{
	"id": "b9231cab-c1d2-41b1-9b9e-03c01259b4ad",
	"created_at": "2026-04-06T00:17:17.682606Z",
	"updated_at": "2026-04-10T03:20:06.840796Z",
	"deleted_at": null,
	"sha1_hash": "8b641f6235c5773dbbdb49333ed826567030a832",
	"title": "Android/BianLian payload",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2855868,
	"plain_text": "Android/BianLian payload\r\nBy @cryptax\r\nPublished: 2022-01-17 · Archived: 2026-04-05 13:54:29 UTC\r\nIn the previous article, we discussed the packing mechanism of a Bian Lian sample, and how to unpack it. This\r\narticle reverse engineers the payload of the malware. It explains:\r\nThe malicious components the bot implements. Those components can be seen as independent modules,\r\nand they are launched at the beginning. Each of them does its job, handles the accessibility events that\r\nconcern it, and notifies or responds to the C\u0026C. The implementation is clearly organized to easily welcome\r\nfuture modules.\r\nThe communication between the C\u0026C and the bot. The bot understands and responds to several\r\ncommands. The commands are implemented in the relevant component. The communication protocol is\r\nfairly simple: over HTTP (not HTTPS), with a plaintext JSON object as data (no encryption).\r\nThe implementation of each major component.\r\nThree DEXes\r\nTo be precise, note that the Bian Lian sample we discuss uses three different DEXes:\r\n1. The main APK’s DEX — which is responsible for decrypting and loading via multidex the second DEX.\r\nAs a reminder, the APK’s sha256 is\r\n5b9049c392eaf83b12b98419f14ece1b00042592b003a17e4e6f0fb466281368\r\n2. The second DEX — which implements the malicious payload of the bot. This is what we discuss in this\r\narticle. Its sha256 is d0d704ace35b0190174c11efa3fef292e026391677ff9dc10d2783b4cfe7f961\r\n3. A third DEX. It is downloaded by the second DEX from the remote C\u0026C, but is not interesting for the\r\nanalysis of the malware because it only contains non-malicious utility functions. Its package name is\r\ncom.fbdev.payload.\r\nReverse engineering is loooong\r\nThis reverse engineering took me several days. Actually, between unpacking, reverse engineering and writing the\r\nblog, it approximately took me 2 weeks! 
I am not particularly proud of it, but I often get the question “whow,\r\nhow long did it take you?” and although I’d love to appear extremely skilled, the reality is that reverse engineering\r\nis a long process. It can be compared to puzzles or a plate of spaghetti: at first, you don’t know where to start, you\r\nfollow a path and often get lost in the middle and soon don’t exactly know what you were searching for 😄\r\nConsequently, I am sharing my JEB project (which contains all the functions I renamed, my comments etc.): you\r\ncan download it here.\r\nhttps://cryptax.medium.com/android-bianlian-payload-61febabed00a\r\nPage 1 of 16\r\nAlso, the article ends with a few remaining questions on the reverse engineering of the sample. You are welcome\r\nto interact if you have an idea.\r\nNow, let’s start!\r\nOverview of malicious components\r\nThis malware is a bot, which reports to and receives commands from a remote server (C\u0026C). It implements several\r\nmalicious components:\r\nBulk SMS. The attacker specifies the body of an SMS to send, and it is sent to all contacts of the victim’s\r\nsmartphone.\r\nInject. The attacker provides an image to download from the web and inject (overlay) on a given list of\r\napps.\r\nInstall Apps. The attacker specifies a list of applications to install on the phone.\r\nLocker. This disables the ringer, and displays a text taken randomly from a pool of possible messages.\r\nNotification Disabler. Disables notifications of given applications.\r\nPIN code. Steals the lock PIN code for some phone brands. The sample we analyze supports Samsung and\r\nHuawei.\r\nSMS. This is to send specific SMS messages. The attacker specifies the body and phone number to send to.\r\nScreencast. Takes screenshots of given applications.\r\nSound switch. Turns the ringer on or off.\r\nTeam viewer. The Team Viewer app is a well-known non-malicious app to access your smartphone from\r\nany other computer. 
Here, the attacker uses it to access the victim’s smartphone remotely.\r\nUSSD. The attacker specifies the premium phone number to call. For the victim, this may result in extra\r\ncost, depending on his/her subscription.\r\nCommunication with the C\u0026C\r\nThe URL to the remote C\u0026C is found encrypted in the shared preferences file pref_name_setting.xml. The\r\nalgorithm is a slightly modified XOR with a hard-coded key derived from the string\r\nsorry!need8money[for`food.\r\nDecrypting the preferences entry “admin_panel_url_”\r\nThe XOR key is composed of the characters !8[`. For example\r\n“IL/p:/trI]:cNT7iDJhQ53iNV]9sHL\u003e” decrypts to hxxp://rheacollier31532.website\r\nThe remote attacker and the bot exchange a JSON string, where JSON keys specify actions (or responses) to\r\nconduct.\r\nList of commands understood by the BianLian bot. The commands are keys within a JSON object,\r\nand values specify command arguments. The JSON object is sent to or received from the C\u0026C.\r\nList of Bian Lian bot responses to commands.\r\nMalicious injections\r\nThe bot implements an injection module which overlays attacker-chosen images on top of target applications.\r\nFirst, the bot reports its activity to the C\u0026C. 
