# Quick look into a new sample of Android/BianLian **[cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726](https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726)** @cryptax June 9, 2022 [@cryptax](https://cryptax.medium.com/?source=post_page-----bc5619efa726--------------------------------) Jun 9 2 min read [It’s Xmas time?! New BianLian samples to analyze thanks to @ni_fi_70 1 hour ago. Is that](https://twitter.com/ni_fi_70/status/1534795034695979008?s=20&t=eWVtLz953U1YdKf4cwPHxw) fresh enough? 😉 Let’s look into `doc_hy_0906_obf.apk, with SHA256:` ``` 99e0053475ecd6a22b0e22b2441f0bf0a407b36be54e7d8220bb284c0bd494a8 . ## Unpacking ``` It is packed. Arg: my “JsonPacker” rule in APKiD doesn’t see it, I’ll have to fix that! APKiD should have detected “JsonPacker”. It did not. That’s a bug, and it’s … my fault! Fortunately, students of mine wrote an unpacker that worked fine. Nice! Static unpacking of the malware. Of course, you can unpack dynamically too if you prefer. ## Getting the C2 This sample connects to a Tor onion website to retrieve the URL of the C2. ----- This first website is only there to distribute the URL of the C2 Today, this website returns a base64 encoded string: ``` eyJkb21haW5zIjpbImh0dHA6XC9cL3NlcnZzZXJ2ZnJlZXVwZGF0ZS50b3AiLCJodHRwOlwvXC93YXluZWNvbm ``` Decode it, and you get not 1 URL, but 3! That’s the first time I see that in BianLian, although the support for multiple domains has been there for a long time. ``` {"domains": ["http:\/\/servservfreeupdate.top","http:\/\/wayneconnectingservice.hk","http:\/\/allu ``` The last one does not resolve (yet). The first 2 currently go to the same IP address ``` 185.117.90.233 . The 3rd is down. It has registered 4 other domain names that we will ``` [probably see in the future: managerupgradecert[.]xyz,](https://community.riskiq.com/search/managerupgradecert.xyz) [wayneconnectingservice[.]com,](https://community.riskiq.com/search/wayneconnectingservice.com) [auw[.]swiftabout[.]co[.]uk and](https://community.riskiq.com/search/2auw.swiftabout.co.uk) [uayv.rotlain[.]com.](https://community.riskiq.com/search/uayv.rotlain.com) ## Targets This C2 currently targets 438 mobile apps. 80% of those apps are mobile banking apps, 10% are for cryptocurrency, and the rest varies (mail applications, or just famous apps). The targeted countries are the usual ones for the BianLian family. I can just highlight that it targets some French banks (a recent addition first seen in May 2022), but does not target Austria, Australia or Singapore compared to other instances of BianLian. ## Code “novelties” There are no added functionality compared to prior BianLian samples I analyzed, but the code’s organization has been improved with the addition of 3 new classes: BatteryOptimizationHandler. Handles doze mode. This existed before, but code was scattered in various locations. DeviceSecurityHandler. Turns off Huawei and Samsung security centers. XiaomiAutostartHandler. Sets auto start for the malware in MiUI’s security center. I believe this is referring to . ----- — Cryptax -----