New Android Malware Steals SMS Messages, Intercepts Calls

A new strain of Android malware has emerged that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls.

A new strain of Android malware has been spotted that masquerades as an Android security app but once installed, can steal text messages and intercept phone calls without the device’s owner being any the wiser.

Dubbed Android.HeHe, the malware has six variants according to a blog post yesterday by Hitesh Dharmdasani, a mobile malware researcher with FireEye.

The malware apparently comes disguised as a security update (“Android Security”) for the phone’s operating system and once it’s set in place, it contacts the command-and-control server and conducts surveillance on incoming SMS messages. The command-and-control server responds with a list of phone numbers that “are of interest to the malware author,” according to Dharmdasani. If one of those numbers sends an SMS or makes a call to a compromised device, the malware intercepts it, refrains from sending the device a notification and removes the message from the SMS history.

While text messages are logged and sent to the C&C, phone calls are outright silenced and rejected.

Other information, like the phone’s International Mobile Station Equipment Identity (IMEI) number, its phone number, SMS address and channel ID are also collected, converted into JSON, then a string and sent off to the C&C as well.

Further information like the phone’s model, operating system version, associated network (GSM/CDMA) are sent off to the C+C in the same fashion.

While the C&C has since gone offline, FireEye researchers were still able to analyze how the server processed responses.

While FireEye’s blog post goes into the malware much more in depth, including a technical discussion of the malware’s “sandbox-evasion tactic,” it’s further proof that threats against Android – and even more variants of those threats – are continuing to stack up.

Suggested articles


  • HeHe on

    Best name for malware ever.
  • Phil on

    this is great to know but how do we prevent it or how do we Detect it
  • **EJ** on

    The source of this file and how one comes to have it presented to them isn't clear. I've requested that info on the FireEye blog entry.
  • Spaz on

    If this is another one where you have to sideload the apk outside of playstore.. then people are getting what they deserve..

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.