Android/BianLian payload

Three DEXes

Reverse engineer is loooong

Overview of malicious components

Communication with the C&C

Decrypting the preferences entry “admin_panel_url_”
The XOR key is composed of characters !8[`. For example “IL/p:/trI]:cNT7iDJhQ53iNV]9sHL>” decrypts to hxxp://
List of commands understood by the BianLian bot. The commands are keys within a JSON object, and values specify command arguments. The JSON object is sent or received from the C&C.
List of Bian Lian bot responses to commands.

Malicious injections

In this case, the C&C was interested in many mobile turkish bank apps.
For example, in this case, the bot notifies the C&C 3 interesting mobile apps are installed.
In this network capture, the bot requests an HTML page to display above the bank’s application.
Beware the malicious overlay! This screenshot was taken on an infected Android emulator. If we are cautious, we can spot the trick here because the overlay is not perfect: the real app is running behind (we see the real logo at the top) and the malicious page is overlaid in front. This is actually not an image but an entire HTML page, with hard-coded embedded logo images, layout and JavaScript. The card number, expiration date & CVV are sent back to the C&C.

Team Viewer component

Decompiled code of the malware’s team viewer component. The Accessibility Service is used to see which node/view is currently displayed, locate the relevant button and automatically click on it. Team Viewer is automatically configured by automatically entering username/password inside the right text views of the application.
To abuse Accessibility Services, the malware requests initial permissions. Yes, in theory, an end-user should not click “OK” to such a request, but let’s be honest, there are many pop-ups on a smartphone & it’s not always clear to the end-user what they are authorizing. That’s how we end up with an infected smartphone…

Disabling notifications

This is the part of the bot’s code that disables notification for an app. The bot opens the notification settings for a given app. At this point, the method above gets called. It checks whether the notification switch is already checked or not. If checked, it unchecks it. If not checked, it leaves it unchecked and continues to the next app.

Screencast component

Intent intent = new Intent(InjAccessibilityService.broadcast_swipe_unlock);  // "broadcast_swipe_to_unlock_action"
intent.putExtra("task", 669);
if(! && this.mediaprojectmgr != null) {   activity.startActivityForResult(this.mediaprojectmgr.createScreenCaptureIntent(), 0x1E240);  }
When a screen capture is requested, the system normally displays a system UI pop-up asking for confirmation. The code above checks this is the confirmation pop-up, that it requests screen capture for the Video Player (the sample poses as a Video Player app) and automatically confirms & remembers the choice.
Encode bitmap in Base64 and send it to C&C. If upload fails, stop screen cast service.
this.startForeground(0x74A, new Notification.Builder(this.getApplicationContext()).setContentTitle("Google").setContentText("Update Google Play Service").setSmallIcon(0x7F050001).setProgress(0, 100, true).build());

Locker component

Android system corrupted files recovery <3e>
Kernel version
private void fullScreen() {
this.getWindow().getDecorView().setSystemUiVisibility(0xF06); // SYSTEM_UI_FLAG_FULLSCREEN=4 | SYSTEM_UI_FLAG_HIDE_NAVIGATION=2
public void onWindowFocusChanged(boolean arg5) {
if(arg5) {

PIN code component

Task of the PIN code component

Install component

Automatically authorizing install of APKs from external sources
Processing C&C commands to delete applications

Sound component

USSD component

Code calling a given phone number (USSD)

SMS component

this.sendSms(command.get("id").toString(), command.get("phone_number").getString(), command.get("message").getString()); // calls sendTextMessage

Unsure / Do you know why? Contact me!

Code in
Code in



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store