Mobile malware victims may have several reactions upon discovering a smartphone infection, but chuckling is likely not one of them. Nonetheless, a new Android malware threat dubbed "HeHe" has been identified that steals text messages and intercepts and disconnects phone calls.
FireEye Labs researcher Hitesh Dharmdasani wasn’t laughing when he recently discovered six variants of a malicious app that bills itself as “Android Security,” and ostensibly looks to provide the users with an OS update. He described its activities in a forensic blog:
"It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages. The CnC is expected to respond with a list of phone numbers that are of interest to the malware author. If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected."
HeHe is stealthy: The service runs in the background. Once started, it removes itself from the main menu of the phone, so the user has no simple way of detecting that the app is installed on the phone. It then goes on to check the network status of the phone.
The authors are apparently looking for certain types of content – presumably banking or password-related information – because calls and texts are screened against a table from the CnC. If an incoming message is of a wanted type, the app extracts the contents of the SMS and the phone number of the sender.
Read more: http://www.infosecurity-magazine.com/view/36576/new-android-malware-intercepts-calls-and-texts/
FireEye Labs researcher Hitesh Dharmdasani wasn’t laughing when he recently discovered six variants of a malicious app that bills itself as “Android Security,” and ostensibly looks to provide the users with an OS update. He described its activities in a forensic blog:
"It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages. The CnC is expected to respond with a list of phone numbers that are of interest to the malware author. If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected."
HeHe is stealthy: The service runs in the background. Once started, it removes itself from the main menu of the phone, so the user has no simple way of detecting that the app is installed on the phone. It then goes on to check the network status of the phone.
The authors are apparently looking for certain types of content – presumably banking or password-related information – because calls and texts are screened against a table from the CnC. If an incoming message is of a wanted type, the app extracts the contents of the SMS and the phone number of the sender.
Read more: http://www.infosecurity-magazine.com/view/36576/new-android-malware-intercepts-calls-and-texts/
(ok it was too easy) 
