add Henbox

clusters/android.json

@@ -4280,9 +4280,19 @@
         ]
       },
       "uuid": "3178ca72-2ded-11e8-846e-eb40889b4f9f"
+    },
+    {
+      "value": "HenBox",
+      "description": "HenBox apps masquerade as others such as VPN apps, and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HexBox apps target devices made by Chinese consumer electronics manufacture, Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps, however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds in stealing information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.",
+      "meta": {
+        "refs": [
+          "https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/"
+        ]
+      },
+      "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§"
     }
   ],
-  "version": 7,
+  "version": 8,
   "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
   "description": "Android malware galaxy based on multiple open sources.",
   "authors": [