Six new variants of the Android.HeHe data-stealing malware have been discovered targeting smartphone users.
FireEye threat researcher Hitesh Dharmdasani reported the discovery in a blog post, confirming that all six are being spread by bogus "Android security" apps that pose as an operating-system update.
"FireEye Labs has recently discovered six variants of a new Android threat that steals text messages and intercepts phone calls," read the post.
"The app disguises itself as 'Android security', advertising itself as an OS update. It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages."
Dharmdasani said that once installed on an Android device, the malware gives its operators a range of data-siphoning capabilities, including SMS and call monitoring, remote wipe and call blocking.
All of the variants reportedly report back the version number of the app that delivered the malware, the model of the infected phone, the Android version installed on it and the type of network the device is connected to.
"The CnC is expected to respond with a list of phone numbers that are of interest to the malware author. If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs," explained Dharmdasani.
"Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected."
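The interception behaviour described above (a receiver that sees SMS and call events before the user does, plus the permissions needed to read, reject and erase them) leaves a recognisable footprint in an app's manifest. The following is an added example of a static triage script, written for this page and not taken from FireEye's analysis or from the HeHe samples; the two manifests it inspects are constructed to resemble, respectively, a fake "Android security" updater and a harmless notes app, and the package names, receiver names and scoring thresholds are illustrative assumptions. One caveat a practitioner should keep in mind: consuming `SMS_RECEIVED` with a high-priority receiver and `abortBroadcast()` only hides a message on Android releases before 4.4 (KitKat), where the default SMS app became the only one allowed to consume incoming SMS, so a high-priority SMS receiver on a later target is a signal of intent rather than of working interception.

```python
"""Triage a decoded AndroidManifest.xml (as produced by apktool) for the
SMS/call-interception capability set. Added example, not FireEye's code."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permissions that together give an app the powers described in the article:
# read/intercept SMS, watch and reject calls, erase call records, reach a CnC.
SUSPICIOUS_PERMISSIONS = {
    "android.permission.RECEIVE_SMS": "sees incoming SMS as they arrive",
    "android.permission.READ_SMS": "reads the SMS store",
    "android.permission.READ_PHONE_STATE": "observes incoming call state",
    "android.permission.CALL_PHONE": "can place calls",
    "android.permission.WRITE_CALL_LOG": "can erase call records",
    "android.permission.INTERNET": "can talk to a CnC server",
}

# Broadcasts a receiver can hook to see SMS and calls before the user does.
INTERCEPTABLE_ACTIONS = {
    "android.provider.Telephony.SMS_RECEIVED": "ordered broadcast, abortable before Android 4.4",
    "android.intent.action.PHONE_STATE": "fires when a call is ringing",
    "android.intent.action.NEW_OUTGOING_CALL": "ordered broadcast, can cancel the call",
}

# Assumed threshold: a filter priority this high is trying to outrank the
# stock messaging app (which registers at or below 999).
HIGH_PRIORITY = 999


def _a(el, attr, default=None):
    """Read an android:-namespaced attribute from a manifest element."""
    return el.get("{%s}%s" % (ANDROID_NS, attr), default)


def triage_manifest(manifest_xml):
    """Return the suspicious permissions, interceptable receivers, a score
    and a verdict ("high" / "medium" / "low") for one manifest."""
    root = ET.fromstring(manifest_xml)
    perms = {_a(p, "name") for p in root.iter("uses-permission")}
    hits = sorted(perms & SUSPICIOUS_PERMISSIONS.keys())

    receivers = []
    for rcv in root.iter("receiver"):
        for flt in rcv.findall("intent-filter"):
            actions = {_a(act, "name") for act in flt.findall("action")}
            for action in sorted(actions & INTERCEPTABLE_ACTIONS.keys()):
                receivers.append({
                    "receiver": _a(rcv, "name"),
                    "action": action,
                    "priority": int(_a(flt, "priority", "0")),
                })

    # One point per suspicious permission, two per interceptable receiver,
    # two more if the receiver tries to outrank the messaging app.
    score = len(hits) + sum(
        2 + (2 if r["priority"] >= HIGH_PRIORITY else 0) for r in receivers)

    sms_intercept = any(r["action"].endswith("SMS_RECEIVED")
                        and r["priority"] >= HIGH_PRIORITY for r in receivers)
    if (sms_intercept and "android.permission.RECEIVE_SMS" in perms
            and "android.permission.INTERNET" in perms):
        verdict = "high"      # can hide SMS and exfiltrate them
    elif receivers:
        verdict = "medium"    # watches SMS/calls but no clear hide+exfil combo
    else:
        verdict = "low"
    return {"package": root.get("package"), "permissions": hits,
            "receivers": receivers, "score": score, "verdict": verdict}


# Constructed sample: a fake "Android security" updater (names are assumptions).
INTERCEPTOR_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.androidsecurity">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.CALL_PHONE"/>
  <uses-permission android:name="android.permission.WRITE_CALL_LOG"/>
  <application android:label="Android security">
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
    <receiver android:name=".CallReceiver">
      <intent-filter>
        <action android:name="android.intent.action.PHONE_STATE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a harmless app that only needs network access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Notes"/>
</manifest>"""


if __name__ == "__main__":
    for m in (INTERCEPTOR_MANIFEST, BENIGN_MANIFEST):
        r = triage_manifest(m)
        print(r["package"], r["verdict"], r["score"])
        for rcv in r["receivers"]:
            print("  %(receiver)s hooks %(action)s at priority %(priority)d" % rcv)
```

Run against a manifest pulled from a real APK (`apktool d app.apk`, then `AndroidManifest.xml` in the output directory), the script is a first-pass filter, not a detection: a legitimate messaging or call-screening app requests the same permissions, so a "high" verdict is a cue to pull the receiver classes apart and look for the CnC registration, number list and log-deletion logic the article describes.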
Dharmdasani confirmed that the CnC server FireEye had been studying has since gone inert, suggesting that the malware's authors realised their operation had been discovered.
Jason Steer, director of security strategy at FireEye, told V3 that businesses should be concerned by these capabilities, as the same malware could be used to siphon corporate data.
"This branch of apps is clearly designed for intelligence gathering – doing nothing other than collecting information that the attackers can use. If this was a banking attack, for example, one may see the exfiltration of SMS codes to other infrastructure, or if it was a corporate attack we may see other information being exfiltrated such as mails, messages and GPS details. So the fact that so little is taken would indicate this is quite narrow and gathering some information on specific phone numbers to target."
Steer told V3 that FireEye expects to uncover more Android malware in the very near future. "Android malware will continue to grow as more consumers buy good quality handsets and businesses adopt the BYOD model – the lack of maturity in the mobile industry enables attackers to be very successful with both targeted and broad attacks, and until security is better baked into Android, attacks will continue to grow," he said.
Steer's forecast mirrors that of numerous other technology companies. Earlier this month, network giant Cisco reported that its research shows 99 percent of all mobile malware is designed to target the Android platform.