Security Architecture, Endpoint/Device Security, Endpoint/Device Security, Threat Management, Malware, Endpoint/Device Security, Endpoint/Device Security, Endpoint/Device Security

New Android malware disconnects calls, intercepts texts of victims

Researchers have discovered a new Android malware family that disguises itself as a security app, and intercepts the incoming texts and calls of victims.

According to Hitesh Dharmdasani, a malware researcher at FireEye who blogged about the threat on Tuesday, six variants of the Android malware, dubbed “HeHe,” have been detected by the firm.

On Wednesday, Dharmdasani told that the free app is most likely infecting users via third party app marketplaces or through SMS spam.

“The possible sources are that you get a link to download the app as an SMS spam message, or from forums where all of these third party apps are advertised,” Dharmdasani said.

He added that the malware appears to be targeting Korean users, as the malicious “Android security” app is written in that language.

Furthermore, HeHe malware also collects other phone data – such as international mobile subscriber identity (IMSI) data, International Mobile Station Equipment Identity [IMEI] numbers, and phone numbers – and sends the information to the attacker-operated server. 

While other Android malware spread with the purpose of spying on its victims, has made its rounds in separate campaigns, Dharmdasani said that HeHe malware was interesting in that all SMS messages are intercepted by attackers – while incoming calls are disconnected selectively by the malware.

“The [command-and-control server] is expected to respond with a list of phone numbers that are of interest to the malware author,” Dharmdasani's blog post said. “If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected.”

In his follow up interview, Dharmdasani explained that it's unclear what significance the list of phone numbers has, as it appears saboteurs don't want victims receiving calls from the numbers.

“There's no inbound communications,” Dharmdasani said of the victims who unknowingly download the HeHe Android malware.

“It doesn't matter whom the SMS came from, it will still get intercepted. But it will disconnect calls selectively,” he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.