In the previous article, we discussed the packing mechanism of a Bian Lian sample and how to unpack it. This article reverse engineers the payload of the malware. It explains:

This is an analysis of the sample with SHA256 73fae61d9550186c9b68c0e3a0589f1faaa87f6a9dc8290f98aaf55db3a58350, which was uploaded to VirusTotal on July 1, 2021. It is detected as Android/Locker.CQ!tr. This malware appears to be a test screen locker, with an explicit application icon “Virus” and very few classes.


The sample’s name is explicit: “Virus”. The package name evokes a test malware written by a student or wanna-be malware author. MobSF says the sample is “secure”. Beware: this means the sample’s implementation does not have obvious vulnerabilities in it, not that the sample is “safe to use” (it is malicious!).

Most Quark rules match with only low confidence. They…

In this COVID19 era, online/virtual conferences have flourished. It’s cool we no longer have to waste time at airports or railway stations ✈️. But I think most of you will agree it’s not “as cool” as “real conferences” (on site). I’ve wanted to blog about this for months, now…

Around April 1st 2021 (no joke), a new malware surfaced posing as “Localize Já!” [ref]. Its SHA256: be3d8500df167b9aaf21c5f76df61c466808b8fdf60e4a7da8d6057d476282b6

“Find it now” in English — to find your misplaced smartphone.

Banbra, BasBanke, or BrazKing?

As usual, it is difficult to classify this sample in a given malware family. Some tell you this is Banbra [ref], others that this is BasBanke ([ref1], [ref2] and [ref3]), and yet…


Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.
