
WannaHydra

Posted: July 4, 2019

WannaHydra is an Android-based, multi-purpose Trojan that combines properties of a file-locking threat, spyware and a banking Trojan. WannaHydra can prevent you from accessing your files by encrypting them, and it can collect credentials, such as passwords, especially for bank accounts. Android phone users should monitor infection vectors like e-mail for possible attacks and keep anti-malware products ready for removing WannaHydra on sight.

A Trojan Sprouts Extra Heads for Snacking on Files and Data

An old imitator of the family that's variously known as WannaCry, WannaCryptor Ransomware, and '.wcry File Extension' Ransomware is reviving itself with unexpected and substantial updates. The threat that's dubbed WannaLocker Ransomware, a file-locker Trojan that imitated WannaCry in the same year as that Trojan's rise, is becoming the pet project of a newly-interested threat actor. Unlike most Trojans with data-blockading attacks, this new version, WannaHydra, has various attacks that lie outside of this theme.

WannaHydra's campaign is targeting Brazilian mobile phone users and only compromises Android environments. Its infection vector is a social engineering tactic that uses one of several Brazilian bank brands for tricking customers into signing into a fake login screen. Unlike most Trojans that block files, WannaHydra includes significant data-exfiltration capabilities and harvests hardware information, communications like call log records and text message history, the contact list and even microphone data. While malware experts have incomplete information on its other attacks, WannaHydra is likely focusing on collecting bank account credentials through other means.

All of these additions don't subtract from the original features that WannaHydra inherits from WannaLocker Ransomware. It still has the potential for blocking the user's files with encryption, hijacking the wallpaper, changing audio settings, and reading and modifying the contents of accessible storage devices. Current estimates are that the file-locking behavior is a 'backup plan' that lets threat actors make money from compromising the phone, even if the user doesn't have any valuable account information or other data for collecting.
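The behaviours listed above correspond to permissions that an Android application has to declare, so auditing a manifest for the same combination is one check a defender can run before installing an app. The following Python is an added example, not code from this article or from any analysis of WannaHydra; the permission mapping, the flagging threshold and the sample manifests are assumptions constructed for illustration, and the manifest is assumed to be already decoded to text XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
P = "android.permission."
# Assumed mapping (not from the article) of its listed behaviours to permissions.
CAPABILITIES = {
    "call log collection": {P + "READ_CALL_LOG"},
    "text message collection": {P + "READ_SMS"},
    "contact list collection": {P + "READ_CONTACTS"},
    "microphone capture": {P + "RECORD_AUDIO"},
    "storage read/modify": {P + "READ_EXTERNAL_STORAGE", P + "WRITE_EXTERNAL_STORAGE"},
    "wallpaper change": {P + "SET_WALLPAPER"},
    "audio settings change": {P + "MODIFY_AUDIO_SETTINGS"},
}
COLLECTION = {"call log collection", "text message collection",
              "contact list collection", "microphone capture"}

def requested_permissions(manifest_xml):
    """Return the permission names declared in a text-form AndroidManifest.xml."""
    root = ET.fromstring(manifest_xml)
    perms = set()
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for node in root.iter(tag):
            name = node.get(ANDROID_NS + "name")
            if name:
                perms.add(name.strip())
    return perms

def audit(manifest_xml, min_collection=2):
    """Flag apps that pair several collection permissions with storage write access."""
    perms = requested_permissions(manifest_xml)
    hits = sorted(c for c, needed in CAPABILITIES.items() if perms & needed)
    collecting = [c for c in hits if c in COLLECTION]
    flagged = len(collecting) >= min_collection and P + "WRITE_EXTERNAL_STORAGE" in perms
    return {"capabilities": hits, "flagged": flagged}

def _manifest(package, names):  # builds constructed sample input
    uses = "".join('<uses-permission android:name="%s%s"/>' % (P, n) for n in names)
    return ('<manifest xmlns:android="http://schemas.android.com/apk/res/android" '
            'package="%s">%s</manifest>' % (package, uses))

# Constructed samples: neither is taken from a real application.
SAMPLE_BANK_LOOKALIKE = _manifest("com.example.fakebank", [
    "READ_SMS", "READ_CALL_LOG", "READ_CONTACTS", "RECORD_AUDIO",
    "WRITE_EXTERNAL_STORAGE", "SET_WALLPAPER", "MODIFY_AUDIO_SETTINGS"])
SAMPLE_VOICE_RECORDER = _manifest("com.example.recorder", [
    "RECORD_AUDIO", "WRITE_EXTERNAL_STORAGE"])

if __name__ == "__main__":
    for sample in (SAMPLE_BANK_LOOKALIKE, SAMPLE_VOICE_RECORDER):
        print(audit(sample))
```

A flag here means the requested permissions deserve a closer look given what the app claims to do; legitimate apps can request the same set.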

Searing the Many Heads of Trojan Thievery

The latter half of WannaHydra's name refers to the Greek hydra, a mythological creature that consists of many heads atop a single, reptilian body. This name is apt since WannaHydra modularly fuses features that aren't often available in just one Trojan. Additionally, while its development is ongoing, users should treat it as being a severe threat to both their informational privacy and the health of any files on their phone and related storage devices.

By default, the basis of WannaHydra's encryption feature avoids blocking content that's less than ten kilobytes in size or that adheres to certain naming conventions related to downloads, digital camera content or the Android OS. These restrictions may or may not apply to WannaHydra as its development goes forward. Regardless, malware experts encourage backing up one's media to secure locations so that WannaHydra's ransoming efforts cannot turn a profit.

Android phone users can follow a variety of guidelines to keep themselves at much less risk of infection. Maintaining software updates, especially for the operating system, will cover any patchable vulnerabilities. E-mail-based attacks should be identifiable by appropriate security products. Users can avoid threatening phone applications by double-checking reviews and staying away from downloads from suspicious third parties.

As a last resort, traditional anti-malware services can block or delete WannaHydra from your phone, as necessary, like other threats of its kind.

WannaHydra is quite the investment into what was a well-aged Trojan. Elderly threats have more teeth than old dogs, however, and are worth keeping an eye on.
