{
	"id": "5ace0547-9bd8-421b-aada-1af7096f540b",
	"created_at": "2026-05-05T02:45:55.845374Z",
	"updated_at": "2026-05-05T02:46:37.000113Z",
	"deleted_at": null,
	"sha1_hash": "947aa985a4a16bc9b1103a4ac045e1439efcd75b",
	"title": "BianLian - from rags to riches, the malware dropper that had a dream",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46587,
	"plain_text": "BianLian - from rags to riches, the malware dropper that had a\r\ndream\r\nPublished: 2024-10-01 · Archived: 2026-05-05 02:19:37 UTC\r\nIntro\r\nRecently, while analyzing our daily portion of APK files, searching for the new banking related threats, we found\r\na sample that was standing out among the others. While being seemingly benign, the sample was downloading and\r\ninstalling the infamous Anubis malware, which is responsible for financial losses of thousands of Android users\r\naround the globe, targeting more than 300 different apps.\r\nThe thorough investigation of this sample led us to uncover yet another malware dropper campaign on the Google\r\nPlay store - the main source of the applications for the vast majority of the Android users. The actors have\r\nmanaged to bypass the Play store protections on a regular basis, the first sample that we were able to attribute to\r\nthis campaign was built and uploaded to the store in the July 2018 and most recent one – on October 16th, so the\r\ncampaign is active for at least 3 months now:\r\nAs visible in the following chart, several different droppers were built through time, on quite a regular basis:\r\nOverlay targets\r\nThe injects are stored in the encrypted ZIP file in the assets folder and cannot be dynamically changed. 
Below is the list of package names of the apps targeted by BianLian:\r\nPackage name App name\r\ncom.binance.dev Binance - Cryptocurrency Exchange\r\ncom.akbank.android.apps.akbank_direkt Akbank Direkt\r\ncom.akbank.android.apps.akbank_direkt_tablet_20 Akbank Direkt\r\ncom.btcturk BtcTurk Bitcoin Borsası\r\ncom.finansbank.mobile.cepsube QNB Finansbank Cep Şubesi\r\ncom.garanti.cepsubesi Garanti Mobile Banking\r\ncom.garanti.cepsubesi_20 Garanti Mobile Banking\r\ncom.htsu.hsbcpersonalbanking HSBC Mobile Banking\r\ncom.ingbanktr.ingmobil ING Mobil\r\ncom.kuveytturk.mobil Mobil Şube\r\ncom.magiclick.odeabank Odeabank\r\ncom.pozitron.albarakaturk Albaraka Mobil Şube\r\ncom.pozitron.vakifbank VakıfBank Cep Şifre\r\ncom.pozitron.iscep İşCep\r\ncom.teb CEPTETEB\r\ncom.tmob.denizbank MobilDeniz\r\ncom.tmob.tabletd\u003e MobilDeniz Tablet\r\ncom.vakifbank.mobile VakıfBank Mobil Bankacılık\r\ncom.ykb.android Yapı Kredi Mobile\r\ncom.ykb.androidtablet Yapı Kredi Mobil Şube\r\nfinansbank.enpara Enpara.com Cep Şubesi\r\ntr.com.sekerbilisim.mbank ŞEKER MOBİL ŞUBE\r\ncom.ziraat.ziraatmobil Ziraat Mobil\r\ncom.tmobtech.halkbank Halkbank Mobil\r\nConclusion\r\nThis story of a new malware's evolution shows that malware authors are always eager to explore new ways to maximize their profits. After establishing a way to regularly upload droppers to the Play Store, it was a reasonable move for the malware author to work on adding new features to the Trojan while still providing a dropper service to the Anubis actors. 
We have seen only one version of the dropper with the new modules enabled, and there is a newer variant with the modules disabled, so we assume that the actor behind it is still testing his setup.\r\nWe can imagine three possible ways for this story to develop: 1) The dropper authors still see an important source of revenue in dropping the Anubis malware and will have both malware families running side by side on the infected devices. 2) There is no honor among thieves: the dropper author decides to pursue his own career in banking malware and therefore stops dropping the Anubis malware, which we believe to be the most realistic option. 3) The actor was just renting the Anubis Trojan while building his own malware, and once that is done he will stop using the rented Anubis.\r\nOnly time will tell which path the actors will take.\r\nMobile Threat Intelligence\r\nOur threat intelligence solution, MTI, provides the context and in-depth knowledge of past and present malware-powered threats needed to understand the future of the threat landscape. Such intelligence includes both a strategic overview of trends and the operational indicators to discern early signals of upcoming threats and build a future-proof security strategy.\r\nClient Side Detection\r\nOur online fraud detection solution, CSD, presents financial institutions with a real-time overview of the risk status of their online channels and related devices. This overview provides all the relevant information and context to act upon threats before they turn into fraud. Connectivity with existing risk or fraud engines allows for automated and orchestrated, round-the-clock fraud mitigation.\r\nIOC\r\nCanlı Döviz Takip \u0026 Çevir (com.ganatolii.android.apps) b2398fea148fbcab0beb8072abf47114f7dbbccd589f88ace6e33e293\r\nSpecial thanks\r\nA special thanks to the AVAST team and their APKLAB platform, which allowed us to search for additional samples.\r\nSource: https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.threatfabric.com/blogs/bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html"
	],
	"report_names": [
		"bianlian_from_rags_to_riches_the_malware_dropper_that_had_a_dream.html"
	],
	"threat_actors": [],
	"ts_created_at": 1777949155,
	"ts_updated_at": 1777949197,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/947aa985a4a16bc9b1103a4ac045e1439efcd75b.pdf",
		"text": "https://archive.orkl.eu/947aa985a4a16bc9b1103a4ac045e1439efcd75b.txt",
		"img": "https://archive.orkl.eu/947aa985a4a16bc9b1103a4ac045e1439efcd75b.jpg"
	}
}