Threat Management, Malware

BianLian banking trojan adds screen recorder to face off against Android users

Researchers have discovered a new version of the Android banking trojan BianLian that introduces the ability to record device screens and set of proxies.

Named after the Chinese art of "face-changing," BianLian first appeared as a dropper in October 2018. But it quickly evolved and adopted banking trojan functionality, including overlay attacks that trick users (especially Turkish banking customers) into thinking they are interacting with their preferred financial institutions, when they are actually giving away their credentials to malicious actors.

Now, the addition of a screen recording module adds an intriguing spyware wrinkle, according to
researchers at Fortinet's FortiGuard Labs, who uncovered the strain while undertaking their daily malware analysis. Indeed, in a July 3 company blog post, Fortinet analyst Dario Durando explained that this "Screencast Module" uses the Android package to create a virtual display for screencasting.

"It first checks if the [device] screen is locked. If it is, it releases the lock and then starts its recording," wrote Durando. The recording is started remotely, as with other functionalities, using FCM (Firebase Cloud Messaging)."

Another new module, the Socks5 Module, is designed to conceal malicious command-and-control communications by using the JSCH (Java Secure Channel) library to establish proxies capable of running SSH sessions via remote port forwarding on port 34500.

Initially detected as a heavily obfuscated APK, this latest known BianLian variant still possesses several key components found in older models, including modules that send, receive and log SMS messages; run USSD codes and make calls; and lock screens in order to prevent any interaction with the device.

Upon initial activation, BianLian's first step is to hide is icon, after which time the malware relentless requests the user's permission to abuse Accessibility services. If the user gives in and grants this permission, the malware will be granted the necessary power to initiate its malicious modules, Durando explained in the blog post.

"BianLian seems to still be under active development. The added functionalities, even though not completely original, are effective and make this family a potentially dangerous one," said Durando. "Its code base and strategies put it on a par with the other big players in the banking malware space."

Bradley Barth

As director of community content at CyberRisk Alliance, Bradley Barth develops content for SC Media online conferences and events, as well as video/multimedia projects. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.