Published on July 4th, 2019

BianLian Android Banking Trojan Upgraded With Screen Recorder

The BianLian banking Trojan has been upgraded with two new modules designed to record the screens of infected Android devices and to create an SSH server for camouflaging its communication channels.

While BianLian was initially developed as a lowly dropper designed to be a transport conduit for more capable Android malware as observed by ThreatFabric's researchers during 2018, its developers eventually added several new modules that converted it into a banking Trojan.

The extra components allow the malware to send text messages, to run arbitrary USSD codes, to lock the screens of compromised devices, and to inject push notifications and perform overlay attacks that enable it to steal banking credentials.

FortiGuard Labs researchers have now discovered yet another BianLian sample that has been further upgraded by its masters, distributed in the form of a heavily obfuscated APK that relies "on generating a variety of random functions to hide the real functionalities of the sample."

[Figure: Requesting permissions]

However, the researchers were able to work through the large number of useless classes with randomly generated names, added to discourage malware analysts, and determined that the sample belongs to the aforementioned BianLian malware family.

After analyzing the sample's behavior, FortiGuard Labs found that the first thing the malicious "application does is hide its icon and constantly requests permission to abuse Accessibility services functionalities until granted."

After tricking its victims into granting it permission to inspect window contents and observe text such as card numbers and passwords typed into various Android apps, the BianLian Trojan loads its modules, ready to abuse the Accessibility services on the compromised device.

BianLian will load both older modules present in previous versions of the malware and newly added components designed to expand its capabilities.

Old modules:
• text: send, receive, and log SMS messages
• ussd: run USSD codes and make calls
• injects: run overlay attacks, mostly on banking applications
• locker: lock the screen, rendering the device unusable for a user

New modules:
• screencast: record device screen
• socks5: create SSH server

The new Socks5 component allows the banking Trojan to "create a functioning SSH server on the device using JSCH (Java Secure Channel), a library that implements SSH2 in pure Java."

With the help of this server, BianLian tunnels its command and control (C2) communication through an SSH proxy that uses port forwarding on port 34500 to conceal the C2 traffic from prying eyes.

The Screencast module enables the malware to record its victims' screens by creating a virtual display using the android.media.projection.MediaProjection Android package, with the recording being launched remotely after unlocking the device's screen.

[Figure: New BianLian modules]

BianLian will also drop a malicious payload on infected Android devices which allows it to check if "Google Play Protect is active through the Google SafetyNet API."
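The module list above maps onto a recognizable cluster of Android capabilities (SMS, calls, overlays, network access, plus a bound accessibility service). The following triage script is an added example, not code from the article or from FortiGuard Labs: it parses a decoded AndroidManifest.xml and flags that cluster. The permission names are real Android permissions, but the sample manifest is constructed, and which permissions BianLian actually declares is an assumption.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = "{%s}name" % ANDROID_NS
PERMISSION = "{%s}permission" % ANDROID_NS

# Capability buckets mirroring the module list in the article. Mapping a
# module to these permissions is an assumption for triage, not a BianLian IoC.
CAPABILITIES = {
    "sms": {"android.permission.SEND_SMS", "android.permission.RECEIVE_SMS",
            "android.permission.READ_SMS"},          # "text" module
    "calls_ussd": {"android.permission.CALL_PHONE"},  # "ussd" module
    "overlay": {"android.permission.SYSTEM_ALERT_WINDOW"},  # "injects" module
    "network": {"android.permission.INTERNET"},       # C2 / socks5 module
}
ACCESSIBILITY = "android.permission.BIND_ACCESSIBILITY_SERVICE"

def triage_manifest(manifest_xml: str) -> dict:
    """Return the capability cluster found in a decoded manifest and a verdict."""
    root = ET.fromstring(manifest_xml)
    declared = {p.get(NAME) for p in root.iter("uses-permission")}
    found = {cap for cap, perms in CAPABILITIES.items() if declared & perms}
    # An accessibility service is a <service> protected by BIND_ACCESSIBILITY_SERVICE;
    # that binding is what lets the malware read window contents and drive the UI.
    if any(s.get(PERMISSION) == ACCESSIBILITY for s in root.iter("service")):
        found.add("accessibility")
    if "accessibility" in found and "network" in found and {"sms", "overlay"} & found:
        verdict = "banking-trojan-like"   # accessibility + SMS/overlay + C2 channel
    elif "accessibility" in found:
        verdict = "review"                # accessibility alone has legitimate uses
    else:
        verdict = "low"
    return {"capabilities": found, "verdict": verdict}

# Constructed sample manifest (not taken from any real BianLian sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.SEND_SMS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.SYSTEM_ALERT_WINDOW"/>
  <application>
    <service android:name=".A11y" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```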

"The added functionalities, even though not completely original, are effective and make this family a potentially dangerous one. Its code base and strategies put it on a par with the other big players in the banking malware space," concludes the FortiGuard Labs team.

A full list of indicators of compromise (IOCs) including malware and payload hashes, C2 server domains, and a list of targeted banking apps is provided by the researchers at the end of their BianLian malware analysis.

[Figure: Number of mobile banking Trojan-powered attacks]

The number of Android users targeted by cybercriminals with banking malware saw an alarming 300% increase in 2018, with roughly 1.8 million of them impacted by at least one such attack during that year, as detailed by Kaspersky Lab in its "Financial Cyberthreats in 2018" report.

A subsequent mobile malware evolution report for 2018 also issued by Kaspersky Lab in March showed that while banking and dropper Trojans have seen a consistent increase in the number of unique samples detected, the Asacub and the Hqwar banking Trojans were the most prevalent.
