FireEye Labs researcher Hitesh Dharmdasani wasn’t laughing when he recently discovered six variants of a malicious app that bills itself as “Android Security” and poses as an OS update for the user. He described its behavior in a FireEye Labs analysis post:
"It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages. The CnC is expected to respond with a list of phone numbers that are of interest to the malware author. If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected."
HeHe is stealthy: its service runs in the background, and once started it removes its entry from the phone’s main menu (the app launcher), so the user has no simple way of noticing that the app is installed. It then checks the phone’s network status.
The authors are apparently after specific content, presumably banking or password-related information: incoming calls and texts are screened against a table of phone numbers supplied by the CnC. If an incoming SMS comes from a number in that table, the app extracts the message body and the sender’s phone number and logs them for the CnC.
A second table from the CnC holds number prefixes. If the first three characters of a sender’s number match an entry in that table, the SMS is deleted from the device’s inbox so the user never sees it. An incoming call whose first three characters match the table gets the same treatment: the app sets the ringer mode to silent to suppress the call notification, disconnects the call, and removes its entry from the call log, erasing all traces of the call from the device.
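The screening behaviour described above, modelled in Python as an added illustration for this article. This is not code from the malware or from FireEye’s analysis; the table contents, field names (“numbers”, “prefixes”), the three-character prefix rule and the sample traffic are constructed here so the logic can be run offline, and device side effects are recorded rather than performed.

```python
"""
Model of the SMS/call screening that FireEye attributes to Android.HeHe.

Added illustration for this article, not code from the malware or from
FireEye's analysis. Table contents, field names and the sample traffic are
constructed for the example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PREFIX_LEN = 3  # "first three characters of the phone number"


@dataclass
class CncTables:
    """The two lists the article says the CnC returns to the infected device."""
    numbers_of_interest: Set[str]   # exact senders whose SMS are logged and exfiltrated
    blocked_prefixes: Set[str]      # prefixes whose SMS are deleted and calls silenced

    @classmethod
    def from_cnc_response(cls, response: Dict[str, List[str]]) -> "CncTables":
        # Response layout ("numbers"/"prefixes") is an assumption of this model.
        return cls(
            numbers_of_interest=set(response.get("numbers", [])),
            blocked_prefixes={p[:PREFIX_LEN] for p in response.get("prefixes", [])},
        )


@dataclass
class DeviceState:
    """Device side effects, recorded instead of performed."""
    inbox: List[Tuple[str, str]] = field(default_factory=list)     # (sender, body)
    call_log: List[str] = field(default_factory=list)              # callers
    exfil_db: List[Tuple[str, str]] = field(default_factory=list)  # the malware's internal DB
    ringer_silent: bool = False


def prefix_blocked(number: str, tables: CncTables) -> bool:
    """Crude prefix match on the first three characters, as the article describes."""
    return number[:PREFIX_LEN] in tables.blocked_prefixes


def handle_sms(sender: str, body: str, tables: CncTables, state: DeviceState) -> str:
    """Apply the described SMS handling; return the action taken for logging."""
    state.inbox.append((sender, body))  # the system delivers the message first
    actions = []
    if sender in tables.numbers_of_interest:
        # "extracts the contents of the SMS and the phone number of the sender"
        state.exfil_db.append((sender, body))
        actions.append("exfiltrated")
    if prefix_blocked(sender, tables):
        # "deleted from the device's SMS inbox so that the user never sees it"
        state.inbox.remove((sender, body))
        actions.append("deleted")
    return "+".join(actions) or "delivered"


def handle_call(caller: str, tables: CncTables, state: DeviceState) -> str:
    """Apply the described call handling; return the action taken for logging."""
    state.call_log.append(caller)  # the system logs the call first
    if prefix_blocked(caller, tables):
        state.ringer_silent = True     # ringer set to silent, notification suppressed
        state.call_log.remove(caller)  # "entry from the call logs is also removed"
        return "silenced+rejected"
    return "rang"


def run_demo() -> Tuple[DeviceState, List[str]]:
    """Run constructed sample traffic through the model and return what happened."""
    tables = CncTables.from_cnc_response({
        "numbers": ["+15551234567"],   # constructed: a "bank" the attacker cares about
        "prefixes": ["+15", "800"],    # constructed: prefixes to hide from the user
    })
    state = DeviceState()
    actions = [
        handle_sms("+15551234567", "Your one-time code is 493021", tables, state),
        handle_sms("+442071234567", "lunch?", tables, state),
        handle_call("8005550100", tables, state),
        handle_call("+442071234567", tables, state),
    ]
    return state, actions


if __name__ == "__main__":
    final_state, taken = run_demo()
    for action in taken:
        print(action)
    print("user-visible inbox:", final_state.inbox)
    print("sent to CnC:", final_state.exfil_db)
```

Two points stand out once the logic is written down. First, the number-of-interest and prefix tables act together: a message from the "bank" is copied to the malware’s internal database and then deleted from the inbox, so the victim never learns a one-time code was sent. Second, a three-character prefix match is coarse; a prefix such as "+15" hides every message and call from that whole range, which is collateral the user may notice as missing texts. That internal database of captured messages is the artifact an analyst would look for when triaging an infected device.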
HeHe’s uses can be myriad, of course, from espionage to info-stealing to simple mischief. As always, users are encouraged to avoid rogue app stores and to install nothing that does not come from a trusted source.
“Android malware variants are mushrooming,” Dharmdasani said. “Threats such as Android.HeHe and Android.MisoSMS reveal attackers’ growing interest in monitoring SMS messages and phone call logs. They also serve as a stark reminder of just how dangerous apps from non-trusted marketplaces can be.”