Android malware returns and this time it will record what is on your screen, too

Malware which started life as a dropper is becoming more and more sophisticated.
Written by Danny Palmer, Senior Writer

An Android banking trojan has returned with improvements which allow it to record the screens of infected devices while also adding new techniques that help the malware remain hidden from victims.

First detailed by cybersecurity researchers at ThreatFabric in October last year, BianLian started life as a dropper for other forms of malware, most notably the Anubis banking malware, which has stolen funds from thousands of Android users around the globe.

But the cybercriminals behind BianLian soon changed their tactics, altering the code and re-purposing the malware into a banking trojan in its own right – repeatedly bypassing protections in the official Google Play app store as a means of distributing their malicious payload.

SEE: A winning strategy for cybersecurity (ZDNet special report) | Download the report as a PDF (TechRepublic)

Now researchers at Fortinet have uncovered a new version of BianLian that suggests that those behind it are still providing regular updates to the malware in order to make it more potent and provide even better returns.

If a user downloads one of the malicious apps used to deliver BianLian, the first thing the application does is repeatedly ask for permission to use accessibility services and the additional functions this provides. This is a common tactic in Android malware that exploits a functionality intended to help make devices easier to use.

Once the relevant permissions have been granted, the malware's modules allow it to read, send and receive text messages and monitor and make calls, as well as allowing BianLian to run overlay attacks on banking applications and provide the attacker with the ability to lock the screen, making the device unusable for the user – likely an additional means of hiding malicious activity.

The new version of BianLian adds a screencast module, allowing the malware to record the screen of the device, a functionality that could allow attackers to monitor and store what's viewed by the user – a good way of secretly stealing information like usernames, passwords and other confidential information that could allow attackers to gain access to the payment data they want to steal.

In addition to the screen-recording ability, the new version of BianLian is equipped with a means of obfuscation that involves what researchers describe as "randomly generated garbage" in the code base.

The thinking behind this appears to be that the true functionality of the malware will be lost amongst all the code.

BianLian is still active and researchers warn that the malware is still being updated.

"BianLian seems to still be under active development. The added functionalities, even though not completely original, are effective and make this family a potentially dangerous one. Its code base and strategies put it on a par with the other big players in the banking malware space," said Dario Durando, Android malware analyst at Fortinet.

Researchers have provided a full list of Indicators of Compromise in their full analysis of the malware, as well as a list of all the banking applications targeted by BianLian.


Editorial standards