Researchers have identified a different Android malware family that conceals itself as a security app and intercepts the inbound texts and calls of victims. According to a malware researcher at FireEye who wrote about the new threat on Tuesday, six variants of the Android malware, now being called “HeHe,” have been detected by the security firm, all of which are below a detection rate of 3/48 on Virustotal.
“The possible sources are that you get a link to download the app as an SMS spam message, or from forums where all of these third party apps are advertised,” the researcher said.
He added that this malware seems to be aimed at Korean users because the malicious “Android security” app is written in that language.
In addition, HeHe malware also collects other phone data – including international mobile subscriber identity (IMSI) data, International Mobile Station Equipment Identity [IMEI] numbers, and phone numbers and sends the data to two Command-and-control servers, which are hardcoded into the malware: 126.96.36.199 and 188.8.131.52.
“There are no inbound communications,” the researcher said of the victims who unknowingly download the HeHe Android malware. “It doesn’t matter whom the SMS came from, it will still get intercepted. But it will disconnect calls selectively,” he added.