A new strain of Android malware has been spotted that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls without the device’s owner being any the wiser.
Dubbed Android.HeHe, the malware has six variants according to a blog post yesterday by Hitesh Dharmdasani, a mobile malware researcher with FireEye.
The malware apparently comes disguised as a security update (“Android Security”) for the phone’s operating system and once it’s set in place, it contacts the command-and-control server and conducts surveillance on incoming SMS messages. The command-and-control server responds with a list of phone numbers that “are of interest to the malware author,” according to Dharmdasani. If one of those numbers sends an SMS or makes a call to a compromised device, the malware intercepts it, refrains from sending the device a notification and removes the message from the SMS history.
While text messages are logged and sent to the C&C, phone calls are outright silenced and rejected.
Other information, like the phone’s International Mobile Station Equipment Identity (IMEI) number, its phone number, SMS address and channel ID are also collected, converted into JSON, then a string and sent off to the C&C as well.
Further information like the phone’s model, operating system version, associated network (GSM/CDMA) are sent off to the C+C in the same fashion.
While the C&C has since gone offline, FireEye researchers were still able to analyze how the server processed responses.
While FireEye’s blog post goes into the malware much more in depth, including a technical discussion of the malware’s “sandbox-evasion tactic,” it’s further proof that threats against Android – and even more variants of those threats – are continuing to stack up.