The malware, which FireEye identifies as Android.HeHe, is disguised as an Android security app. Upon installation, it contacts a command and control server, which responds with a list of specific phone numbers. If one of those numbers calls or sends a text message to the infected device, the malware intercepts the message or call, blocks device notifications, and removes all traces of the message or call from the device logs.
Text messages are forwarded to the command and control server, and phone calls are automatically silenced and rejected.
“Android malware variants are mushrooming,” FireEye researcher Hitesh Dharmdasani wrote in a blog post describing the malware. “Threats such as Android.HeHe and Android.MisoSMS reveal attackers’ growing interest in monitoring SMS messages and phone call logs. They also serve as a stark reminder of just how dangerous apps from non-trusted marketplaces can be.”
“We have seen Android malware doing premium text messaging and doing surveillance, but not often do we see it intercepting messages and phone calls,” Dharmdasani told CSO. “That’s the sort of thing we see malware heading towards, and it’s what I am at least a bit more concerned about.”