New Henbox Malware Targets Minority Populations in China


A new strain of Android malware, identified by Palo Alto Networks Unit 42, has been named HenBox; the researchers found the name in the metadata of the infected applications. HenBox is embedded in legitimate Android applications, such as Virtual Private Network (VPN) apps. While users download what they believe to be legitimate products, from Google Play amongst other sites, they are simultaneously infected with HenBox. Most downloads of this new malware come from inauthentic third-party app stores.

It is believed that this app targets individuals involved with terrorism. Palo Alto Networks stated in a blog post on March 13th that HenBox is chiefly aimed at targets in China amongst the minority Uyghur population, a Turkish Muslim population. The malware is marked with information specific to the Uyghurs.

The Uyghurs live in Northwest China in an autonomous Uyghur region where smartphones are predominant and are the only link to the outside world via the web. To add to this picture, HenBox is reportedly aimed specifically at penetrating smartphones manufactured by China's Xiaomi, which run the company's MIUI operating system, based on Google's Android.

HenBox is designed specifically to gather outgoing phone numbers that call numbers in China, that is, numbers with the "86" prefix. To add insult to injury, HenBox is capable of surveillance by activating the camera and microphone on the Xiaomi smartphones, and it collects device information and private information mined from the user's social media applications. Penetration succeeds because the infected apps install and function legitimately. HenBox-infected apps contain hidden APK objects, which are not normally found in authentic applications. HenBox is also linked to DroidVPN, a well-known malware.
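A defender-side check for the hidden APK objects mentioned above, added here as an example and not taken from Palo Alto Networks or the original article. The sample APKs are constructed in memory, and the heuristic (a zip entry that is itself a zip carrying AndroidManifest.xml) is an assumption about how such a nested object would appear:

```python
import io
import zipfile

ZIP_MAGIC = b"PK\x03\x04"


def make_apk(manifest: bytes, extra: dict[str, bytes]) -> bytes:
    """Build a minimal APK-shaped zip in memory (constructed sample, not a real app)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", manifest)
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 16)
        for name, data in extra.items():
            zf.writestr(name, data)
    return buf.getvalue()


def is_apk(data: bytes) -> bool:
    """An entry counts as an APK if it is a zip archive that carries AndroidManifest.xml."""
    if not data.startswith(ZIP_MAGIC):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "AndroidManifest.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def find_embedded_apks(apk_bytes: bytes) -> list[str]:
    """Return the names of entries inside an APK that are themselves APKs.
    Legitimate apps rarely ship nested APKs, so any hit is worth analyst review."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if is_apk(zf.read(info.filename)):  # read() returns the decompressed entry
                hits.append(info.filename)
    return hits


# Constructed samples: a clean VPN-style app, and the same app repackaged with a nested APK
CLEAN_APK = make_apk(b"<manifest package='com.example.vpn'/>",
                     {"res/raw/config.txt": b"server=vpn.example"})
PAYLOAD_APK = make_apk(b"<manifest package='com.example.hidden'/>", {})
REPACKAGED_APK = make_apk(b"<manifest package='com.example.vpn'/>",
                          {"assets/data.bin": PAYLOAD_APK,
                           "res/raw/config.txt": b"server=vpn.example"})

if __name__ == "__main__":
    print("clean:", find_embedded_apks(CLEAN_APK))            # []
    print("repackaged:", find_embedded_apks(REPACKAGED_APK))  # ['assets/data.bin']
```

On a real sample, pass the file's bytes to find_embedded_apks and treat any nested APK as a trigger for manual review rather than a verdict on its own.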

Palo Alto Networks collected more than 200 samples of HenBox, dating mainly from the end of 2017, with a very small number dating back to 2015 and 2016. At this point the sample is small, but there is evidence that consistent attacks are slowly increasing in frequency, suggesting that the pace of infection will dramatically increase over time. This is supported by the marked development of the malware into a more efficient tool, with newly added native libraries and components that handle decryption, track the device location, gain user privileges, monitor system logs, load Dalvik code files, and handle network communications.

The evidence further supports that HenBox has been deployed in politically motivated attacks all over South East Asia, and in PlugX, Zupdax, 9002 and Poison Ivy attacks from 2015.

Researchers recommend that users protect themselves against HenBox by updating frequently and by carefully monitoring app permissions. Steer clear of third-party app stores and pirated versions of apps. Trusted sources like the Google Play Store remain the safest bet.