New Android Malware Intercepts Calls and Texts

23 January 2014

Mobile malware victims may have several reactions upon discovering a smartphone infection, but chuckling is likely not one of them. Nonetheless, a new Android malware threat dubbed "HeHe" has been identified that steals text messages and intercepts and disconnects phone calls.

FireEye Labs researcher Hitesh Dharmdasani wasn’t laughing when he recently discovered six variants of a malicious app that bills itself as “Android Security,” and ostensibly looks to provide the users with an OS update. He described its activities in a forensic blog:

"It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages. The CnC is expected to respond with a list of phone numbers that are of interest to the malware author. If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected."

HeHe is stealthy: The service runs in the background. Once started, it removes itself from the main menu of the phone, so the user has no simple way of detecting that the app is installed on the phone. It then goes on to check the network status of the phone.

The authors are apparently looking for certain types of content – presumably banking or password-related information – because calls and texts are screened against a table from the CnC. If an incoming message is of a wanted type, the app extracts the contents of the SMS and the phone number of the sender.

Also, if the first three characters of the phone number match the first three characters of phone numbers in a different table, the SMS is deleted from the device’s SMS inbox so that the user never sees it. Furthermore, the app sets the ringer mode of the phone to silent to suppress the notification of any incoming call whose number matches the table on its first three characters, and the phone call is disconnected. The corresponding entry in the call logs is also removed, erasing all traces of the call from the device.
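Because the message and call-log entries are erased on the handset, the gap only shows up against a record kept elsewhere. The following is an added example, not code from the article or from FireEye: it reconciles carrier-side delivery records with the device's own logs and flags three-character number prefixes whose events are all missing on the device. The record layout, the sample data and the assumption that timestamps are already normalized are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample data (not from the FireEye report): carrier-side records
# of events delivered to the handset, as (timestamp, kind, sender) tuples,
# and the entries that the handset's own SMS inbox and call log still show.
CARRIER_RECORDS = [
    ("2014-01-20T09:01", "sms",  "+15550100"),
    ("2014-01-20T09:05", "call", "+15550101"),
    ("2014-01-20T10:12", "sms",  "+447700900123"),
    ("2014-01-20T11:30", "call", "+447700900456"),
    ("2014-01-20T12:00", "sms",  "+447700900789"),
    ("2014-01-20T12:45", "call", "+15550102"),
]
DEVICE_LOGS = [
    ("2014-01-20T09:01", "sms",  "+15550100"),
    ("2014-01-20T09:05", "call", "+15550101"),
    ("2014-01-20T12:45", "call", "+15550102"),
]

def missing_events(carrier, device):
    """Events the carrier delivered that left no trace in the device logs."""
    seen = set(device)
    return [rec for rec in carrier if rec not in seen]

def suspicious_prefixes(carrier, device, prefix_len=3, min_missing=2):
    """Group senders by their first `prefix_len` characters and return the
    prefixes for which every carrier-side event is absent on the device."""
    total = defaultdict(int)
    missing = defaultdict(list)
    for _, _, number in carrier:
        total[number[:prefix_len]] += 1
    for rec in missing_events(carrier, device):
        missing[rec[2][:prefix_len]].append(rec)
    # A prefix is suspicious only if enough events are missing AND none of
    # its events survived, which matches prefix-based suppression.
    return {p: recs for p, recs in missing.items()
            if len(recs) >= min_missing and len(recs) == total[p]}

if __name__ == "__main__":
    hits = suspicious_prefixes(CARRIER_RECORDS, DEVICE_LOGS)
    for prefix, recs in hits.items():
        print(f"prefix {prefix!r}: {len(recs)} events missing from device logs")
        for ts, kind, number in recs:
            print(f"  {ts} {kind} from {number}")
```

A prefix whose calls and texts are consistently absent from the handset, while other senders' events are intact, is a reason to pull the device for forensic review.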

HeHe’s uses can be myriad, of course – from espionage to info-stealing to simple mischief. As always, users are encouraged to avoid rogue app stores and downloading anything that doesn’t come from a trusted source.

“Android malware variants are mushrooming,” Dharmdasani said. “Threats such as Android.HeHe and Android.MisoSMS reveal attackers’ growing interest in monitoring SMS messages and phone call logs. They also serve as a stark reminder of just how dangerous apps from non-trusted marketplaces can be.”
