BianLian is a newly identified modular Android dropper that has been used in several recent banking trojan campaigns.
As with most Android malware, BianLian is downloaded from the Google Play Store disguised as a number of seemingly legitimate applications. It can also be delivered as an Android Package (APK) file directly from malicious links.
The dropper masquerades as simple applications that are always in demand, such as currency/rates calculators, device cleaners and even discount apps.
Once installed, BianLian will contact a command and control server using the Firebase Cloud Messaging service before deploying the payload. Payloads appear to be stored as binaries within the BianLian application, meaning that a new BianLian version must be produced in order for a different payload to be delivered.
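Because the payload is reported to ship as a binary inside the dropper's own APK, a defender triaging a suspect app can look for executable content stored where an ordinary app would not keep it. The script below is an added example written for this page, not code from the advisory or from any BianLian sample: it treats the APK as the zip archive it is, flags entries carrying DEX, ELF or nested ZIP/APK magic bytes outside the normal `classes*.dex` and `lib/` locations, and compares every entry's SHA256 against an IoC list. The sample APK it builds and the IoC hash it checks are constructed inline; the real hashes belong with the page's own indicators.

```python
"""Static triage of an APK for embedded second-stage payloads (added example).

Assumptions (not taken from the advisory): the payload is stored as a plain
file entry in the APK zip (e.g. under assets/ or res/raw/) and can be
recognised by magic bytes; packed or encrypted payloads will not match.
"""
import hashlib
import io
import re
import zipfile
from typing import Optional

# Magic bytes of file types a dropper could carry as a second-stage payload.
MAGIC = {
    b"dex\n": "DEX (Dalvik bytecode)",
    b"\x7fELF": "ELF (native binary)",
    b"PK\x03\x04": "ZIP container (APK/JAR)",
}

# Entries where executable code is expected in any APK. The same magic bytes
# anywhere else (assets/, res/raw/, ...) deserve a closer look.
EXPECTED_CODE = re.compile(r"^(classes\d*\.dex|lib/[^/]+/[^/]+\.so)$")


def sha256_hex(data: bytes) -> str:
    """Hex SHA256 of a byte string, the form IoC lists usually use."""
    return hashlib.sha256(data).hexdigest()


def classify(data: bytes) -> Optional[str]:
    """Return a label for recognised executable/container magic, else None."""
    for magic, label in MAGIC.items():
        if data.startswith(magic):
            return label
    return None


def scan_apk(apk_bytes: bytes, ioc_hashes=frozenset()) -> list:
    """Return one finding per suspicious entry: unexpected code or IoC match."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info.filename)
            digest = sha256_hex(data)
            kind = classify(data)
            reasons = []
            if digest in ioc_hashes:
                reasons.append("sha256 matches IoC list")
            if kind and not EXPECTED_CODE.match(info.filename):
                reasons.append(f"{kind} outside expected code locations")
            if reasons:
                findings.append({"name": info.filename, "sha256": digest,
                                 "kind": kind, "reasons": reasons})
    return findings


def build_sample_apk() -> bytes:
    """Constructed sample APK for a dry run; not a real malware sample."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        # Normal locations for code: root classes.dex and lib/<abi>/*.so.
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        zf.writestr("lib/arm64-v8a/libnative.so", b"\x7fELF" + b"\x00" * 16)
        # Benign data asset for a "rates calculator" cover app.
        zf.writestr("assets/rates.json", b'{"USD": 1.0}')
        # Constructed "payload": DEX magic hidden in an innocuous asset name.
        zf.writestr("assets/update.bin", b"dex\n035\x00" + b"payload")
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_apk(build_sample_apk()):
        print(f["name"], f["sha256"][:16], "; ".join(f["reasons"]))
```

Run against a real file with `scan_apk(open("sample.apk", "rb").read(), ioc_hashes=set_of_hashes)`; the IoC set is the place to load the page's SHA256 indicators. A hit on magic bytes alone is a lead for manual review, not a verdict, since legitimate apps occasionally bundle plugin DEX files in assets.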
As well as providing a means for threat actors to install their malware on affected devices, BianLian is also able to:
- send and receive calls or SMS messages
- execute commands and scripts
- lock the user out of the device
- perform code injection or overlay attacks
Indicators of Compromise
SHA256 File Hashes