Google’s Android Is consolidating its position as the most popular mobile operating system and primary attack target for malicious actors interested in compromising mobile devices.
“FireEye Labs has recently discovered six variants of a new Android threat that steals text messages and intercepts phone calls” (fireeye.com, 2014) called Android.HeHe”.
It is a Trojan horse for Android devices that blocks incoming calls and SMS messages from specific numbers and disguises as a genuine android security update also known as OS update. “It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages.he CnC is expected to respond with a list of phone numbers that are of interest to the malware author. If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs.
TAny SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected.” (fireeye.com, 2014)
The fire eye has discovered six variants of Android malware family as listed below;
|MD5||VirusTotal Detection Ratio|
Source: (fireeye.com, 2013)
How it works
“This app starts the main HeHe activity at startup. The constructor of the HeHeActivity registers a handler using the android.os.Handle, which acts as a thread waiting for an object of type android.os.Message to perform different actions, which are outlined below.
Because the HeHeActivity implements the standard DailogInterfaceOnClickListener, the start of the app causes the showAlterDailog message to be displayed
The app then sends an intent to start three services in the background. These services are explained below.
This app checks for the presence of an emulator by calling the isEmulator function, which does the following:
1. It checks the value of the MODEL of the device (emulators with the Google ADT bundle have the string “sdk” as a part of the MODEL variable).
2. It also checks to see if the IMSI code is “null” — emulators do not have an IMSI code associated with them.
This app uses two hard-coded IP address to locate its CnC servers: 22.214.171.124 and 126.96.36.199. The app performs all communications through HTTP POST requests. The contents of the HTTP POST are encrypted using AES with a 128-bit key that is hardcoded into the app. The app sends its lastVersion value —to 188.8.131.52, to address is where is used to check for , in which the app sends its version of the app. The address 184.108.40.206 is used to report incoming SMS messages
Because the IP address is no longer reachable, responses from the server could not be analyzed. What is clear is that the server sends a JSON object in response, which contains a “token” field.
Although the CnC server is currently unavailable, we can infer how the app works by examining the how it processes the received responses.
The app consists of different data structures that are converted into their equivalent JSON representations when they are sent to the CnC. Also, All JSON object responses are converted into their equivalent internal data structures. We have also observed the mechanism used to populate the internal database which includes tables (tbl_intercept_info) which contain the phone numbers to be blocked.
The app uses hxxp://220.127.116.11:9008 and hxxp://18.104.22.168:9008 to send information to the CnC server.
The mapping of URLs to their internal class data structures is as follows:
This request is sent when the app is first installed on the device. The bot sends the version code of the device (currently set to 1.0.0) to the CnC. The CnC response shall contain the URL to an update if available. The availability of an update is signified through an ‘update’ field in the response
Request to CnC to check for version
This request is sent when the app sends an intent with a “LOGIN” option to the RegisterService as explained above. The request contains the IMSI, IMEI, Phone number, SMS address (Phone number), Channel ID, a token and the IP address being used by the app as its CnC. This causes the infected device to be registered with the CnC.
This request is sent to further authenticate the device to the CnC, It contains the token previously received, the version of the Bot, the model of the phone, the version of the OS, the type of network and the other active network parameters such as signal strength. In response, It only gets a result value.
The report request sends the information present in tbl_report_info to the CnC. This table contains information about other requests that were sent but failed.
This requests asks for tasks from the CnC server. The response contains a retry interval and a sendSmsActionNotify value. It is sent when the response to the LoginRequest is 401 instead of 200.
This request to the CnC sends the contents of the SMS messages that are received on the device. It consists of the contents of the SMS message, the time of the message and the sender of the SMS. This has been observed in the logcat output as follows:
3. ” (fireeye.com, 2014)
:Experts say the existence of threats such as Andorid.MisoSMS and Android.HeHe show that cyber criminals are becoming more and more interested in monitoring SMS and phone calls.”(technomag.co.zw, 2014)
1. FireEye, Inc. , 2014, viewed on 23rd January 2014. From:http://www.fireeye.com/blog/technical/2014/01/android-hehe-malware-now-disconnects-phone-calls.html
2. TechnoMag, 2014, viewed on 24th January 2014. From: http://technomag.co.zw/2014/01/23/new-android-threat-%C2%A8android-hehe%C2%A8-exposed/