Quick look into a new sample of Android/BianLian

Unpacking

APKiD should have detected “JsonPacker”. It did not. That’s a bug, and it’s … my fault!
Static unpacking of the malware. Of course, you can unpack dynamically too if you prefer.

Getting the C2

This first website only serves the addresses of the C2 servers: the base64 response below decodes to a JSON list of three domains.
eyJkb21haW5zIjpbImh0dHA6XC9cL3NlcnZzZXJ2ZnJlZXVwZGF0ZS50b3AiLCJodHRwOlwvXC93YXluZWNvbm5lY3RpbmdzZXJ2aWNlLmhrIiwiaHR0cDpcL1wvYWxsdXBkYXRlc2VjdXJldHlub3cuY29tIl19
{"domains":["http:\/\/servservfreeupdate.top","http:\/\/wayneconnectingservice.hk","http:\/\/allupdatesecuretynow.com"]}
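As an added example (not code from the post or from the malware), here is a small extractor for that first-stage response: it base64-decodes the blob, parses the JSON, checks that what comes out really is a list of http(s) URLs, and returns the C2 URLs and hostnames. The tolerance for whitespace, stripped padding and the URL-safe alphabet is an assumption on my side, since the post does not say how the blob is transported; the malformed `BAD_BLOB` is constructed for the example.

```python
import base64
import binascii
import json
from urllib.parse import urlsplit

# The base64 payload served by the first-stage website, as quoted in the post.
SAMPLE_BLOB = (
    "eyJkb21haW5zIjpbImh0dHA6XC9cL3NlcnZzZXJ2ZnJlZXVwZGF0ZS50b3AiLCJodHRwOlwvXC93"
    "YXluZWNvbm5lY3RpbmdzZXJ2aWNlLmhrIiwiaHR0cDpcL1wvYWxsdXBkYXRlc2VjdXJldHlub3cuY29tIl19"
)

# Constructed for this example (not from the sample): a malformed config,
# to show that the extractor refuses it instead of returning garbage.
BAD_BLOB = base64.b64encode(b'{"domains":"not-a-list"}').decode("ascii")


def decode_c2_config(blob: str) -> object:
    """Decode the base64-wrapped JSON handed out by the first-stage site.

    Tolerates surrounding whitespace, stripped '=' padding and the URL-safe
    alphabet (an assumption: the post does not say how the blob travels).
    """
    cleaned = "".join(blob.split())
    cleaned += "=" * (-len(cleaned) % 4)
    try:
        raw = base64.b64decode(cleaned, validate=True)
    except binascii.Error:
        raw = base64.urlsafe_b64decode(cleaned)
    # json.loads turns the escaped "\/" of the raw payload back into "/".
    return json.loads(raw.decode("utf-8"))


def config_problems(cfg: object) -> list[str]:
    """Return the reasons a decoded config is not what we expect (empty if fine)."""
    problems = []
    if not isinstance(cfg, dict):
        return ["config is not a JSON object"]
    domains = cfg.get("domains")
    if not isinstance(domains, list):
        return ['"domains" is not a list']
    for entry in domains:
        parts = urlsplit(entry) if isinstance(entry, str) else None
        if parts is None or parts.scheme not in ("http", "https") or not parts.netloc:
            problems.append(f"unexpected C2 entry: {entry!r}")
    return problems


def extract_c2_urls(blob: str) -> list[str]:
    """Base64 blob -> list of C2 URLs, raising ValueError on anything odd."""
    cfg = decode_c2_config(blob)
    problems = config_problems(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return list(cfg["domains"])


def c2_hostnames(blob: str) -> list[str]:
    """Hostnames only, which is what goes into blocklists and pivots."""
    return [urlsplit(url).hostname for url in extract_c2_urls(blob)]


if __name__ == "__main__":
    for url in extract_c2_urls(SAMPLE_BLOB):
        print(url)
```

One practical caveat: the raw JSON carries the URLs as `http:\/\/...`, and only after `json.loads` do they read `http://...`. A grep or YARA string for `http://` over the decoded-but-unparsed payload will therefore miss them; match on the escaped form or parse first. Escaping the slash is what PHP's `json_encode` does by default (other encoders can do it too), so it is a weak hint about the server side, not proof.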

Targets

Code “novelties”

  • BatteryOptimizationHandler. Handles doze mode. This existed before, but code was scattered in various locations.
  • DeviceSecurityHandler. Turns off Huawei and Samsung security centers.
  • XiaomiAutostartHandler. Sets auto start for the malware in MIUI’s security center. I believe this is referring to those panels.

Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.

@cryptax