, WannaLocker did basically the same thing; however, the stakes were much lower. According to Avast, the ransomware which fathered WannaHydra began spreading through a Chinese gaming forum. Apparently, the users were duped into downloading the viral payload, thinking it was a mobile game add-on.
Once inside the phone, the malware would relocate itself in the device’s external storage. From there, it would start to encrypt random files. Avast noted a peculiarity in WannaLocker’s file encryption discriminator.
More specifically, the malware would have left thousands of files untouched, having what one might call a soft spot for files under 10KB.
Again, WannaLocked wasn’t so demanding as its brother in arms; in most cases, the hackers would ask for $5 to hand over the decryption key (yes, I know that it sounds like a trifle, but then again there are plenty of fish in the pond, if you get my drift).
Well, that’s all ancient history, because WannaHydra is much more devious and demanding compared to its predecessor.
What’s even more daunting is the fact that the malware is polymorphic in nature, meaning that it can change its appearance and behavior to sink below the radar. Still, just like WannaLocker, it will get into your device’s external storage and wreak havoc from there.
So, what kind of info can it get from my device? Avast said that WannaHydra is more than capable of collecting all manner of sensitive info such as hardware info, device manufacturer, text messages, your call log, GPS data, voice recordings, contact list, and photos from your gallery.