loader gif

New BianLian variant comes with screen recording and creating SSH server capabilities

New BianLian variant comes with screen recording and creating SSH server capabilities
  • BianLian Trojan will load both its old and new modules in order to abuse the Accessibility services on the infected Android device.
  • The trojan’s new modules include capabilities for recording device screen and creating an SSH server.

Researchers from FortiGuard Labs have spotted a new variant of BianLian banking trojan that includes two new modules designed to record the screens of infected Android devices and to create an SSH server.

What's different in the new variant?

This updated variant is distributed in the form of a heavily obfuscated APK that relies on generating a variety of random functions in order to hide the real functionalities of the trojan.

Researchers noted that the malicious application hides its icon and requests permission to abuse Accessibility services functionalities such as inspecting window contents, observing the card numbers and passwords entered into various other Android apps.

Once users grant permissions, the BianLian Trojan will load both its old and new modules in order to abuse the Accessibility services on the infected Android device.

Old modules

The banking trojan’s old modules include sending, receiving, and logging SMS messages, running USSD codes and making calls, executing overlay attacks on banking applications, and locking the screen.

New modules

New modules include capabilities for recording device screen, and creating an SSH server.

  • The screencast module allows the malware to record its victims’ device screens after unlocking the screen by creating a virtual display using the android.media.projection.MediaProjection Android package.
  • The Socks5 component allows the malware to create a functioning SSH server on the infected device using JSCH (Java Secure Channel), a library that implements SSH2 in pure Java.

Using this SSH server, BianLian will tunnel its command and control (C2) communication channels using an SSH proxy that employs port forwarding on port 34500 to conceal the C2 traffic from detection.

Additional capability

This trojan also drops a malicious payload on the infected Android devices which enables it to check if ‘Google Play Protect is active through the Google SafetyNet API’.

“The added functionalities, even though not completely original, are effective and make this family a potentially dangerous one. Its code base and strategies put it on a par with the other big players in the banking malware space,” FortiGuard Labs researchers wrote.

loader gif