BianLian is a sophisticated and evolving banking trojan that primarily targets Android devices. First observed in 2018, BianLian is known for its complex and constantly evolving nature, making it a significant challenge for mobile security experts. The BianLian banking trojan is disseminated on the Google Play store. Once activated, the malware waits for instructions from Firebase, Google’s platform for creating mobile apps. Attackers were able to use Firebase to issue commands to compromised devices. This trojan employs many common techniques, including SMS interception, the ability to lock the device, and overlay attacks to steal credentials.
The name “BianLian” derives from a Chinese opera face-changing technique, highlighting its ability to change tactics and evade detection. The authors of this trojan are known as Hydra, and they’ve continued to advance the malware’s capabilities. In April 2022, a version of the trojan was discovered with capabilities for bypassing photoTAN, an authentication method banks employ to verify online orders. This trojan has been used to target banks in Turkey and Europe.
This trojan applies several techniques to evade detection, including:
- The malware detects if a request came from Google Play Protect. If detected, the trojan functions as a regular app to avoid detection.
- In subsequent releases, the trojan detected if Google Play Protect was running and deactivated the service before the request.
- The attackers obfuscated the code to make the malware more difficult to research.
Threats Posed by BianLian to Mobile Banking Apps
- Overlay Attacks: BianLian is adept at overlay attacks, a technique that displays a fake login screen or user interface on top of legitimate apps, including mobile banking apps. When users enter their login credentials, they unknowingly provide them to the attacker. Overlay attacks make it difficult for users to distinguish between genuine and fake interfaces.
- Accessibility Services Abuse: BianLian abuses Android’s accessibility services designed to assist users with disabilities. By gaining access to these services, the trojan can observe user actions and manipulate app behavior, including interacting with mobile banking apps.
- Dynamic Code Loading: BianLian often uses dynamic code loading techniques, downloading malicious code from remote servers during runtime. Dynamic code loading enables the trojan to change its behavior without requiring a full app update, making it more adaptable to security measures.
- Data Theft: BianLian can capture sensitive information such as login credentials, one-time passwords (OTPs), and personal data. It can also steal SMS messages containing financial transaction details, compromising user accounts.
- Remote Control: The trojan may establish a connection to a command and control (C2) server controlled by attackers. This control server connection allows remote control of infected devices, enabling attackers to initiate unauthorized transactions and manipulate device settings.
- Persistence: BianLian is known for its ability to maintain persistence on infected devices, ensuring that it remains active and can continue to steal information over time.
Mitigating the Threat of BianLian
To protect your mobile banking app and its users from the BianLian banking trojan and similar threats, consider implementing the following security measures:
- Regular Updates: Keep your mobile banking app up-to-date with the latest security patches and enhancements to address known vulnerabilities.
- User Education: Educate users about downloading the official app from trusted sources and being cautious with app permissions.
- Multi-factor Authentication (MFA): Encourage users to enable MFA for their accounts to add an extra layer of security.
- Real-time Monitoring: Implement real-time monitoring to detect and respond to suspicious activities within your app and network traffic.
- Secure Coding: Follow safe coding practices to prevent vulnerabilities in your app’s code, including input validation, data encryption, and secure API communication.
- Third-party Library Review: Carefully review and vet third-party libraries or components used in your app for potential security risks.
- Collaborate with Security Experts: Work with cybersecurity experts to conduct security assessments, code reviews, and penetration testing to identify and address your app’s security weaknesses.
- Incident Response Plan: Develop an incident response plan to respond to security incidents or breaches effectively.
Learn More about Banking Trojan Families
BianLian is one of the principal families of banking trojans threatening mobile banking and financial apps. Learn more about other prominent banking trojan families:
- Medusa Trojan
- Cerberus Trojan