HenBox malware targets Chinese minority group

A new Android malware family dubbed HenBox is targeting a large online population based in China who have been the subject of numerous cyber-attacks in the past.

The family's name is based on metadata found in most of the malicious apps, such as package names and signer details.

HenBox was spotted masquerading as a variety of legitimate Android apps, such as VPN and Android system apps, and appears to primarily target the Uyghurs, a minority Turkish ethnic group that is primarily Muslim, according to a 13 March blog post.

At least some of the malware appeared to contain information that would appeal to Uyghurs with an interest in or association with terrorist groups, based on the very specific third-party app store in which the malware was spotted, researchers said.

The malware also targets devices made by Chinese manufacturer Xiaomi and those running Xiaomi's Google Android-based operating system.

HenBox also harvests all outgoing phone numbers with an "86" prefix, the country code for the People's Republic of China (PRC), and can access the phone's cameras and microphone. The malware looks to steal personal and device information from several sources on the device, including mainstream chat, communication and social media apps already installed by the user. It also installs legitimate versions of the applications that provide the advertised services, in order to trick users into thinking they downloaded the correct application.

Some of the legitimate apps used as decoys can be found on Google Play, but the malware-laced versions have so far only been found on third-party app stores. HenBox was linked to a malicious DroidVPN app, yet researchers noted that about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps.

The malware was linked to infrastructure used in separate targeted political attacks in Southeast Asia, and to attackers that have previously used PlugX, Zupdax, 9002 and Poison Ivy in attacks dating back to 2015. Researchers said the app has evolved over the last three years and that the vast majority of the apps contain several native libraries and other components that allow them to achieve their objective.

“Most components are obfuscated in some way, whether it be simple XOR with a single-byte key, or through the use of ZIP or Zlib compression wrapped with RC4 encryption,” researchers said in the blog. “These components are responsible for a myriad of functions including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location and more.”
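As an added example, not code from the blog or the researchers' tooling, the following Python triage helper unwraps the two obfuscation styles the quote describes: it brute-forces a single-byte XOR key and checks for known component magic, and it decrypts an RC4-wrapped zlib stream. The RC4 key, the sample payloads and the magic table are constructed assumptions, not values from any real HenBox component.

```python
import zlib

# Magic bytes of component types worth recognising once a layer is unwrapped:
# ELF native library, Dalvik DEX file, ZIP archive, zlib stream (default-level header).
MAGICS = {b"\x7fELF": "elf", b"dex\n": "dex", b"PK\x03\x04": "zip", b"\x78\x9c": "zlib"}

def identify(data: bytes):
    """Return the component type whose magic the buffer starts with, else None."""
    return next((name for magic, name in MAGICS.items() if data.startswith(magic)), None)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; symmetric, so it both encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):                      # key-scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def unwrap_xor(blob: bytes):
    """Try all 256 single-byte XOR keys; return (key, plaintext, kind) on a magic hit."""
    for key in range(256):
        candidate = bytes(b ^ key for b in blob)
        kind = identify(candidate)
        if kind:
            return key, candidate, kind
    return None

def unwrap_rc4_zlib(blob: bytes, key: bytes):
    """RC4-decrypt then zlib-inflate; None if the key is wrong (inflate fails)."""
    try:
        payload = zlib.decompress(rc4(key, blob))
    except zlib.error:
        return None
    return payload, identify(payload)

# Constructed samples (not from any real HenBox component): an ELF-like stub under XOR
# key 0x5A, and a DEX-like stub zlib-compressed then RC4-encrypted with a placeholder key.
SAMPLE_ELF = b"\x7fELF" + b"\x02\x01\x01\x00" * 4
XOR_BLOB = bytes(b ^ 0x5A for b in SAMPLE_ELF)
SAMPLE_DEX = b"dex\n035\x00" + b"\x00" * 24
RC4_KEY = b"placeholder-key"
RC4_BLOB = rc4(RC4_KEY, zlib.compress(SAMPLE_DEX))
```

Running `unwrap_xor(XOR_BLOB)` recovers key 0x5A and labels the payload `elf`; `unwrap_rc4_zlib(RC4_BLOB, RC4_KEY)` yields the DEX stub, while a wrong key returns None because the inflate step fails.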

To prevent infection, researchers recommend that users keep installed apps updated, review app permissions to see what an app is potentially capable of doing, and avoid third-party app stores that may host pirated versions of paid apps from the Google Play app store.