The attacker answers back to the bot with a list of applications it is\r\ninterested in injecting into (see “stockInjects” key):\r\nIn this case, the C\u0026C was interested in many Turkish mobile bank apps.\r\nThe bot searches which of these apps are installed on the victim’s phone and reports the information back to the\r\nC\u0026C (see “app_list” key).\r\nFor example, in this case, the bot notifies the C\u0026C that 3 interesting mobile apps are installed.\r\nWhen an app among this list is launched, the bot requests an HTML page to overlay from the C\u0026C.\r\nIn this network capture, the bot requests an HTML page to display above the bank’s application.\r\nFrom the victim’s point of view, everything happens fast and it is not easy to detect that something fishy is happening: the\r\nvictim opens his/her mobile banking app. S/he will perhaps notice a quick screen flickering: this occurs when the\r\nbot has downloaded the attacker’s HTML and overlays it on top of the real app. See below an example of overlay.\r\nBeware the malicious overlay! This screenshot was taken on an infected Android emulator. If we are\r\ncautious, we can spot the trick here because the overlay is not perfect: the real app is running behind\r\n(we see the real logo at the top) and the malicious page is overlaid in front. 
This is actually not an\r\nimage but an entire HTML page, with hard-coded embedded logo images, layout and JavaScript.\r\nThe card number, expiration date \u0026 CVV are sent back to the C\u0026C.\r\nTeam Viewer component\r\nThe bot supports the “teamViewerOptions” command, which triggers the Team Viewer app to remotely access and\r\ncontrol the victim’s smartphone. The C\u0026C sends a username and password, and the bot (1) launches the Team\r\nViewer app (if necessary), (2) accepts the EULA displayed by KLMS Agent on Samsung devices (security\r\nframework), (3) enters username and password in Team Viewer and (4) finally connects to the remote end.\r\nThis functionality heavily relies on using (abusing) the Accessibility Service.\r\nDecompiled code of the malware’s Team Viewer component. The Accessibility Service is used to see\r\nwhich node/view is currently displayed, locate the relevant button and automatically click on it.\r\nTeam Viewer is configured by automatically entering the username/password inside the\r\nright text views of the application.\r\nTo abuse Accessibility Services, the malware requests initial permissions. Yes, in theory, an end-user should not click “OK” on such a request, but let’s be honest, there are many pop-ups on a\r\nsmartphone \u0026 it’s not always clear to the end-user what they are authorizing. That’s how we end up\r\nwith an infected smartphone…\r\nDisabling notifications\r\nThe C\u0026C sends a command “disabledPackages” with a list of package names to disable notifications for. 
The bot\r\nprocesses those packages one by one, launches the notification settings panel and uses the Accessibility Service\r\nAPI to ensure the notification switch for the app is turned off.\r\nThis is the part of the bot’s code that disables notifications for an app. The bot opens the notification\r\nsettings for a given app. At this point, the method above gets called. It checks whether the\r\nnotification switch is already checked or not. If checked, it unchecks it. If not checked, it leaves it\r\nunchecked and continues to the next app.\r\nScreencast component\r\nThe C\u0026C may also send a “showScreen” command, which is implemented by the Screencast component of the bot.\r\nFirst of all, if the device is locked, the bot broadcasts a swipe action to unlock.\r\nIntent intent = new Intent(InjAccessibilityService.broadcast_swipe_unlock); // \"broadcast_swipe_to_u\r\nintent.putExtra(\"task\", 669);\r\nContext.this.sendBroadcast(intent);\r\nThen, it starts an activity that initiates screen capture.\r\nif(!this.active \u0026\u0026 this.mediaprojectmgr != null) { activity.startActivityForResult(this.mediaprojec\r\nThis should normally prompt the end user to accept screen capture: the bot handles this and automatically\r\naccepts it on the user’s behalf.\r\nWhen a screen capture is requested, the system normally displays a system UI pop-up asking for\r\nconfirmation. 
