New Android malware disconnects calls, intercepts texts of victims


Researchers have discovered a new Android malware family that disguises itself as a security app, and intercepts the incoming texts and calls of victims.

According to Hitesh Dharmdasani, a malware researcher at FireEye who blogged about the threat on Tuesday, six variants of the Android malware, dubbed “HeHe,” have been detected by the firm.

On Wednesday, Dharmdasani told SCMagazine.com that the free app is most likely infecting users via third-party app marketplaces or through SMS spam.

“The possible sources are that you get a link to download the app as an SMS spam message, or from forums where all of these third party apps are advertised,” Dharmdasani said.

He added that the malware appears to be targeting Korean users, as the malicious “Android security” app is written in that language.

Furthermore, HeHe malware also collects other phone data – such as International Mobile Subscriber Identity (IMSI) data, International Mobile Station Equipment Identity (IMEI) numbers, and phone numbers – and sends the information to the attacker-operated server.

While other Android malware built to spy on its victims has made its rounds in separate campaigns, Dharmdasani said that HeHe malware was interesting in that all SMS messages are intercepted by attackers, while incoming calls are disconnected selectively by the malware.

“The [command-and-control server] is expected to respond with a list of phone numbers that are of interest to the malware author,” Dharmdasani's blog post said. “If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected.”

In his follow-up interview, Dharmdasani explained that it's unclear what significance the list of phone numbers has, as it appears the attackers don't want victims receiving calls from those numbers.

“There's no inbound communications,” Dharmdasani said of the victims who unknowingly download the HeHe Android malware.

“It doesn't matter whom the SMS came from, it will still get intercepted. But it will disconnect calls selectively,” he said.
