FireEye Labs has recently discovered six variants of a new Android threat that steals text messages and intercepts phone calls.They are named this sample set “Android.HeHe” after the name of the activity that is used consistently across all samples.
Android.HeHe malware also collects other phone data such as international mobile subscriber identity (IMSI) data, International Mobile Station Equipment Identity [IMEI] numbers, and phone numbers and sends the information to the attacker-operated server.
Here is a list of known bot variants:
It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages. The CnC is expected to respond with a list of phone numbers that are of interest to the malware author.
If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs.
Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected.
The constructor of the HeHeActivity registers a handler using the android.os.Handle, which acts as a thread waiting for an object of type android.os.Message to perform different actions.
Android.HeHe malware also collects other phone data such as international mobile subscriber identity (IMSI) data, International Mobile Station Equipment Identity [IMEI] numbers, and phone numbers and sends the information to the attacker-operated server.
Here is a list of known bot variants:
| MD5 | VirusTotal Detection Ratio |
| 1caa31272daabb43180e079bca5e23c1 | 2/48 |
| 8265041aca378d37006799975fa471d9 | 1/47 |
| 2af4de1df7587fa0035dcefededaedae | 2/45 |
| 2b41fbfb5087f521be193d8c1f5efb4c | 2/46 |
| aa0ed04426562df25916ff70258daf6c | 1/46 |
| 9507f93d9a64d718682c0871bf354e6f | 1/47 |
If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs.
Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected.
The constructor of the HeHeActivity registers a handler using the android.os.Handle, which acts as a thread waiting for an object of type android.os.Message to perform different actions.
Android malware variants are mushrooming. Threats such as Android.HeHe and Android.MisoSMS reveal attackers’ growing interest in monitoring SMS messages and phone call logs.
They also serve as a stark reminder of just how dangerous apps from non-trusted marketplaces can be.
No comments:
Post a Comment