The code above checks that this is the confirmation pop-up, that it requests screen capture\r\nfor the Video Player (the sample poses as a Video Player app) and automatically confirms \u0026\r\nremembers the choice.\r\nWhen a screenshot is ready, it is sent to the C\u0026C in base64 format.\r\nEncode bitmap in Base64 and send it to the C\u0026C. If the upload fails, stop the screencast service.\r\nUnless an error occurs, a new screenshot will be taken in a second. This can get pretty intensive and slow down\r\nthe phone, which probably explains why the bot displays a fake notification saying the phone is currently updating\r\nGoogle Play!\r\nthis.startForeground(0x74A, new Notification.Builder(this.getApplicationContext()).setContentTitle(\"G\r\nLocker component\r\nWhen the bot receives the “locked” command with a flag set to True, it sets the ringer to silent mode and displays\r\nan activity meant to have the victim believe a recovery is in progress. The displayed messages are initially the\r\nfollowing:\r\nAndroid system corrupted files recovery \u003c3e\u003e\r\nKernel version 2.1.0.3\r\nDO NOT TURN THE SYSTEM OFF\r\nThe mechanism to lock the device is simple: the message is displayed full screen, without navigation buttons, and\r\nthe bot prevents any window focus change. 
This results in the user being locked on the given screen.\r\nprivate void fullScreen() {\r\n this.getWindow().getDecorView().setSystemUiVisibility(0xF06); // SYSTEM_UI_FLAG_FULLSCREEN=4 | SYST\r\n}\r\npublic void onWindowFocusChanged(boolean arg5) {\r\n super.onWindowFocusChanged(arg5);\r\n if(arg5) {\r\n this.fullScreen();\r\n }\r\n}\r\nWhen the C\u0026C sends a “locked” command with the flag set to False, the bot simply kills the locking activity and the\r\nvictim may resume his/her usage of the phone.\r\nPIN code component\r\nWhen the bot receives an “action_request_pin” command, it tries to steal the victim’s PIN. Depending on the\r\ndevice, it asks the victim to set a new password and steals it by monitoring the Accessibility API, or it steals the\r\ncurrent PIN by overlaying a fake PIN code request window.\r\nIf the C\u0026C provides an “approvedPin” command, the bot will additionally try to modify the current PIN with the\r\nnew value selected by the C\u0026C.\r\nTask of the PIN code component\r\nInstall component\r\nThe C\u0026C may send a list of apps to install via the command “apks”. The applications are downloaded from a URL\r\nspecified in the command. The installation is performed by abusing the Accessibility API. The code is quite\r\nlengthy because there are many cases: check that the event occurs in the system installer; if the installer shows\r\nan alert dialog, automatically click to install; if the system is requesting permission to install from an external\r\nsource, authorize it; etc.\r\nAutomatically authorizing install of APKs from external sources\r\nThe same component also deals with removal of applications. The command names are misleading: “remove_all”\r\nuninstalls only Team Viewer, and “remove_by_id” removes a specified app. 
If the package name is “bot”, then the\r\nbot removes itself. A self “cleaning” command!\r\nProcessing C\u0026C commands to delete applications\r\nSound component\r\nThe C\u0026C may turn the ringer on or off via the command “soundEnabled” followed by a boolean. Turning the ringer\r\non / off is performed simply by a call to setRingerMode.\r\nUSSD component\r\nThe bot may be instructed to call USSD (quick codes). For instance, we see it request *101#, which returns the\r\ncurrent subscription rate.\r\nCode calling a given phone number (USSD)\r\nSMS component\r\nThe bot has the capability to spy on incoming SMS and report the messages to the C\u0026C. This feature is quite\r\ncommon in malware, and is performed by reading the incoming PDU — as usual.\r\nThe bot can also be instructed to send SMS specified by the “sms” command. The SMS is sent using the common\r\nsendTextMessage API.\r\nthis.sendSms(command.get(\"id\").toString(), command.get(\"phone_number\").getString(), command.get(\"mess\r\nUnsure / Do you know why? Contact me!\r\nWhen prem_flag is set, the bot sends an SMS to notify that a new victim has “registered” to the botnet. The SMS is\r\nsent to phone number “0001”, which is strange because it should not correspond to anything. Unless there is a\r\ntrick with SMS filtering.\r\nCode in com.pmmynubv.nommztx.bot.components.h.k\r\nThe sound component implements a lengthy onAccessibilityEvent() method which handles events on settings,\r\npolicy and sound. 
I have not understood why this is necessary when setRingerMode does the job.\r\nCode in com.pmmynubv.nommztx.bot.components.g.a\r\nFinally, in the SMS component (com.pmmynubv.nommztx.bot.components.h.a), it is not clear why the bot also\r\nimplements sending SMS by abusing the SMS application and automatically clicking through the nodes — when\r\nsendTextMessage does the job in far fewer lines of code 😏\r\n— the Crypto Girl\r\nSource: https://cryptax.medium.com/android-bianlian-payload-61febabed00a",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cryptax.medium.com/android-bianlian-payload-61febabed00a"
	],
	"report_names": [
		"android-bianlian-payload-61febabed00a"
	],
	"threat_actors": [],
	"ts_created_at": 1775434637,
	"ts_updated_at": 1775791206,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b641f6235c5773dbbdb49333ed826567030a832.pdf",
		"text": "https://archive.orkl.eu/8b641f6235c5773dbbdb49333ed826567030a832.txt",
		"img": "https://archive.orkl.eu/8b641f6235c5773dbbdb49333ed826567030a832.jpg"
	}
}