Android/BianLian payload

  • The malicious components the bot implements. Those components can be seen as independent modules, and they are launched at the beginning. Each of them does its job, handles the accessibility events that concern it, and notifies or responds to the C&C. The implementation is clearly organized to easily welcome future modules.
  • The communication between the C&C and the bot. The bot understands and responds to several commands. The commands are implemented in the relevant component. The communication protocol is fairly simple: over HTTP (not HTTPS), with a plaintext JSON object as data (no encryption).
  • The implementation of each major component.

Three DEXes

  1. The main APK’s DEX — which is responsible for decrypting the second DEX and loading it via multidex. As a reminder, the APK’s sha256 is 5b9049c392eaf83b12b98419f14ece1b00042592b003a17e4e6f0fb466281368
  2. The second DEX — which implements the malicious payload of the bot. This is what we discuss in this article. Its sha256 is d0d704ace35b0190174c11efa3fef292e026391677ff9dc10d2783b4cfe7f961
  3. A third DEX. It is downloaded by the second DEX from the remote C&C, but is not interesting for the analysis of the malware because it only contains non-malicious utility functions. Its package name is com.fbdev.payload.

Reverse engineer is loooong

Overview of malicious components

  • Bulk SMS. The attacker specifies the body of an SMS to send, and it is sent to all contacts of the victim’s smartphone.
  • Inject. The attacker provides an image to download from the web and inject (overlay) on a given list of apps.
  • Install Apps. The attacker specifies a list of applications to install on the phone.
  • Locker. This disables the ringer, and displays a text taken randomly from a pool of possible messages.
  • Notification Disabler. Disables notifications of given applications.
  • PIN code. Steals the lock PIN code for some phone brands. The sample we analyze supports Samsung and Huawei.
  • SMS. This is to send specific SMS messages. The attacker specifies the body and phone number to send to.
  • Screencast. Takes screenshots of given applications.
  • Sound switch. Turns the ringer on or off.
  • Team viewer. The Team Viewer app is a well-known non-malicious app to access your smartphone from any other computer. Here, the attacker uses it to access the victim’s smartphone remotely.
  • USSD. The attacker specifies the premium phone number to call. For the victim, this may result in extra cost, depending on his/her subscription.

Communication with the C&C

Decrypting the preferences entry “admin_panel_url_”
The XOR key is composed of characters !8[`. For example “IL/p:/trI]:cNT7iDJhQ53iNV]9sHL>” decrypts to hxxp://
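The decoding step above as an added example (a triage helper written for this page, not code from the sample or from the article's author). It assumes the key repeats over the string and, as inferred from the quoted sample rather than from the decompiled code, that a byte is left unchanged when the XOR would produce a control character; the result is returned defanged.

```python
# Added example: decoder for the XOR-obfuscated preference value.
KEY = b"!8[`"  # XOR key characters as stated in the article

# Ciphertext quoted in the article for the "admin_panel_url_" preference.
SAMPLE = "IL/p:/trI]:cNT7iDJhQ53iNV]9sHL>"


def xor_decode(text: str, key: bytes = KEY) -> str:
    """Repeating-key XOR over an ASCII preference value.

    Assumption (inferred from the article's sample, not confirmed against
    the decompiled code): when the XOR result would be a control character
    (< 0x20), the byte is stored unchanged. The transform is its own inverse.
    """
    out = bytearray()
    for i, c in enumerate(text.encode("ascii")):
        p = c ^ key[i % len(key)]
        out.append(p if p >= 0x20 else c)
    return out.decode("ascii")


def defang(url: str) -> str:
    """Render a URL non-clickable for reports: http -> hxxp, '.' -> '[.]'."""
    scheme, sep, rest = url.partition("://")
    return scheme.replace("tt", "xx") + sep + rest.replace(".", "[.]")


def decode_c2(value: str) -> str:
    """Decode a stored C&C preference and return it defanged."""
    url = xor_decode(value)
    if not url.startswith(("http://", "https://")):
        raise ValueError("decoded value is not an HTTP(S) URL")
    return defang(url)


if __name__ == "__main__":
    print(decode_c2(SAMPLE))
```

Because the transform is symmetric, the same function re-encodes a decoded value, which is a quick way to check the skip rule against other strings pulled from the sample's preferences.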
List of commands understood by the BianLian bot. The commands are keys within a JSON object, and values specify command arguments. The JSON object is sent or received from the C&C.
List of BianLian bot responses to commands.

Malicious injections

In this case, the C&C was interested in many Turkish mobile banking apps.
For example, in this case, the bot notifies the C&C that 3 interesting mobile apps are installed.
In this network capture, the bot requests an HTML page to display above the bank’s application.
Beware the malicious overlay! This screenshot was taken on an infected Android emulator. If we are cautious, we can spot the trick here because the overlay is not perfect: the real app is running behind (we see the real logo at the top) and the malicious page is overlaid in front. This is actually not an image but an entire HTML page, with hard-coded embedded logo images, layout and JavaScript. The card number, expiration date & CVV are sent back to the C&C.

Team Viewer component

Decompiled code of the malware’s team viewer component. The Accessibility Service is used to see which node/view is currently displayed, locate the relevant button and automatically click on it. Team Viewer is configured automatically by entering the username/password into the right text views of the application.
To abuse Accessibility Services, the malware requests initial permissions. Yes, in theory, an end-user should not click “OK” to such a request, but let’s be honest, there are many pop-ups on a smartphone & it’s not always clear to the end-user what they are authorizing. That’s how we end up with an infected smartphone…

Disabling notifications

This is the part of the bot’s code that disables notifications for an app. The bot opens the notification settings for a given app. At this point, the method above gets called. It checks whether the notification switch is already checked or not. If checked, it unchecks it. If not checked, it leaves it unchecked and continues to the next app.

Screencast component

Intent intent = new Intent(InjAccessibilityService.broadcast_swipe_unlock);  // "broadcast_swipe_to_unlock_action"
intent.putExtra("task", 669);
if(! && this.mediaprojectmgr != null) {
    activity.startActivityForResult(this.mediaprojectmgr.createScreenCaptureIntent(), 0x1E240);  // request code 0x1E240 = 123456
}
When a screen capture is requested, the system normally displays a system UI pop-up asking for confirmation. The code above checks that this is the confirmation pop-up and that it requests screen capture for the Video Player (the sample poses as a Video Player app), then automatically confirms and remembers the choice.
Encode bitmap in Base64 and send it to C&C. If upload fails, stop screen cast service.
this.startForeground(0x74A, new Notification.Builder(this.getApplicationContext()).setContentTitle("Google").setContentText("Update Google Play Service").setSmallIcon(0x7F050001).setProgress(0, 100, true).build());

Locker component

Android system corrupted files recovery <3e>
Kernel version
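private void fullScreen() {
    // 0xF06 = SYSTEM_UI_FLAG_IMMERSIVE (0x800) | SYSTEM_UI_FLAG_LAYOUT_FULLSCREEN (0x400) | SYSTEM_UI_FLAG_LAYOUT_HIDE_NAVIGATION (0x200)
    //       | SYSTEM_UI_FLAG_LAYOUT_STABLE (0x100) | SYSTEM_UI_FLAG_FULLSCREEN (4) | SYSTEM_UI_FLAG_HIDE_NAVIGATION (2)
    this.getWindow().getDecorView().setSystemUiVisibility(0xF06);
}
public void onWindowFocusChanged(boolean arg5) {
    if(arg5) {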

PIN code component

Task of the PIN code component

Install component

Automatically authorizing install of APKs from external sources
Processing C&C commands to delete applications

Sound component

USSD component

Code calling a given phone number (USSD)

SMS component

this.sendSms(command.get("id").toString(), command.get("phone_number").getString(), command.get("message").getString()); // calls sendTextMessage

Unsure / Do you know why? Contact me!

Code in
Code in




Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.
