Quick look into a new sample of Android/BianLian


It is packed. Arg: my “JsonPacker” rule in APKiD doesn’t see it, I’ll have to fix that!

APKiD should have detected “JsonPacker”. It did not. That’s a bug, and it’s … my fault!
Static unpacking of the malware. Of course, you can unpack dynamically too if you prefer.

Getting the C2

This sample connects to a Tor onion website to retrieve the URL of the C2.

This first website is only there to distribute the URL of the C2


This C2 currently targets 438 mobile apps. 80% of those apps are mobile banking apps, 10% are for cryptocurrency, and the rest varies (mail applications, or just famous apps). The targeted countries are the usual ones for the BianLian family. I can just highlight that it targets some French banks (a recent addition first seen in May 2022), but does not target Austria, Australia or Singapore compared to other instances of BianLian.

Code “novelties”

There are no added functionality compared to prior BianLian samples I analyzed, but the code’s organization has been improved with the addition of 3 new classes:

  • BatteryOptimizationHandler. Handles doze mode. This existed before, but code was scattered in various locations.
  • DeviceSecurityHandler. Turns off Huawei and Samsung security centers.
  • XiaomiAutostartHandler. Sets auto start for the malware in MiUI’s security center. I believe this is referring to those panels.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store



Mobile and IoT malware researcher. The postings on this account are solely my own opinion and do not represent my employer.