News

New BianLian Trojan spies on data entry in Android banking applications

In the arsenal of criminal groups arrived a new version of the BianLian malware.

Cybercriminals modified the Trojan, equipping it with additional attack capabilities on banking applications.

Experts of the Fortinet company investigated in detail a new copy of the malware.

According to experts, BianLian can now save the screen of an Android device, which helps cybercriminals steal credentials of online banking users.

Bian Lian — is an ancient Chinese dramatic art
During the installation process, BianLian is trying to obtain permission to use features for people with disabilities (Accessibility Services). As soon as the user grants him access, the attack phase begins. The malicious program can record any windows of financial applications using a screencast module, for which BianLian requires separate rights in the Android system.

Thus, the entire process of entering a user name, password, and payment card data is recorded and passed into the hands of intruders.

Previously, BianLian served as a dropper for another malware – Anubis. Its initial characteristics allow bypassing the detection of various protective mechanisms. For example, BianLian may penetrate Google Play.

According to the Fortinet report, this is the list of attacked banking applications:

  • com.akbank.android.apps.akbank_direkt
  • com.albarakaapp
  • com.binance.dev
  • com.btcturk
  • com.denizbank.mobildeniz
  • com.finansbank.mobile.cepsube
  • com.garanti.cepsubesi
  • com.ingbanktr.ingmobil
  • com.kuveytturk.mobil
  • com.magiclick.odeabank
  • com.mobillium.papara
  • com.pozitron.iscep
  • com.teb
  • com.thanksmister.bitcoin.localtrader
  • com.tmobtech.halkbank
  • com.vakifbank.mobile
  • com.ykb.android
  • com.ziraat.ziraatmobil
  • finansbank.enpara
  • tr.com.hsbc.hsbcturkey
  • tr.com.sekerbilisim.mbank
Conclusion

BianLian seems to still be under active development. The added functionalities, even though not completely original, are effective and make this family a potentially dangerous one. Its code base and strategies put it on a par with the other big players in the banking malware space.

In addition, its new obfuscation technique, even though not very complicated, is still capable of tricking string-based detection, and would be very hard to detect with static analysis alone when encountered for the first time.

Polina Lisovskaya

I works as a marketing manager for years now and loves searching for interesting topics for you

Recent Posts

Remove Kabatibly.co.in Pop-up Ads

About Kabatibly.co.in Kabatibly.co.in pop-ups can not introduce out of nowhere. If you have clicked some…

11 hours ago

Remove Reditarcet.co.in Pop-up Ads

About Reditarcet.co.in Reditarcet.co.in pop-ups can not introduce out of the blue. If you have clicked…

11 hours ago

Remove Everestpeak.top Pop-up Ads

About Everestpeak.top Everestpeak.top pop-ups can not open out of the blue. If you have actually…

15 hours ago

Remove Firm-jawed.yachts Pop-up Ads

About Firm-jawed.yachts Firm-jawed.yachts pop-ups can not launch out of nowhere. If you have clicked some…

15 hours ago

Remove Anapurnatop.top Pop-up Ads

About Anapurnatop.top Anapurnatop.top pop-ups can not expose out of nowhere. If you have clicked on…

16 hours ago

Remove Boomira.com Pop-up Ads

About Boomira.com Boomira.com pop-ups can not open out of nowhere. If you have clicked on…

16 hours ago