HenBox

HenBox is Android malware that attempts to only execute on Xiaomi devices running the MIUI operating system. HenBox has primarily been used to target Uyghurs, a minority Turkic ethnic group.[1]

ID: S0544
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 17 December 2020
Last Modified: 12 April 2021

Techniques Used

Domain ID Name Use
Mobile T1433 Access Call Log

HenBox has collected all outgoing phone numbers that start with "86".[1]

Mobile T1432 Access Contact List

HenBox can access the device’s contact list.[1]

Mobile T1413 Access Sensitive Data in Device Logs

HenBox can monitor system logs.[1]

Mobile T1418 Application Discovery

HenBox can obtain a list of running apps.[1]

Mobile T1402 Broadcast Receivers

HenBox has registered several broadcast receivers.[1]

Mobile T1429 Capture Audio

HenBox can access the device’s microphone.[1]

Mobile T1512 Capture Camera

HenBox can access the device’s camera.[1]

Mobile T1412 Capture SMS Messages

HenBox can intercept SMS messages.[1]

Mobile T1605 Command-Line Interface

HenBox can run commands as root.[1]

Mobile T1533 Data from Local System

HenBox can steal data from various sources, including chat, communication, and social media apps.[1]

Mobile T1476 Deliver Malicious App via Other Means

HenBox has been distributed via third-party app stores.[1]

Mobile T1407 Download New Code at Runtime

HenBox can load additional Dalvik code while running.[1]

Mobile T1523 Evade Analysis Environment

HenBox can detect if the app is running on an emulator.[1]

Mobile T1430 Location Tracking

HenBox can track the device’s location.[1]

Mobile T1444 Masquerade as Legitimate Application

HenBox has masqueraded as VPN and Android system apps.[1]

Mobile T1575 Native Code

HenBox has contained native libraries.[1]

Mobile T1406 Obfuscated Files or Information

HenBox has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption.[1]

Mobile T1424 Process Discovery

HenBox can obtain a list of running processes.[1]

Mobile T1426 System Information Discovery

HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device.[1]

References