Quick look into a new sample of Android/BianLian
It’s Xmas time?! New BianLian samples to analyze thanks to @ni_fi_70 1 hour ago. Is that fresh enough? 😉
Let’s look into
doc_hy_0906_obf.apk, with SHA256:
It is packed. Arg: my “JsonPacker” rule in APKiD doesn’t see it, I’ll have to fix that!
Fortunately, students of mine wrote an unpacker that worked fine. Nice!
Getting the C2
This sample connects to a Tor onion website to retrieve the URL of the C2.
Today, this website returns a base64 encoded string:
Decode it, and you get not 1 URL, but 3! That’s the first time I see that in BianLian, although the support for multiple domains has been there for a long time.
The last one does not resolve (yet). The first 2 currently go to the same IP address
188.8.131.52. The 3rd is down. It has registered 4 other domain names that we will probably see in the future: managerupgradecert[.]xyz, wayneconnectingservice[.]com, auw[.]swiftabout[.]co[.]uk and uayv.rotlain[.]com.
This C2 currently targets 438 mobile apps. 80% of those apps are mobile banking apps, 10% are for cryptocurrency, and the rest varies (mail applications, or just famous apps). The targeted countries are the usual ones for the BianLian family. I can just highlight that it targets some French banks (a recent addition first seen in May 2022), but does not target Austria, Australia or Singapore compared to other instances of BianLian.
There are no added functionality compared to prior BianLian samples I analyzed, but the code’s organization has been improved with the addition of 3 new classes:
- BatteryOptimizationHandler. Handles doze mode. This existed before, but code was scattered in various locations.
- DeviceSecurityHandler. Turns off Huawei and Samsung security centers.
- XiaomiAutostartHandler. Sets auto start for the malware in MiUI’s security center. I believe this is referring to those panels.