New Android malware disconnects calls, intercepts texts of victims


Researchers have discovered a new Android malware family that disguises itself as a security app, and intercepts the incoming texts and calls of victims.

According to Hitesh Dharmdasani, a malware researcher at FireEye who blogged about the threat on Tuesday, six variants of the Android malware, dubbed “HeHe,” have been detected by the firm.

On Wednesday, Dharmdasani told SCMagazine.com that the free app is most likely reaching users via third-party app marketplaces or through SMS spam.

“The possible sources are that you get a link to download the app as an SMS spam message, or from forums where all of these third party apps are advertised,” Dharmdasani said.

He added that the malware appears to be targeting Korean users, as the malicious “Android security” app is written in that language.

HeHe also collects other phone data, such as the international mobile subscriber identity (IMSI), the International Mobile Station Equipment Identity (IMEI) number and the phone number, and sends that information to the attacker-operated server.

While other Android malware built to spy on its victims has made the rounds in separate campaigns, Dharmdasani said HeHe is notable in that all SMS messages are intercepted by the attackers, while incoming calls are disconnected selectively by the malware.

“The [command-and-control server] is expected to respond with a list of phone numbers that are of interest to the malware author,” Dharmdasani's blog post said. “If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected.”

In his follow-up interview, Dharmdasani explained that it's unclear what significance the list of phone numbers has, though it appears the attackers don't want victims receiving calls from those numbers.

“There's no inbound communications,” Dharmdasani said of the victims who unknowingly download the HeHe Android malware.

“It doesn't matter whom the SMS came from, it will still get intercepted. But it will disconnect calls selectively,” he said.
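The behaviour described above (intercepting incoming texts before the user sees them, reading IMEI/IMSI and phone-number data, rejecting calls, and reporting to a server) maps onto a recognisable combination of Android permissions and manifest entries. The following added example is a small static triage check written for this article, not code from FireEye or from the malware; the manifest it parses is constructed, the package name is hypothetical, and the permission-to-capability mapping is this example's own heuristic.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Behaviours reported for HeHe, mapped to the Android permissions an app
# needs to implement them (the mapping is this example's own heuristic).
CAPABILITIES = {
    "intercept_sms": {"android.permission.RECEIVE_SMS"},
    "collect_imei_imsi_number": {"android.permission.READ_PHONE_STATE"},
    "send_to_c2": {"android.permission.INTERNET"},
    "reject_calls": {"android.permission.CALL_PHONE"},
}

# Constructed manifest of a hypothetical "security" app, not HeHe's real one.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakesecurity">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

def triage_manifest(manifest_xml: str) -> dict:
    """Flag the permission/receiver combination matching the reported behaviour."""
    root = ET.fromstring(manifest_xml)
    granted = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    found = {cap: bool(granted & perms) for cap, perms in CAPABILITIES.items()}
    # A high-priority SMS_RECEIVED receiver runs before the stock messaging
    # app on older Android and can abort the broadcast, which is how an app
    # hides an incoming text and suppresses its notification.
    top_priority = 0
    for flt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in flt.iter("action")}
        if SMS_RECEIVED in actions:
            top_priority = max(top_priority, int(flt.get(ANDROID + "priority", "0")))
    found["hides_sms_from_user"] = top_priority >= 1000
    found["suspicious"] = (found["intercept_sms"] and found["send_to_c2"]
                           and found["hides_sms_from_user"])
    return found

if __name__ == "__main__":
    print(triage_manifest(SAMPLE_MANIFEST))
```

The check is a triage signal only: legitimate messaging apps also register for SMS_RECEIVED, so a hit should prompt a closer look at what the receiver does, not an automatic verdict.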
