BianLian Banking Trojan Adds Screen Recorder

Researchers have discovered a new version of the Android banking trojan BianLian that introduces the ability to record device screens and set of proxies.

Named after the Chinese art of “face-changing,” BianLian first appeared as a dropper in October 2018. But it quickly evolved and adopted banking trojan functionality, including overlay attacks that trick users (especially Turkish banking customers) into thinking they are interacting with their preferred financial institutions, when they are actually giving away their credentials to malicious actors.

Now, the addition of a screen recording module adds an intriguing spyware wrinkle, according to
researchers at Fortinet’s FortiGuard Labs, who uncovered the strain while undertaking their daily malware analysis. Indeed, in a July 3 company blog post, Fortinet analyst Dario Durando explained that this “Screencast Module” uses the Android package android.media.projection.MediaProjection to create a virtual display for screencasting.

“It first checks if the [device] screen is locked. If it is, it releases the lock and then starts its recording,” wrote Durando. The recording is started remotely, as with other functionalities, using FCM (Firebase Cloud Messaging).”

Another new module, the Socks5 Module, is designed to conceal malicious command-and-control communications by using the JSCH (Java Secure Channel) library to establish proxies capable of running SSH sessions via remote port forwarding on port 34500.

Initially detected as a heavily obfuscated APK, this latest known BianLian variant still possesses several key components found in older models, including modules that send, receive and log SMS messages; run USSD codes and make calls; and lock screens in order to prevent any interaction with the device.

Upon initial activation, BianLian’s first step is to hide is icon, after which time the malware relentless requests the user’s permission to abuse Accessibility services. If the user gives in and grants this permission, the malware will be granted the necessary power to initiate its malicious modules, Durando explained in the blog post.

“BianLian seems to still be under active development. The added functionalities, even though not completely original, are effective and make this family a potentially dangerous one,” said Durando. “Its code base and strategies put it on a par with the other big players in the banking malware space.”