New Android malware disconnects calls, intercepts texts of victims

Share this article:

Researchers have discovered a new Android malware family that disguises itself as a security app, and intercepts the incoming texts and calls of victims.

According to Hitesh Dharmdasani, a malware researcher at FireEye who blogged about the threat on Tuesday, six variants of the Android malware, dubbed “HeHe,” have been detected by the firm.

On Wednesday, Dharmdasani told that the free app is most likely infecting users via third party app marketplaces or through SMS spam.

“The possible sources are that you get a link to download the app as an SMS spam message, or from forums where all of these third party apps are advertised,” Dharmdasani said.

He added that the malware appears to be targeting Korean users, as the malicious “Android security” app is written in that language.

Furthermore, HeHe malware also collects other phone data – such as international mobile subscriber identity (IMSI) data, International Mobile Station Equipment Identity [IMEI] numbers, and phone numbers – and sends the information to the attacker-operated server. 

While other Android malware spread with the purpose of spying on its victims, has made its rounds in separate campaigns, Dharmdasani said that HeHe malware was interesting in that all SMS messages are intercepted by attackers – while incoming calls are disconnected selectively by the malware.

“The [command-and-control server] is expected to respond with a list of phone numbers that are of interest to the malware author,” Dharmdasani's blog post said. “If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected.”

In his follow up interview, Dharmdasani explained that it's unclear what significance the list of phone numbers has, as it appears saboteurs don't want victims receiving calls from the numbers.

“There's no inbound communications,” Dharmdasani said of the victims who unknowingly download the HeHe Android malware.

“It doesn't matter whom the SMS came from, it will still get intercepted. But it will disconnect calls selectively,” he said.

Share this article:

Sign up to our newsletters

More in News

POS malware risks millions of payment cards for Michaels, Aaron Brothers shoppers

POS malware risks millions of payment cards for ...

An investigation dating back to January has finally confirmed that malware on point-of-sale systems may have compromised payment card data for millions of Michaels Stores and Aaron Brothers customers.

Phishing scam targets Michigan public schools

Unknown attackers used the finance director's email account to request wire transfers from the school district's accounting department.

Contempt order against Lavabit still stands, appeals court rules

Contempt order against Lavabit still stands, appeals court ...

A federal appeals court backed an earlier ruling penalizing the email service.