Creating a safe dummy C&C to test Android bots
To explain what a piece of malware does, nothing beats showing it in a video. But how can you do that safely? This is how I did it for Android/BianLian.
Thanks to al1foobar for his help with iptables ;-)
Simply use an Android emulator. The BianLian sample installs fine on Android 8.
The (fake) server
BianLian communicates to a C&C via HTTP. So, I created a quick Flask application to act as the web server.
At first, you don’t know all the routes you need to serve. That’s not an issue, we’ll find them: run the fake server and watch for HTTP 404 responses. They happen whenever the bot fails to contact a URL it needs. The console shows the missing URL; add those routes to your code.
From my previous analysis of BianLian, I know the C&C sends back JSON data, and I know how some commands should be formatted. A fake server is great for testing those commands safely and seeing what they do. In addition, Flask dynamically reloads its code when it changes, so we can send different commands whenever we want.
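As an added example (not the author’s Flask app), here is the same idea built on Python’s standard-library http.server so it runs without Flask: known routes answer with JSON, anything else gets a 404 and is recorded so you can add it to the route table. The route paths and the command JSON are constructed placeholders, not BianLian’s real protocol.

```python
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# Constructed placeholder routes: the real BianLian paths and command format are not on this page.
ROUTES = {
    "/api/ping": {"status": "ok"},
    "/api/command": {"command": "PLACEHOLDER_COMMAND", "params": {}},
}
MISSING = []  # paths the bot requested that we do not serve yet (the "watch the 404s" step)

class FakeC2Handler(BaseHTTPRequestHandler):
    def _reply(self, code, payload):
        body = json.dumps(payload).encode()
        self.send_response(code)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def do_GET(self):
        path = urlparse(self.path).path  # ignore the query string when matching
        if path in ROUTES:
            self._reply(200, ROUTES[path])
        else:
            MISSING.append(path)  # the console log shows the 404 too: add the path to ROUTES
            self._reply(404, {"error": "unknown route", "path": path})

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the bot's upload
        self.do_GET()  # same route table for POST

def start(port=9999):
    """Serve on 127.0.0.1:port (0 = any free port) in a daemon thread; return the server."""
    srv = HTTPServer(("127.0.0.1", port), FakeC2Handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def probe(port, path):
    """Client-side check: (HTTP status, decoded JSON body) for one request to the fake C&C."""
    try:
        with urllib.request.urlopen(f"http://127.0.0.1:{port}{path}") as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 9999), FakeC2Handler).serve_forever()
```

Unlike Flask, http.server does not reload on edit, so restart it after changing ROUTES.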
Redirecting to our fake server
Normally, the bot communicates to a C&C on hxxp://rheacollier31532.website. This name resolves (currently) to IP address 18.104.22.168. So, what we’ll do is redirect all traffic from the emulator going to 22.214.171.124 on port 80 to the fake server (127.0.0.1) on the desired port (I used
On Linux, use iptables:
sudo iptables -t nat -A OUTPUT -d 126.96.36.199 -p tcp -j DNAT --to-destination 127.0.0.1:9999
To test it, open a browser on the emulator and request, for example, hxxp://rheacollier31532.website: you should see the request arrive in your fake Flask server.
The resulting videos are below.
— the Crypto Girl