{"id":18820,"date":"2022-04-20T19:40:09","date_gmt":"2022-04-21T03:40:09","guid":{"rendered":"https:\/\/www.palada.net\/index.php\/2022\/04\/20\/news-12553\/"},"modified":"2022-04-20T19:40:09","modified_gmt":"2022-04-21T03:40:09","slug":"news-12553","status":"publish","type":"post","link":"https:\/\/www.palada.net\/index.php\/2022\/04\/20\/news-12553\/","title":{"rendered":"Android\/Bianlian Botnet Trying to Bypass Photo TAN Used for Mobile Banking"},"content":{"rendered":"<div class=\"aem-Grid aem-Grid--12 aem-Grid--default--12\" width=\"100%\" height=\"420\">\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\"><\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>\u00a0<\/p>\n<p><b>Affected Platforms:<\/b> Android<br \/> <b>Impacted Users: <\/b>Android End-Users<br \/> <b>Impact: <\/b>Banking Credential Leak + Remote Control<br \/> <b>Severity Level:<\/b> Medium<\/p>\n<p>We have been closely investigating the Android BianLian botnet (also known as Hydra). This <a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/new-wave-bianlian-malware\">botnet emerged in 2018<\/a>. It is still very alive in 2022, particularly active since the beginning of 2022, where we are closely monitoring at least three independent campaigns.<\/p>\n<p>The Android malware typically poses as a video player, Google Play app, or a mobile banking application. Once installed, it asks the victim to activate Accessibility Services for the app to \u201cwork correctly.\u201d In reality, this is needed by the malware to overlay images and validate forms without user interaction. Asking for Accessibility Services activation should raise an alarm in the victim\u2019s mind. 
Unfortunately, many won\u2019t understand this is not legitimate.<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/android-bianlian-botnet-mobile-banking\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649118798796\/fig-1.png\" alt=\"Figure 1: Malware asking to activate Accessibility Services. Unfortunately, many users will accept and won\u2019t understand this helps the malware capture gestures, click on forms without user\u2019s consent, etc.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 1: Malware asking to activate Accessibility Services. Unfortunately, many users will accept and won\u2019t understand this helps the malware capture gestures, click on forms without user\u2019s consent, etc.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Once this is done, it is game over. The installed application apparently disappears from the smartphone, leaving the victim under the impression that it did not work or crashed. In reality, the malware is running in the background and contacting a C2 for the list of apps to monitor.<\/p>\n<p>Whenever the victim launches an app monitored by the threat actors, the malware downloads up-to-date HTML and images to inject on the smartphone. The injected web page is displayed as an overlay of the real app, but the victim has no way to see the trick. This is how threat actors get the mobile banking credentials of their victims.\u00a0It is important to note that this malware does not affect the targeted applications or exploit them in any way. 
Instead, it inserts itself between the user and the application to intercept the user&#8217;s credentials, much like a man-in-the-middle attack.<\/p>\n<\/p><\/div>\n<div class=\"video aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">\n<div class=\"video__container\">              <iframe loading=\"lazy\" class=\"youtube_embed\" src=\"https:\/\/www.youtube.com\/embed\/hvumI6oruSc?autoplay=0&#038;rel=0&#038;controls=0&#038;showinfo=0\" frameborder=\"0\" gesture=\"media\" allow=\"encrypted-media\" allowfullscreen width=\"100%\" height=\"420\" style=\"\"><\/iframe>      <\/div>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p><i>Video Overview:<\/i> <i>Example of infection with Android Bian Lian malware. In this video, we mimic an existing C2 taken from another campaign (left hand side). On the right, a smartphone is infected with Bian Lian. Our fake C2 shows communication with the infected smartphone. The end-user activates Accessibility Services.\u00a0<\/i><\/p>\n<p><i>Note the infected Video Player disappears from the list of applications: the end-user can\u2019t see it any longer. Then, the end-user launches an application. See how the malware injects a fake login page. This login page actually \u201csits\u201d on top of the existing bank\u2019s app. The Bian Lian malware, running in the background, takes regular screenshots of the victim\u2019s smartphone. This is a way the malware can steal banking credentials.\u00a0<\/i><\/p>\n<p><i>Note the mobile banking apps are genuine and have no security flaw. The attack is conducted by the Bian Lian malware. (This research video has no sound.)<\/i><\/p>\n<p>During our investigations, we noticed the C2 is targeting European banks. It is also currently developing support for the Photo TAN some banks use. 
