New “HenBox” Android Malware Discovered

A newly discovered Android malware family masquerades as various popular applications and can steal a broad range of information from infected devices, Palo Alto Networks warns.

Dubbed HenBox, the malware was observed installing the legitimate versions of apps it poses as to hide its presence on compromised devices. The threat is distributed via third-party app stores and mainly targets Uyghur, a minority Turkic ethnic group in the Xinjiang Uyghur Autonomous Region in North West China, and Xiaomi devices.

On the infected devices, HenBox can steal information from mainstream chat, communication, and social media apps. It gathers both personal and device information, can track the device’s location, can access the microphone and camera, and harvests outgoing phone numbers with an “86” prefix (the country code for the People’s Republic of China).

Palo Alto’s researchers discovered nearly 200 HenBox samples, the oldest dating back to 2015, although activity was concentrated in the second half of 2017. A small but consistent number of samples has been observed this year as well.

While analyzing the mobile threat, Palo Alto connected it to infrastructure used in targeted attacks in South East Asia that used malware such as PlugX, Zupdax, 9002, and Poison Ivy.

One of the apps HenBox was observed masquerading as (in May 2016) is DroidVPN, which promises increased security and privacy and the ability to bypass regional Internet restrictions. The software was distributed via uyghurapps[.]net, and the researchers believe a vulnerable Apache Web Server on a Windows 32-Bit operating system was exploited to replace the legitimate app.

The HenBox app had the look and feel of DroidVPN and also contained a legitimate version of the app within its APK package as an asset, to hide any malicious behaviors occurring in the background. The malware authors even embedded HenBox with the same version of the legitimate DroidVPN variant available for download on the third-party store.

DroidVPN, however, is only one example. Other apps were also found, some in other third-party stores. One was a Uyghur language keyboard app, while another was masquerading as Android’s Settings app.

A third app was called “Islamawazi,” which is the name of the Turkistan Islamic Party, formerly East Turkestan Islamic Party, a purportedly Islamic extremist separatist organization founded by Uyghur jihadists.

“These examples, together with the HenBox app placed on a very specific third-party app store, point clearly to at least some of the intended targets of these malicious apps being Uyghurs, specifically those with interest in or association with terrorist groups,” the researchers note.

The malware’s components are obfuscated in some way and are responsible for various functions, including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location, and more.

Once on a compromised device, HenBox is launched in one of two ways: either directly by the victim (in which case the app also checks whether it is running on a Xiaomi device with Xiaomi’s fork of Android and whether it is running in an emulator), or indirectly through intents, broadcasts, and receivers, whereby another program triggers the app’s launch.

Regardless of the execution method, a HenBox service is ultimately launched on the infected device, hidden from the user, and an ELF library is loaded to gather environmental information about the device, including running processes and apps, and device hardware information.
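Two of the traits described above, a legitimate copy of the impersonated app bundled inside the APK as an asset and a native ELF library shipped alongside the Dalvik code, can be checked statically without running the sample. The following Python triage helper is an added example, not code from Palo Alto Networks or from the article; it reads an APK as a zip archive, flags nested APKs under assets/ and any ELF entries, and builds a constructed sample archive (not a real HenBox artifact) to demonstrate the check.

```python
import io
import zipfile

ELF_MAGIC = b"\x7fELF"      # first four bytes of every ELF binary
ZIP_MAGIC = b"PK\x03\x04"   # local file header that opens a non-empty zip/APK


def triage_apk(apk_bytes):
    """Return repackaging indicators for an APK supplied as raw bytes.

    A nested APK under assets/ is the HenBox-style trick of carrying the
    genuine app inside the malicious one; ELF entries show native code that
    static Dalvik analysis alone would miss.
    """
    findings = {"embedded_apks": [], "native_libs": [], "suspicious": False}
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        for info in apk.infolist():
            name = info.filename
            with apk.open(info) as fh:
                head = fh.read(4)  # only the magic bytes are needed here
            if name.startswith("assets/") and head == ZIP_MAGIC:
                # Confirm the nested zip is really an APK (carries a manifest).
                try:
                    with zipfile.ZipFile(io.BytesIO(apk.read(info))) as inner:
                        if "AndroidManifest.xml" in inner.namelist():
                            findings["embedded_apks"].append(name)
                except zipfile.BadZipFile:
                    pass  # not a usable archive; ignore
            elif head == ELF_MAGIC:
                findings["native_libs"].append(name)
    # An app that carries another full APK as an asset warrants manual review.
    findings["suspicious"] = bool(findings["embedded_apks"])
    return findings


def build_sample_apk(embed_legit=True):
    """Construct a minimal APK-like zip (hypothetical sample, not real malware)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("AndroidManifest.xml", b"<manifest/>")
        z.writestr("classes.dex", b"dex\n035\x00")
        z.writestr("lib/armeabi/libnative.so", ELF_MAGIC + b"\x01\x01\x01" + b"\x00" * 9)
        if embed_legit:
            z.writestr("assets/droidvpn.apk", inner.getvalue())  # name is illustrative
    return outer.getvalue()
```

The heuristic is a triage aid only: some legitimate installers and plugin frameworks also bundle APKs as assets, so a hit should lead to manual comparison of the outer and inner packages rather than an automatic verdict.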

A customized super user tool is also loaded onto the device, to run privileged commands on the system. It can also steal messages and other data from popular messaging and social media apps, including Voxer Walkie Talkie Messenger and Tencent’s WeChat.

The HenBox infrastructure was found to be related to malware families used in targeted attacks against Windows users. “The overall image of these ties […] paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015,” Palo Alto notes.

In addition to third-party stores, where the vetting process is not as thorough as in Google Play or other official stores, the malicious HenBox apps might also be distributed via forums and file-sharing sites, or could be delivered to the intended victims as email attachments. Either way, the malware appears mainly focused on spying on Uyghur language users.

“The targets and capabilities of HenBox, in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries, indicates this activity likely represents an at least three-year-old espionage campaign,” Palo Alto Networks concludes.

Related: Video Game Firms Targeted With “Paranoid” PlugX Malware

Related: Operation Cloud Hopper: China-based Hackers Target Managed Service Providers

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
