Creating a safe dummy C&C to test Android bots

The bot

Simply use an Android emulator. The BianLian sample installs fine on Android 8.

The (fake) server

BianLian communicates with a C&C via HTTP. So, I created a quick Flask application to act as the web server.
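A logging sinkhole of the kind described here, as an added example that is not the author's Flask application: it uses Python's standard `http.server` instead of Flask so it runs without extra packages, binds only to 127.0.0.1 on port 9999, records every request and answers with an inert `{}`. The recorded fields and the reply body are assumptions; BianLian's actual protocol is not reproduced.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

CAPTURED = []  # one dict per request received from the bot


class SinkholeHandler(BaseHTTPRequestHandler):
    """Record every request and answer with an empty JSON object."""

    def _capture(self):
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else b""
        record = {
            "method": self.command,
            "path": self.path,
            "host": self.headers.get("Host", ""),
            "user_agent": self.headers.get("User-Agent", ""),
            "body": body.decode("utf-8", errors="replace"),
        }
        CAPTURED.append(record)
        print(json.dumps(record))
        # Constructed, inert reply: no command is ever returned to the bot.
        payload = b"{}"
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    do_GET = do_POST = do_PUT = _capture

    def log_message(self, fmt, *args):
        pass  # silence the default access log; records are printed as JSON


def start_sinkhole(port=9999):
    """Bind to loopback only and serve in a background thread."""
    server = ThreadingHTTPServer(("127.0.0.1", port), SinkholeHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    srv = start_sinkhole(9999)
    print("sinkhole listening on 127.0.0.1:%d" % srv.server_address[1])
    threading.Event().wait()  # keep the main thread alive until Ctrl-C
```

Binding to loopback keeps the listener unreachable from other machines, and the JSON lines it prints can be diffed between runs to see how the sample's requests change.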

Redirecting to our fake server

Normally, the bot communicates with a C&C at hxxp://rheacollier31532.website. This name resolves (currently) to IP address 159.223.187.91. So, what we’ll do is redirect all traffic coming from the emulator and going to 159.223.187.91 on port 80 to the fake server (127.0.0.1) on the desired port (I used 9999).

Videos

The resulting videos are below.

@cryptax

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.