The IT security researchers at Palo Alto Networks’ Unit 42 have identified an Android malware that has been dubbed as HenBox. The name HenBox has been chosen due to the metadata discovered in a majority of the infected apps including package name and signer information.
This malware is distributed with different types of legitimate Android apps such as Virtual Private Network (VPN) or other Android system-related apps. Users believe that they are installing authentic Android apps but in reality, the HenBox malware is being downloaded.
Some legitimate apps that contain HenBox are available on Google Play as well but most of them are uploaded to unauthentic, third-party app stores. The malware is suspected to target those with association with terrorist groups.
In a blog post published on March 13th, Palo Alto Networks revealed that HenBox’s primary targets are users in China particularly the Uyghurs, which is a minority, Turkic ethnic Muslim group. The malware is discovered to be containing information that is of interest to the Uyghurs. This community is located in the North West China’s Xinjiang Uyghur Autonomous Region and smartphones are the primary source of internet access in this area, which is why it has a vast population of mobile users.
HenBox also targets devices manufactured by the renowned China-based mobile manufacturer Xiaomi and the devices that run on MIUI, a Google Android-based operating system developed by Xiaomi. Moreover, the malware is capable of gathering outgoing phone numbers that contain the prefix “86”. This happens to be the country code for the People’s Republic of China.
The malware can also access microphone and camera of a device and attempts to steal private data as well as device information by using device sources of information like social media apps and mainstream chat. It also installs authentic versions of apps to deceive users into believing that they have downloaded legitimate apps.
HenBox is also linked to the malicious DroidVPN app while researchers observed that over half of the malware-laden apps contain embedded APK objects, which are not usually part of authentic apps.
A fake DroidVPN app on a third-party store (Source: Palo Alto Networks)
There is also evidence that HenBox’s infrastructure has already been used in other politically-triggered attacks in South East Asia and in PlugX, 9002, Zupdax and Poison Ivy attacks from 2015. Over 200 samples of HenBox malware have so far been discovered by Unit 42.
A majority of the samples were active from mid to late 2017 and only a handful of these samples were observed in 2015 and 2016. In 2018, the number of samples has remained small but there is definitely a consistency in attacks, which hints at the presence of a slowly but gradually gearing up to the campaign. The app has considerably improved in the past three years as it now contains various native libraries and components that help it in achieving its malicious objectives.
“Most components are obfuscated in some way, whether it be simple XOR with a single-byte key, or through the use of ZIP or Zlib compression wrapped with RC4 encryption. These components are responsible for a myriad of functions including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location and more,” the blog post reads
To prevent infection, researchers suggest that apps must be updated timely and app permissions should be reviewed to check the capabilities of the app. Furthermore, it is important to not download apps from third-party app stores to avoid installation of pirated and infected versions. Users must always stick to trusted sources like Google Play Store for downloading apps.
