Quick look into a new sample of Android/BianLian

It’s Xmas time?! New BianLian samples to analyze thanks to @ni_fi_70 1 hour ago. Is that fresh enough? 😉

Let’s look into doc_hy_0906_obf.apk, with SHA256: 99e0053475ecd6a22b0e22b2441f0bf0a407b36be54e7d8220bb284c0bd494a8.

Unpacking

It is packed. Arg: my “JsonPacker” rule in APKiD doesn’t see it, I’ll have to fix that!

APKiD should have detected “JsonPacker”. It did not. That’s a bug, and it’s … my fault!

Fortunately, students of mine wrote an unpacker that worked fine. Nice!

Static unpacking of the malware. Of course, you can unpack dynamically too if you prefer.

Getting the C2

This sample connects to a Tor onion website to retrieve the URL of the C2.

This first website is only there to distribute the URL of the C2

Today, this website returns a base64 encoded string:

eyJkb21haW5zIjpbImh0dHA6XC9cL3NlcnZzZXJ2ZnJlZXVwZGF0ZS50b3AiLCJodHRwOlwvXC93YXluZWNvbm5lY3RpbmdzZXJ2aWNlLmhrIiwiaHR0cDpcL1wvYWxsdXBkYXRlc2VjdXJldHlub3cuY29tIl19

Decode it, and you get not 1 URL, but 3! That’s the first time I see that in BianLian, although the support for multiple domains has been there for a long time.

{"domains":["http:\/\/servservfreeupdate.top","http:\/\/wayneconnectingservice.hk","http:\/\/allupdatesecuretynow.com"]}

The last one does not resolve (yet). The first 2 currently go to the same IP address 185.117.90.233. The 3rd is down. It has registered 4 other domain names that we will probably see in the future: managerupgradecert[.]xyz, wayneconnectingservice[.]com, auw[.]swiftabout[.]co[.]uk and uayv.rotlain[.]com.

Targets

This C2 currently targets 438 mobile apps. 80% of those apps are mobile banking apps, 10% are for cryptocurrency, and the rest varies (mail applications, or just famous apps). The targeted countries are the usual ones for the BianLian family. I can just highlight that it targets some French banks (a recent addition first seen in May 2022), but does not target Austria, Australia or Singapore compared to other instances of BianLian.

Code “novelties”

There are no added functionality compared to prior BianLian samples I analyzed, but the code’s organization has been improved with the addition of 3 new classes:

• BatteryOptimizationHandler. Handles doze mode. This existed before, but code was scattered in various locations.
• DeviceSecurityHandler. Turns off Huawei and Samsung security centers.
• XiaomiAutostartHandler. Sets auto start for the malware in MiUI’s security center. I believe this is referring to those panels.

— Cryptax