BianLian

By CagedTech in Malware

BianLian is Android mobile malware. The latest version is an obfuscated variant of the well-known BianLian family, first discovered in 2018. BianLian started out as a downloader for other malware, but it has since been modified to deliver new malicious code that targets Turkish banking applications.

Why BianLian is Threatening

BianLian behaves like most other Android malware: it first hides its application icon and then repeatedly prompts the user to grant the permissions it needs to carry out its attack in full. Some samples have been observed requesting permission to use Accessibility services.

Once it has the permissions it needs, BianLian enables its full feature set, which allows it to:

  • Send and receive text messages.
  • Log message data.
  • Run USSD codes.
  • Make calls.
  • Lock the screen.
  • Show fake interfaces for banking and other applications.
  • Screencast (sending a recording or live view of the screen to a remote server).
  • Act as a SOCKS5 proxy (sets up an SSH server, which is difficult to detect).

It also drops a payload APK. Older versions carried the APK inside the original malware APK in encrypted form; newer versions download it from a CC server.

In both cases the deployed APK is not malware in itself: it is a helper that the malware loads via Java reflection to detect the Google Play Protect service through the Google SafetyNet API. BianLian is actively developed and regularly gains new functionality. It contains no advanced anti-analysis techniques, but it is able to evade simpler detection methods.

Technical Details

BianLian IoC: ac32dc236fea345d135bf1ff973900482cdfce489054760601170ef7feec458f
Payload APK IoC: 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d
CC Servers:
hxxps://tombaba[.]club
hxxps://tomcatdomains[.]page[.]link

Targeted Applications

com.akbank.android.apps.akbank_direkt
com.albarakaapp
com.binance.dev
com.btcturk
com.denizbank.mobildeniz
com.finansbank.mobile.cepsube
com.garanti.cepsubesi
com.ingbanktr.ingmobil
com.kuveytturk.mobil
com.magiclick.odeabank
com.mobillium.papara
com.pozitron.iscep
com.teb
com.thanksmister.bitcoin.localtrader
com.tmobtech.halkbank
com.vakifbank.mobile
com.ykb.android
com.ziraat.ziraatmobil
finansbank.enpara
tr.com.hsbc.hsbcturkey
tr.com.sekerbilisim.mbank
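As an added example (not code from the original post or from the malware's authors), the following Python triage helper maps the capability list, hash IoCs and targeted-application list above onto a decoded manifest and strings dump. The manifest, the strings dump and the subset of targeted package names are constructed for illustration; a real analysis would feed in the output of the analyst's own APK decoding tooling.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# SHA-256 IoCs published on this page (dropper APK and payload APK)
KNOWN_SHA256 = {"ac32dc236fea345d135bf1ff973900482cdfce489054760601170ef7feec458f",
                "75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d"}
# Subset of the page's targeted-application list; extend with the full list
TARGETED_PACKAGES = {"com.akbank.android.apps.akbank_direkt", "com.garanti.cepsubesi",
                     "com.ingbanktr.ingmobil", "com.ykb.android", "finansbank.enpara"}
# Manifest markers that map onto the capabilities listed above
CAPABILITY_MARKERS = {
    "android.permission.SEND_SMS": "send SMS",
    "android.permission.RECEIVE_SMS": "receive SMS",
    "android.permission.READ_SMS": "log SMS data",
    "android.permission.CALL_PHONE": "make calls / run USSD codes",
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay fake interfaces",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility service",
}

def manifest_permissions(manifest_xml: str) -> set:
    """Requested permissions plus the permission guarding each declared <service>."""
    root = ET.fromstring(manifest_xml)
    perms = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    perms |= {e.get(ANDROID_NS + "permission") for e in root.iter("service")}
    return {p for p in perms if p}

def triage(sha256: str, manifest_xml: str, strings: list) -> dict:
    """Score one decoded sample against the page's IoCs and behaviour profile."""
    perms = manifest_permissions(manifest_xml)
    caps = sorted(CAPABILITY_MARKERS[p] for p in perms if p in CAPABILITY_MARKERS)
    targets = sorted(TARGETED_PACKAGES.intersection(strings))
    ioc_hit = sha256.lower() in KNOWN_SHA256
    # A known hash is conclusive; otherwise require the banker profile above plus targeted-app references
    profile = {"accessibility service", "overlay fake interfaces", "send SMS"} <= set(caps)
    verdict = "bianlian-ioc" if ioc_hit else "suspicious-banker" if profile and targets else "no-match"
    return {"ioc_match": ioc_hit, "capabilities": caps, "targeted_apps": targets, "verdict": verdict}

# Constructed decoded manifest and strings dump standing in for a real sample
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
  package="com.constructed.sample">
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application><service android:name=".A11y"
    android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/></application>
</manifest>"""
SAMPLE_STRINGS = ["com.garanti.cepsubesi", "com.ykb.android", "android.intent.action.MAIN"]

if __name__ == "__main__":
    print(triage("0" * 64, SAMPLE_MANIFEST, SAMPLE_STRINGS))
```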
