

New Android Malware Intercepts Calls and Texts

23 January 2014

Mobile malware victims may have several reactions upon discovering a smartphone infection, but chuckling is likely not one of them. Nonetheless, a new Android malware threat dubbed "HeHe" has been identified that steals text messages and intercepts and disconnects phone calls.

FireEye Labs researcher Hitesh Dharmdasani wasn’t laughing when he recently discovered six variants of a malicious app that bills itself as “Android Security” and ostensibly offers users an OS update. He described its activities in a forensic blog post:

"It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages. The CnC is expected to respond with a list of phone numbers that are of interest to the malware author. If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected."

HeHe is stealthy: The service runs in the background. Once started, it removes itself from the main menu of the phone, so the user has no simple way of detecting that the app is installed on the phone. It then goes on to check the network status of the phone.

The authors are apparently looking for certain types of content – presumably banking or password-related information – because calls and texts are screened against a table from the CnC. If an incoming message is of a wanted type, the app extracts the contents of the SMS and the phone number of the sender.

Also, if the first three characters of the phone number match the first three characters of phone numbers in a different table, the SMS is deleted from the device’s SMS inbox so that the user never sees it. Furthermore, the app sets the ringer mode of the phone to silent to suppress the notification of any incoming call whose number’s first three characters match the table, and the call is disconnected. Its corresponding entry in the call logs is also removed, erasing all traces of the call from the device.
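For defenders triaging an app like the one described above, the following added example (not from the article or from FireEye's analysis) checks a decoded AndroidManifest.xml for the permission set those behaviours would need. The behaviour-to-permission mapping, the function name `triage_manifest` and both sample manifests are assumptions constructed for illustration; it also assumes the manifest has already been decoded from an APK to text XML (for example with apktool).

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_RECEIVED = "android.provider.Telephony.SMS_RECEIVED"

# Assumed mapping: behaviour described in the article -> Android permission it needs.
BEHAVIOUR_PERMISSIONS = {
    "monitor incoming SMS": "android.permission.RECEIVE_SMS",
    "delete SMS from inbox": "android.permission.WRITE_SMS",
    "watch incoming calls": "android.permission.READ_PHONE_STATE",
    "remove call-log entries": "android.permission.WRITE_CALL_LOG",
}

def triage_manifest(manifest_xml):
    """Report which of the described behaviours a decoded manifest could support."""
    root = ET.fromstring(manifest_xml)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    behaviours = sorted(b for b, perm in BEHAVIOUR_PERMISSIONS.items() if perm in requested)
    # Record the declared priority of any receiver registered for SMS_RECEIVED.
    priorities = []
    for receiver in root.iter("receiver"):
        for flt in receiver.iter("intent-filter"):
            if any(a.get(ANDROID + "name") == SMS_RECEIVED for a in flt.iter("action")):
                raw = flt.get(ANDROID + "priority", "0")
                priorities.append(int(raw) if raw.lstrip("-").isdigit() else 0)
    return {
        "behaviours": behaviours,
        "sms_receiver_priority": max(priorities) if priorities else None,
        # Flag for manual review only when every behaviour is possible at once.
        "review": len(behaviours) == len(BEHAVIOUR_PERMISSIONS),
    }

# Constructed sample manifests (not taken from any real app).
NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'
PERMS = "".join('<uses-permission android:name="%s"/>' % p
                for p in BEHAVIOUR_PERMISSIONS.values())
SUSPECT = f"""<manifest {NS} package="com.example.constructed.update">
  {PERMS}
  <application><receiver android:name=".R"><intent-filter android:priority="1000">
    <action android:name="{SMS_RECEIVED}"/></intent-filter></receiver></application>
</manifest>"""
BENIGN = f"""<manifest {NS} package="com.example.constructed.otp">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <application/>
</manifest>"""

if __name__ == "__main__":
    for name, xml in (("suspect", SUSPECT), ("benign", BENIGN)):
        print(name, triage_manifest(xml))
```

A match is a reason to look closer, not a verdict: legitimate dialer and messaging apps request some of the same permissions.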

HeHe’s uses can be myriad, of course – from espionage to info-stealing to simple mischief. As always, users are encouraged to avoid rogue app stores and downloading anything that doesn’t come from a trusted source.

“Android malware variants are mushrooming,” Dharmdasani said. “Threats such as Android.HeHe and Android.MisoSMS reveal attackers’ growing interest in monitoring SMS messages and phone call logs. They also serve as a stark reminder of just how dangerous apps from non-trusted marketplaces can be.”