Photo TAN is a popular two-factor authentication method where the user scans a matrix shown on their PC, laptop, or tablet with the smartphone. This generates a TAN to verify online orders.<\/p>\n<p>We have downloaded the corresponding injected pages:<\/p>\n<\/p><\/div>\n<div class=\"cmp cmp-image aem-GridColumn--default--none aem-GridColumn aem-GridColumn--default--6 aem-GridColumn--offset--default--3\">               <noscript data-cmp-image=\"{&#34;smartImages&#34;:[],&#34;smartSizes&#34;:[],&#34;lazyEnabled&#34;:true}\">             <img decoding=\"async\" src=\"\/blog\/threat-research\/android-bianlian-botnet-mobile-banking\/_jcr_content\/root\/responsivegrid\/image_2015968854.img.png\/1649118400956\/img22222222.png\" alt=\"Figure 2: Corresponding injected pages.\"\/>         <\/noscript>          <span class=\"cmp-image--title\">Figure 2: Corresponding injected pages.<\/span>         <\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>Fortunately, the web pages are not ready yet:<\/p>\n<\/p><\/div>\n<div class=\"code-snippet aem-GridColumn--default--none aem-GridColumn aem-GridColumn--offset--default--4 aem-GridColumn--default--4\">      <link rel=\"stylesheet\" href=\"\/etc.clientlibs\/fortinet-blog\/components\/content\/code-snippet\/clientlib.min.css\" type=\"text\/css\"> <script type=\"text\/javascript\" src=\"\/etc.clientlibs\/fortinet-blog\/components\/content\/code-snippet\/clientlib.min.js\"><\/script>         <\/p>\n<pre><code class=\"language-clike\"><div style=\"color: rgb(0,0,0);font-family: Calibri;white-space: normal;\">inj\/com.db.pbc.phototan.db$ cat index.html<\/div> <div style=\"color: rgb(0,0,0);font-family: Calibri;white-space: normal;\">This is the message!<\/div> <div style=\"color: rgb(0,0,0);font-family: Calibri;white-space: normal;\">inj\/com.commerzbank.photoTAN$ cat index.html<\/div> <p>This is the message!<\/p> <\/code><\/pre>\n<\/p><\/div>\n<div class=\"cmp cmp-text aem-GridColumn 
aem-GridColumn--default--12\">\n<p><b>Fortinet customers are protected:<\/b><\/p>\n<ul>\n<li>The malware is detected as Android\/BianLian.10484!tr or Android\/Agent.FRJ!tr<\/li>\n<li>The malicious URLs of the C2 are blocked by our Web Filtering services<\/li>\n<li>The threat is being actively monitored by Fortinet\u2019s <a href=\"https:\/\/cts.fortiguard.com\/login\">Central Threat System<\/a> and our FortiRecon team.<\/li>\n<li>As much as possible, we are reaching out to concerned banks and trying to bring the botnet down.<\/li>\n<\/ul>\n<h2>IOC<\/h2>\n<ul>\n<li>a3b826de0c445f0924c50939494a26b0d99ef3ccac80faacca98673625656278<\/li>\n<li>hxxp:\/\/loa5ta2rso7xahp7lubajje6txt366hr3ovjgthzmdy7gav23xdqwnid[.]onion\/api\/mirrors<\/li>\n<li>hxxp:\/\/zhgggga[.]in<\/li>\n<\/ul>\n<h2>Targeted applications<\/h2>\n<p>The following applications are currently targeted by the C2. Note the list may change at any moment.<\/p>\n<ul>\n<li>At.aerztebank.aerztebankmobile<\/li>\n<li>At.bank99.meine.meine<\/li>\n<li>At.ing.diba.client.onlinebanking<\/li>\n<li>At.volksbank.volksbankmobile<\/li>\n<li>Com.bankaustria.android.olb<\/li>\n<li>Com.bawagpsk.bawagpsk<\/li>\n<li>Com.commerzbank.photoTAN<\/li>\n<li>Com.db.pbc.phototan.db<\/li>\n<li>Com.db.pwcc.dbmobile<\/li>\n<li>Com.easybank.easybank<\/li>\n<li>De.comdirect.app<\/li>\n<li>Mobile.santander.de.smartsign<\/li>\n<\/ul><\/div>\n<div class=\"cmp cmp-text aem-GridColumn aem-GridColumn--default--12\">\n<p>In addition to those banking apps, the C2 also monitors a few vendor PIN applications like <span style=\"font-family: Consolas;\"><span style=\"font-size: 11.0pt;\">samsung.settings.pas<\/span><\/span> or <span style=\"font-family: Consolas;\"><span style=\"font-size: 11.0pt;\">huawei.settings.pin<\/span><\/span><span style=\"font-size: 12.0pt;\"><span style=\"font-family: Cambria , serif;\">. 
<\/span><\/span>Those appear in all Android Bian Lian malware to help malware authors grab the PIN or unlock the screen.<\/p>\n<p>Many thanks to several colleagues who are helping with this investigation, in particular: David Malcher, Aamir Lakhani, Bhumit Mali, and Anil Aphale.<\/p>\n<p><i>Learn more about Fortinet\u2019s <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?utm_source=blog&amp;utm_campaign=fortiguard-labs\">FortiGuard Labs<\/a> threat research and intelligence organization and the FortiGuard Security Subscriptions and Services <a href=\"https:\/\/www.fortinet.com\/fortiguard\/labs?tab=security-bundles&amp;utm_source=blog&amp;utm_campaign=security-bundles\">portfolio<\/a>.<\/i><\/p>\n<\/p><\/div>\n<div class=\"raw-import aem-GridColumn aem-GridColumn--default--12\">\n<div class=\"text-container\">\n<div id=\"om-b2dxtopzidsdt3fkzfsv-holder\"><\/div>\n<\/div><\/div>\n<\/p><\/div>\n<p><a href=\"https:\/\/www.fortinet.com\/blog\/threat-research\/android-bianlian-botnet-mobile-banking\" target=\"bwo\" >http:\/\/feeds.feedburner.com\/fortinet\/blog\/threat-research<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"\/blog\/threat-research\/android-bianlian-botnet-mobile-banking\/_jcr_content\/root\/responsivegrid\/image.img.png\/1649118798796\/fig-1.png\"\/><br \/>FortiGuard Labs has been closely investigating the Android BianLian botnet (also known as Hydra). Although it emerged in 2018, it is still alive in 2022. 
Our blog provides a brief analysis as well as its new tricks.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10424,10378],"tags":[],"class_list":["post-18820","post","type-post","status-publish","format-standard","hentry","category-fortinet","category-security"],"_links":{"self":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18820","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18820"}],"version-history":[{"count":0,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18820\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18820"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18820"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18820"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}