{
	"id": "65ba39b8-e4ab-495f-9193-3e065da403d6",
	"created_at": "2026-04-06T00:19:06.701598Z",
	"updated_at": "2026-04-10T13:11:34.351284Z",
	"deleted_at": null,
	"sha1_hash": "45ddb86e60b5869c42b8358f27838b51a7f1f017",
	"title": "BianLian: A New Wave Emerges",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 713947,
	"plain_text": "BianLian: A New Wave Emerges\r\nBy Dario Durando\r\nPublished: 2019-07-03 · Archived: 2026-04-05 23:51:07 UTC\r\nFortiGuard Labs Breaking Threat Research\r\nRecently, during our daily malware analysis routine, members of the FortiGuard Labs team encountered an Android sample that did not look familiar.\r\nAnalysis\r\nAt first look it was clear that the APK was heavily obfuscated, and possibly packed using a technique we had not seen before. This is not to say that the technique is extremely complicated: it mostly relies on generating a large number of random functions to hide the real functionality of the sample.\r\nDuring our initial examination we also spotted some interesting code among the junk functions being generated, so we ran the sample through FortiGuard’s in-house APK sandbox to gather more information from both its static and dynamic analysis.\r\nSandbox Results\r\nThe sandbox results helped us understand the sample. First, the Dex operations section, where dynamically loaded files are logged, contains two entries. The first is the loading of the main application itself; the second refers to a file conveniently called “payload.apk”, which means that the sample will likely install an additional application during execution. However, most of the interesting calls, such as information exfiltration and connection initiation, are executed from the code of the first application.\r\nWith this information in hand, and being familiar with recent malware families, we had a hunch as to what malware this could be. However, first things first: we needed to get rid of its very annoying obfuscation.\r\nObfuscation Analysis\r\nThe code base is very messy, as it is mostly comprised of randomly generated garbage. 
Fortunately, most of the classes are junk with no real functionality at all, and although the sheer number of classes can seem discouraging when first analyzing the application, the template for these junk classes is very predictable.\r\nEvery junk class sports a name composed of random lowercase and uppercase characters.\r\nhttps://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html\r\nPage 1 of 8\r\nFigure 1: Randomly generated useless class\r\nIn addition, there is a clear difference between the useless classes and the ones that contain code that is actually used: conveniently, all of the interesting classes keep their original names. However, to complicate things further, every legitimate function or package appears to be accompanied by 7 functions or packages performing useless calculations.\r\nMost of the strings in the code are produced by functions implementing an XOR decryption of byte arrays, a simple but relatively effective solution. Every string corresponds to a specific function that accepts no arguments and returns a `String` object.\r\nThe screenshots in the analysis section below show the de-obfuscated version of the code. We will not go through the process of obtaining it in this report, because it is tedious and straightforward: it simply requires eliminating the many unnecessary functions and executing the ones that yield the required strings.\r\nAt this point we want to give a big shout-out to Max 'Libra' Kersten and his AndroidProjectCreator for making this de-obfuscation process less painful than we anticipated. 
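As an added example (not code from the post, and not part of AndroidProjectCreator), the following Python script shows the static counterpart to the string recovery described above: it undoes the byte-array XOR of one string-returning helper when the key is visible in the decompiled method, brute-forces a single-byte key when it is not, and flags junk classes by the random case flips in their names. The helper method names, class names, the 0x5A key, the minimum name length and the 0.4 flip threshold are all constructed for the demonstration; the post does not state how the real helpers derive their keys, so a one-byte key is an assumption.

```python
import string

# Characters we expect in a recovered string (class/package names, URLs,
# English words); used only to score candidate keys.
_PLAUSIBLE = set(string.ascii_letters + string.digits + "._-/:@ ")
_VOWELS = set("aeiouAEIOU")


def xor_decode(blob: bytes, key: bytes) -> str:
    """Undo the byte-array XOR of one string-returning helper.
    The key may be one byte or a repeating multi-byte key; the post only says
    'XOR decryption of byte arrays', so the key layout is an assumption."""
    plain = bytes(b ^ key[i % len(key)] for i, b in enumerate(blob))
    return plain.decode("utf-8", errors="replace")


def recover_single_byte_key(blob: bytes) -> int:
    """Brute-force a one-byte key, keeping the candidate whose output looks
    most like identifier or URL text. Ties are broken by vowel count, which
    separates real words from near-miss keys on short strings.
    Goes beyond the post: it recovers the string without tracing how the
    helper computes its key, and assumes that key is a single byte."""
    best_key, best_score = 0, (-1, -1)
    for key in range(256):
        decoded = bytes(b ^ key for b in blob)
        score = (sum(chr(b) in _PLAUSIBLE for b in decoded),
                 sum(chr(b) in _VOWELS for b in decoded))
        if score > best_score:
            best_key, best_score = key, score
    return best_key


def is_junk_class(name: str) -> bool:
    """Heuristic for the junk classes described above: their names are runs of
    random upper- and lower-case letters, so the case flips at almost every
    character, whereas real classes keep CamelCase names with few flips.
    The minimum length and the 0.4 threshold are assumptions, not from the post."""
    simple = name.rsplit(".", 1)[-1]
    if len(simple) < 5 or not simple.isalpha():
        return False
    flips = sum(a.islower() != b.islower() for a, b in zip(simple, simple[1:]))
    return flips / (len(simple) - 1) > 0.4


# Constructed sample input, not taken from the BianLian APK: two strings the
# post mentions, encoded with a made-up one-byte key the way the helpers would
# store them, keyed by made-up helper method names.
def _encode(text: str, key: bytes) -> bytes:
    return bytes(c ^ key[i % len(key)] for i, c in enumerate(text.encode()))


SAMPLE_KEY = bytes([0x5A])
SAMPLE_BLOBS = {
    "a7f": _encode("android.media.projection.MediaProjection", SAMPLE_KEY),
    "b3c": _encode("payload.apk", SAMPLE_KEY),
}

# Constructed class list: two random-case junk names, two real-looking ones.
SAMPLE_CLASSES = [
    "aBcDeFgHiJ",
    "qWErTyuIop",
    "com.example.MainActivity",
    "android.media.projection.MediaProjection",
]


def decode_all(blobs=SAMPLE_BLOBS) -> dict:
    """Recover every string without knowing the key in advance."""
    return {name: xor_decode(blob, bytes([recover_single_byte_key(blob)]))
            for name, blob in blobs.items()}


def triage_classes(names=SAMPLE_CLASSES) -> dict:
    """Split a class list into junk and candidates worth reading."""
    return {"junk": [n for n in names if is_junk_class(n)],
            "keep": [n for n in names if not is_junk_class(n)]}


if __name__ == "__main__":
    for method, text in decode_all().items():
        print(f"{method}() -> {text!r}")
    print(triage_classes())
```

Run it as a script to print the recovered strings and the triage split; on a real dump, feed it the byte-array literals pulled from the string-returning methods. Short strings are ambiguous under a single-byte brute force (a near-miss key can also produce all-printable output), which is why the tie-break on vowel count exists and why the key should be taken from the code whenever it is within reach.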
If you have not heard about AndroidProjectCreator, go and check it out.\r\nMalware Analysis\r\nAs identified in the title of this blog post, this obfuscated sample belongs to the BianLian malware family, first discussed by ThreatFabric in 2018.\r\nBianLian started as a dropper for other malware, but its developers quickly began to implement their own malicious code, which primarily targets Turkish banking applications.\r\nIn true Android malware fashion, the first thing the application does is hide its icon and repeatedly request the Accessibility service permission it abuses, until the user grants it.\r\nFigure 2: Permission requests\r\nOnce this is obtained, it initiates all of its modules. Compared to the 2018 version, the authors behind this update have added some new functionality. In addition to extensively abusing Accessibility services, it includes the following modules. This list includes modules from the older wave of BianLian as well as those added in this new version:\r\ntext: Module used to send, receive, and log SMS messages\r\nussd: Module used to run USSD codes and make calls\r\ninjects: Module used to run overlay attacks, mostly on banking applications\r\nlocker: Module used to lock the screen, rendering the device unusable for the user\r\nIn addition to these modules, this BianLian sample also includes the following two, which we describe in more detail below:\r\nscreencast\r\nsocks5\r\nScreencast Module\r\nThe Screencast Module allows the malware to record the screen of the device. 
It uses the Android class android.media.projection.MediaProjection to create a virtual display that mirrors the screen.\r\nIt first checks whether the screen is locked. If it is, it releases the lock and then starts recording. As with the other functionality, recording is started remotely through FCM (Firebase Cloud Messaging).\r\nFigure 3: Screencast Module\r\nSocks5 Module\r\nThis module uses JSch (Java Secure Channel), a library that implements an SSH2 client in pure Java, to open an SSH connection from the device. Over that connection BianLian sets up a proxy that is reached through SSH remote port forwarding on port 34500, an implementation similar to 2017’s MilkyDoor malware, making communication with the C&C harder to detect.\r\nFigure 4: Socks5 Module\r\nDropped Files\r\nBianLian started its career as a dropper, so it is not surprising to find a payload in this sample. In older versions of BianLian this payload was decrypted from the assets of the APK, while in this case it is downloaded from the C&C.\r\nThe dropped APK is far less interesting and is not malware by itself. Its code base is very limited and performs only one function: it checks whether Google Play Protect is active through the Google SafetyNet API. This code is loaded and used by the main application through Java reflection.\r\nFigure 5: Payload.apk execution\r\nIt is worth re-emphasizing that this payload is not a different malware, but rather a tool used by BianLian.\r\nConclusion\r\nBianLian appears to still be under active development. The added functionality, even though not completely original, is effective and makes this family a potentially dangerous one. 
Its code base and strategies put it on a par with the other big players in the banking malware space.\r\nIn addition, its new obfuscation technique, even though not very complicated, is still capable of defeating string-based detection, and would be very hard to detect with static analysis alone when encountered for the first time.\r\nWhile looking around for similar malware, we also encountered some Anubis samples using this same obfuscation algorithm. This suggests that the author of this obfuscator is either selling it on hacking forums, or obtained the source code of both malware families.\r\nFortiGuard Labs has been following this family since it was first detected, and will continue to keep on the lookout for new threats.\r\n-= FortiGuard Lion =-\r\nSolutions\r\nFortinet customers are protected by the following signatures:\r\nThe BianLian sample analyzed is detected as Android/Agent.AMJ!tr\r\nThe Anubis sample mentioned is detected as Android/Agent.JA!tr\r\nIOC\r\nBianLian (SHA256): ac32dc236fea345d135bf1ff973900482cdfce489054760601170ef7feec458f\r\nPayload (SHA256): 75e162dc291e15d13b0f3202a66e0c88ff2db09ec02922ee64818dbddcb78d6d\r\nAnubis (SHA256): a99eb900d03aa1dd70d7712da7c42cc37ee2f2e21d763acd6ddf71a4027ed504\r\nC&C servers:\r\nhxxps://tombaba[.]club\r\nhxxps://tomcatdomains[.]page[.]link\r\nBanking applications targeted (package names):\r\ncom.akbank.android.apps.akbank_direkt\r\ncom.albarakaapp\r\ncom.binance.dev\r\ncom.btcturk\r\ncom.denizbank.mobildeniz\r\ncom.finansbank.mobile.cepsube\r\ncom.garanti.cepsubesi\r\ncom.ingbanktr.ingmobil\r\ncom.kuveytturk.mobil\r\ncom.magiclick.odeabank\r\ncom.mobillium.papara\r\ncom.pozitron.iscep\r\ncom.teb\r\ncom.thanksmister.bitcoin.localtrader\r\ncom.tmobtech.halkbank\r\ncom.vakifbank.mobile\r\ncom.ykb.android\r\ncom.ziraat.ziraatmobil\r\nfinansbank.enpara\r\ntr.com.hsbc.hsbcturkey\r\ntr.com.sekerbilisim.mbank\r\nSource: https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-wave-bianlian-malware.html"
	],
	"report_names": [
		"new-wave-bianlian-malware.html"
	],
	"threat_actors": [],
	"ts_created_at": 1775434746,
	"ts_updated_at": 1775826694,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45ddb86e60b5869c42b8358f27838b51a7f1f017.pdf",
		"text": "https://archive.orkl.eu/45ddb86e60b5869c42b8358f27838b51a7f1f017.txt",
		"img": "https://archive.orkl.eu/45ddb86e60b5869c42b8358f27838b51a7f1f017.jpg"
	}
}