There was a remaining point which was bugging me: how does the Android/BianLian bot know where to contact the C&C?
Having worked on the samples for several days, I noticed they weren’t always heading to the same website:
So, where do those names come from? Is this from a Domain Generation Algorithm (DGA)? or are they hidden in an asset?
Answer: the active C&C is returned by a malicious GitHub user account. The account name unfortunately varies from one sample to another:
The json page actually contains a Base64-encoded JSON object with the C&C’s URL:
$ curl https://gist.githubusercontent.com/monopolyofficial/e0656a5a4d04af06e2af9ed83aa0c868/raw/helloworld.jsoneyJkb21haW5zIjpbImh0dHA6Ly9mdWxsdmVoZHZpZGVvaXpsZW1lYXlhcmxhcmk0NTQ1LnNpdGUi
$ echo "eyJkb21haW5zIjpbImh0dHA6Ly9mdWxsdmVoZHZpZGVvaXpsZW1lYXlhcmxhcmk0NTQ1LnNpdGUiXX0K" | base64 -d
How does the code work?
- At first, the code sets a Property with a decrypted admin URL.
2. Actually, as the shared preferences file has no C&C yet, this will actually return a dummy C&C
3. The real C&C is retrieved from the init procedure
4. The code retrieves the “domains” parameter of the JSON
5. Finally, the code sets the URL in the shared preferences.
Conclusion: there is no DGA algorithm. It is just a hard-coded remote URL serving an updated C&C name.
— the Crypto Girl