From 9a800ebec1098ae19565be1f2001af8a463671f8 Mon Sep 17 00:00:00 2001
From: Deborah Servili
Date: Thu, 3 May 2018 10:57:39 +0200
Subject: [PATCH] add Henbox
---
 clusters/android.json | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/clusters/android.json b/clusters/android.json
index 574c5e0..f006e85 100644
--- a/clusters/android.json
+++ b/clusters/android.json
@@ -4280,9 +4280,19 @@
 ]
 },
 "uuid": "3178ca72-2ded-11e8-846e-eb40889b4f9f"
+ },
+ {
+ "value": "HenBox",
+ "description": "HenBox apps masquerade as others such as VPN apps, and Android system apps; some apps carry legitimate versions of other apps which they drop and install as a decoy technique. While some of legitimate apps HenBox uses as decoys can be found on Google Play, HenBox apps themselves are found only on third-party (non-Google Play) app stores. HenBox apps appear to primarily target the Uyghurs – a Turkic ethnic group living mainly in the Xinjiang Uyghur Autonomous Region in North West China. HenBox has ties to infrastructure used in targeted attacks, with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. HexBox apps target devices made by Chinese consumer electronics manufacture, Xiaomi and those running MIUI, Xiaomi’s operating system based on Google Android. Furthermore, the malicious apps register their intent to process certain events broadcast on compromised devices in order to execute malicious code. This is common practice for many Android apps, however, HenBox sets itself up to trigger based on alerts from Xiaomi smart-home IoT devices, and once activated, proceeds in stealing information from a myriad of sources, including many mainstream chat, communication and social media apps. The stolen information includes personal and device information.",
+ "meta": {
+ "refs": [
+ "https://researchcenter.paloaltonetworks.com/2018/04/unit42-henbox-inside-coop/"
+ ]
+ },
+ "uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§"
 }
 ],
- "version": 7,
+ "version": 8,
 "uuid": "84310ba3-fa6a-44aa-b378-b9e3271c58fa",
 "description": "Android malware galaxy based on multiple open sources.",
 "authors": [
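Review bot: The new cluster's `uuid` on the added line `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86§"` ends in a stray `§`, so it is not a valid UUID and will not match anything that validates or keys on this field (galaxy UUID checks, MISP object references, correlation across feeds); it should be `"uuid": "72c37e24-4ead-11e8-8f08-db3ec8f8db86"`. The trailing character looks like a paste artefact — worth checking that the same UUID has not been committed elsewhere with the same glitch. The description also carries two typos that hurt searchability: `HexBox apps target devices` should read `HenBox apps target devices`, and `Chinese consumer electronics manufacture, Xiaomi` should read `Chinese consumer electronics manufacturer, Xiaomi`. The enclosing `"values"` array begins before this hunk, so the context above the first added line is not visible here.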