BianLian Android Dropper
BianLian is a newly identified modular Android dropper that has been used in several recent banking trojan campaigns.
As with most Android malware, BianLian is downloaded from the Google Play Store disguised as a number of seemingly legitimate applications. It can also be delivered as an Android Package (APK) file directly from malicious links.
The dropper/malware masquerades as simple applications that are always in demand, such as currency/rates calculators, device cleaners and even discounter apps.
Once installed, BianLian will contact a command and control server using the Firebase Cloud Messaging service before deploying the payload. Payloads appear to be stored as binaries within the BianLian application, meaning that a new BianLian version must be produced in order for a different payload to be delivered.
As well as providing a means for threat actors to install their malware on affected devices, BianLian is also able to:
- send and receive calls or SMS messages
- execute commands and scripts
- lock the user out of the device
- perform code injection or overlay attacks
Indicators of Compromise
SHA256 File Hashes

Duncan is a technology professional with over 20 years' experience of working in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.