Android malware saves what is displayed on your screen

The BianLian virus is back on the Play Store and it combines six modules to steal a maximum of confidential data, including bank details. In particular, it is able to remotely record anything that appears on the screen.

Fortinet Cybersecurity Expert has released a ticket detailing a new attack on smartphones and tablets using the Android system, which aims to steal information from banking applications, but also other sensitive data.

The malware is adept at camouflage, which is why researchers named it BianLian, named after the Chinese living art where the artist regularly changes the mask imperceptibly. It had already been detected in 2018 but had a slightly different operation. It was not used to spy users, but to install other malware. Its developer was therefore focused on the camouflage, integrating it into fully functional applications to get good grades on the Play Store of Google and entice users to keep them as long as possible.

A malware that has evolved a lot

At the time, BianLian had become known as the Anubis malware installation system, which aimed to steal bank identifiers. This time, the application works alone and integrates different functions to steal the victims’ data. He starts by hiding his icon and constantly asks for permission to use certain features of Android’s accessibility services until the user agrees.

Once accessed, the malware has six modules to try to steal sensitive information. A first text module, to view the content of SMS and even send. A second module is used to make calls and use USSD codes, operator-specific commands that provide information, such as remaining call credit or enable options. A third module adds elements on top of other applications. For example, when entering its credentials on its banking application, the malware replaces the fields for the identifiers with false fields in order to steal the contents.

Bian Lian even sends screenshots

These are two other modules that have the most intrigued researchers. A Socks5 module creates an SSH server on the device, which allows secure communications that are difficult to detect with the malware command server. Another module allows saving the screen. This function can even be triggered remotely and unlock the device. Finally, the last module, simpler, just locks the screen to prevent the user to access the device once the data theft completed.

According to Fortinet, BianLian is still in active development, which gives rise to fears of new developments that are even more problematic. In the meantime, mobile antivirus (including Fortinet) should be able to detect it and be careful not to grant permissions to an app without understanding why.