{
	"id": "bcaf5b9f-55f2-4749-9fef-0b16c2b6023a",
	"created_at": "2026-04-06T00:17:38.83496Z",
	"updated_at": "2026-04-10T03:21:24.65439Z",
	"deleted_at": null,
	"sha1_hash": "f4ab4ff3380718ae38ef9bc7b8feac20f1134e01",
	"title": "Quick look into a new sample of Android/BianLian",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 293644,
	"plain_text": "Quick look into a new sample of Android/BianLian\r\nBy @cryptax\r\nPublished: 2022-06-09 · Archived: 2026-04-05 20:14:35 UTC\r\nIt’s Xmas time?! New BianLian samples to analyze thanks to @ni_fi_70 1 hour ago. Is that fresh enough? 😉\r\nLet’s look into doc_hy_0906_obf.apk, with SHA256:\r\n99e0053475ecd6a22b0e22b2441f0bf0a407b36be54e7d8220bb284c0bd494a8.\r\nUnpacking\r\nIt is packed. Arg: my “JsonPacker” rule in APKiD doesn’t see it, I’ll have to fix that!\r\nAPKiD should have detected “JsonPacker”. It did not. That’s a bug, and it’s … my fault!\r\nFortunately, students of mine wrote an unpacker that worked fine. Nice!\r\nStatic unpacking of the malware. Of course, you can unpack dynamically too if you prefer.\r\nGetting the C2\r\nThis sample connects to a Tor onion website to retrieve the URL of the C2.\r\nhttps://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726\r\nPage 1 of 3\n\nThis first website is only there to distribute the URL of the C2.\r\nToday, this website returns a base64 encoded string:\r\neyJkb21haW5zIjpbImh0dHA6XC9cL3NlcnZzZXJ2ZnJlZXVwZGF0ZS50b3AiLCJodHRwOlwvXC93YXluZWNvbm5lY3RpbmdzZXJ2a\r\nDecode it, and you get not 1 URL, but 3! That’s the first time I see that in BianLian, although the support for multiple domains has been there for a long time.\r\n{\"domains\":[\"http:\\/\\/servservfreeupdate.top\",\"http:\\/\\/wayneconnectingservice.hk\",\"http:\\/\\/allupdat\r\nThe last one does not resolve (yet). The first 2 currently go to the same IP address 185.117.90.233. The 3rd is down.\r\nThe same IP address has 4 other domain names registered to it that we will probably see in the future: managerupgradecert[.]xyz, wayneconnectingservice[.]com, auw[.]swiftabout[.]co[.]uk and uayv.rotlain[.]com.\r\nTargets\r\nThis C2 currently targets 438 mobile apps. 80% of those apps are mobile banking apps, 10% are for cryptocurrency, and the rest varies (mail applications, or just famous apps). The targeted countries are the usual ones for the BianLian family. I can just highlight that it targets some French banks (a recent addition first seen in May 2022), but does not target Austria, Australia or Singapore compared to other instances of BianLian.\r\nCode “novelties”\r\nThere is no added functionality compared to prior BianLian samples I analyzed, but the code’s organization has been improved with the addition of 3 new classes:\r\nBatteryOptimizationHandler. Handles doze mode. This existed before, but code was scattered in various locations.\r\nDeviceSecurityHandler. Turns off Huawei and Samsung security centers.\r\nXiaomiAutostartHandler. Sets auto start for the malware in MiUI’s security center. I believe this is referring to those panels.\r\n— Cryptax\r\nSource: https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://cryptax.medium.com/quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726"
	],
	"report_names": [
		"quick-look-into-a-new-sample-of-android-bianlian-bc5619efa726"
	],
	"threat_actors": [],
	"ts_created_at": 1775434658,
	"ts_updated_at": 1775791284,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f4ab4ff3380718ae38ef9bc7b8feac20f1134e01.pdf",
		"text": "https://archive.orkl.eu/f4ab4ff3380718ae38ef9bc7b8feac20f1134e01.txt",
		"img": "https://archive.orkl.eu/f4ab4ff3380718ae38ef9bc7b8feac20f1134e01.jpg"
	}
}