New “HenBox” Android Malware Discovered

A newly discovered Android malware family masquerades as various popular applications and can steal a broad range of information from infected devices, Palo Alto Networks warns.

Dubbed HenBox, the malware was observed installing the legitimate versions of apps it poses as to hide its presence on compromised devices. The threat is distributed via third-party app stores and mainly targets Uyghur, a minority Turkic ethnic group in the Xinjiang Uyghur Autonomous Region in North West China, and Xiaomi devices.

On the infected devices, HenBox can steal information from mainstream chat, communication, and social media apps. It gathers both personal and device information, can track the device’s location, can access the microphone and camera, and harvests outgoing phone numbers with an “86” prefix (the country code for the People’s Republic of China).

Palo Alto’s researchers discovered nearly 200 HenBox samples, the oldest dating back to 2015, but activity occured in the second half of 2017. A small but consistent number of samples has been observed this year as well.

While analyzing the mobile threat, Palo Alto connected it to infrastructure used in targeted attacks in South East Asia that used malware such as PlugX, Zupdax, 9002, and Poison Ivy.

One of the apps HenBox was observed masquerading as (in May 2016) is DroidVPN, which promises increased security and privacy and the ability to bypass regional Internet restrictions. The software was distributed via uyghurapps[.]net, and the researchers believe a vulnerable Apache Web Server on a Windows 32-Bit operating system was exploited to replace the legitimate app.

The HenBox app had the look and feel of DroidVPN and also contained a legitimate version of the app within its APK package as an asset, to hide any malicious behaviors occurring in the background. The malware authors even embedded HenBox with the same version of the legitimate DroidVPN variant available for download on the third-party store.

DroidVPN, however, is only one example. Other apps were also found, some in other third-party stores. One was a Uyghur language keyboard app, while another was masquerading as Android’s Settings app.

A third app was called “Islamawazi,” which is the name of the Turkistan Islamic Party, formerly East Turkestan Islamic Party, a purportedly Islamic extremist separatist organization founded by Uyghur jihadists.

“These examples, together with the HenBox app placed on a very specific third-party app store, point clearly to at least some of the intended targets of these malicious apps being Uyghurs, specifically those with interest in or association with terrorist groups,” the researchers note.

The malware’s components are obfuscated in some way and are responsible for various functions, including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location, and more.

Once on a compromised device, HenBox is either executed by the victim – the app also checks whether it runs on a Xiaomi device with Xiaomi’s fork of Android and whether it runs in an emulator – or by using intents, broadcasts, and receivers – where the app is launched by another program.

Regardless of the execution method, a HenBox service is ultimately launched on the infected device, hidden from the user, and an ELF library is loaded to gather environmental information about the device, including running processes and apps, and device hardware information.

A customized super user tool is also loaded onto the device, to run privileged commands on the system. It can also steal messages and other data from popular messaging and social media apps, including Voxer Walkie Talkie Messenger and Tencent’s WeChat.

The HenBox infrastructure was found to be related to malware families used in targeted attacks against Windows users. “The overall image of these ties […] paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015,” Palo Alto notes.

In addition to third-party stores, where the vetting process is not as thorough as in Google Play or other official stores, the malicious HenBox apps might also be distributed via forums and file-sharing sites, or could be delivered to the intended victims as email attachments. Either way, the malware appears mainly focused on spying on Uyghur language users.

“The targets and capabilities of HenBox, in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries, indicates this activity likely represents an at least three-year-old espionage campaign,” Palo Alto Networks concludes.

Related: Video Game Firms Targeted With “Paranoid” PlugX Malware

Related: Operation Cloud Hopper: China-based Hackers Target Managed Service Providers

view counter

Ionut Arghire is an international correspondent for SecurityWeek.

Previous Columns by Ionut Arghire:

Tags: