In the course of further research, we found a number of related samples that point to a long-term development process. The stolen information includes personal and device information. At the beginning of October 2017, we discovered new Android spyware with several features previously unseen in the wild. This is common practice for many Android apps; however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices and, once activated, proceeds to steal information from a myriad of sources, including many mainstream chat, communication and social media apps. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. HenBox apps target devices made by the Chinese consumer electronics manufacturer Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. These attackers have used additional malware families in previous activity dating to at least 2015, including PlugX, Zupdax, 9002, and Poison Ivy. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. While some of the legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores.
HenBox apps masquerade as other apps, such as VPN apps and Android system apps; some carry legitimate versions of other apps, which they drop and install as a decoy technique.