
Android malware HenBox hits Xiaomi devices & minority group in China

March 14th, 2018 | Waqas | Security, Android, Malware, Surveillance

The IT security researchers at Palo Alto Networks’ Unit 42 have identified an Android malware that they have dubbed HenBox. The name was chosen because of metadata discovered in a majority of the infected apps, including package names and signer information.

The malware is distributed with different types of legitimate Android apps, such as Virtual Private Network (VPN) apps and other Android system-related apps. Users believe they are installing authentic Android apps, but in reality they are downloading the HenBox malware.

Some legitimate apps that contain HenBox are available on Google Play as well, but most of them are uploaded to unofficial third-party app stores. The malware is suspected to target people associated with terrorist groups.

In a blog post published on March 13th, Palo Alto Networks revealed that HenBox’s primary targets are users in China, particularly the Uyghurs, a minority Turkic ethnic Muslim group. The malware was found to contain information that is of interest to the Uyghurs. This community is located in North West China’s Xinjiang Uyghur Autonomous Region, where smartphones are the primary means of internet access, which is why the region has a vast population of mobile users.

HenBox also targets devices manufactured by the renowned China-based mobile manufacturer Xiaomi and devices that run MIUI, a Google Android-based operating system developed by Xiaomi. Moreover, the malware is capable of gathering outgoing phone numbers that contain the prefix “86”, which is the country code for the People’s Republic of China.

The malware can also access a device’s microphone and camera, and it attempts to steal private data as well as device information from on-device sources such as social media and mainstream chat apps. It also installs authentic versions of apps to deceive users into believing that they have downloaded legitimate apps.

HenBox is also linked to the malicious DroidVPN app. Researchers observed that over half of the malware-laden apps contain embedded APK objects, which are not usually part of authentic apps.


A fake DroidVPN app on a third-party store (Source: Palo Alto Networks)

There is also evidence that HenBox’s infrastructure has already been used in other politically motivated attacks in South East Asia, and in PlugX, 9002, Zupdax and Poison Ivy attacks from 2015. Over 200 samples of HenBox malware have so far been discovered by Unit 42.


A majority of the samples were active from mid to late 2017, and only a handful were observed in 2015 and 2016. In 2018, the number of samples has remained small, but the attacks have been consistent, which hints at a campaign that is slowly but gradually gearing up. The app has improved considerably in the past three years, as it now contains various native libraries and components that help it achieve its malicious objectives.

“Most components are obfuscated in some way, whether it be simple XOR with a single-byte key, or through the use of ZIP or Zlib compression wrapped with RC4 encryption. These components are responsible for a myriad of functions including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location and more,” the blog post reads.
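For analysts triaging a suspicious app, the two traits reported above (embedded APK objects, and components hidden behind a single-byte XOR key) can be checked statically. The following Python sketch is an added example, not code from Unit 42 or from this article; the function names, the skip list for expected files and the sample data are assumptions constructed for illustration, and it does not attempt the RC4 or Zlib layers the quote mentions.

```python
import io
import zipfile

# Magic bytes of formats that are unusual as payload files inside an APK.
MAGICS = {b"PK\x03\x04": "zip", b"dex\n": "dex", b"\x7fELF": "elf"}

def make_zip(files: dict) -> bytes:  # helper used only to construct sample input
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in files.items():
            z.writestr(name, data)
    return buf.getvalue()

def identify(head: bytes):
    """Return (format, xor_key) if head matches a magic; key 0 means not XORed."""
    for magic, fmt in MAGICS.items():
        key = head[0] ^ magic[0] if len(head) >= 4 else 0
        if bytes(b ^ key for b in head[:4]) == magic:
            return fmt, key
    return None

def is_apk(data: bytes) -> bool:
    """Treat a ZIP carrying AndroidManifest.xml or classes.dex as an APK."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return bool({"AndroidManifest.xml", "classes.dex"} & set(z.namelist()))
    except zipfile.BadZipFile:
        return False

def scan_apk(apk: bytes) -> list:
    """Return (entry, format, xor_key) for embedded APK/ZIP/DEX/ELF objects."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk)) as outer:
        for name in outer.namelist():
            # Root classes*.dex and native libraries under lib/ are expected in any app.
            if name.startswith("lib/") or (name.startswith("classes") and name.endswith(".dex")):
                continue
            data = outer.read(name)
            hit = identify(data[:4])
            if hit:
                fmt, key = hit
                plain = bytes(b ^ key for b in data)
                findings.append((name, "apk" if fmt == "zip" and is_apk(plain) else fmt, key))
    return findings

# Constructed sample: fake outer APK holding one plain and one XOR-0x5A embedded APK.
base = {"AndroidManifest.xml": b"<manifest/>", "classes.dex": b"dex\n035\x00"}
inner = make_zip(base)
SAMPLE = make_zip({**base, "assets/readme.txt": b"hello", "assets/a.apk": inner,
                   "res/raw/data.bin": bytes(b ^ 0x5A for b in inner)})
```

Calling `scan_apk(SAMPLE)` reports both embedded APKs, including the one whose ZIP header only becomes visible after the XOR key is recovered from its first byte. A hit is a triage signal rather than a verdict, since some legitimate apps also bundle secondary archives.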

To prevent infection, researchers suggest keeping apps up to date and reviewing app permissions to check what each app is capable of. Furthermore, it is important not to download apps from third-party app stores, to avoid installing pirated and infected versions. Users should always stick to trusted sources like the Google Play Store for downloading apps.

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in the United Kingdom.
