HenBox: The Chickens Come Home to Roost

This post is also available in: 日本語 (Japanese)

Summary

Unit 42 recently discovered a new Android malware family we named “HenBox” masquerading as a variety of legitimate Android apps.  We chose the name “HenBox” based on metadata found in most of the malicious apps such as package names and signer detail. HenBox masquerades as apps such as VPN and Android system apps and often installs legitimate versions of these apps along with HenBox to trick users into thinking they downloaded the legitimate app. While some of the legitimate apps HenBox use as decoys can be found on Google Play, HenBox apps themselves have only been found on third-party (non-Google Play) app stores.
HenBox appears to primarily target the Uyghurs – a minority Turkic ethnic group that is primarily Muslim and lives mainly in the Xinjiang Uyghur Autonomous Region in North West China. It also targets devices made by Chinese manufacturer Xiaomi and those running MIUI, an operating system based on Google Android made by Xiaomi. Smartphones are the dominant form of internet access in the region and Xinjiang was recently above the national average of internet users in China. The result is a large online population who have been the subject of numerous cyber-attacks in the past.
Once installed, HenBox steals information from the devices from a myriad of sources, including many mainstream chat, communication, and social media apps. The stolen information includes personal and device information. Of note, in addition to tracking the compromised device’s location, HenBox also harvests all outgoing phone numbers with an “86” prefix, which is the country code for the People’s Republic of China (PRC). It can also access the phone’s cameras and microphone.
HenBox has ties to infrastructure used in targeted attacks with a focus on politics in South East Asia. These attackers have used additional malware families in previous activity dating to at least 2015 that include PlugX, Zupdax, 9002, and Poison Ivy. This also aligns with HenBox’s timeline, as in total we have identified almost 200 HenBox samples, with the oldest dating to 2015. Most of the samples we found date from the last half of 2017, fewer samples date from 2016, and a handful date back to 2015. In 2018, we have already observed a small but consistent number of samples. We believe this indicates a fairly sustained campaign that has gained momentum over recent months.

HenBox Enters the Uyghur App Store
In May 2016, a HenBox app was downloaded from uyghurapps[.]net. Specifically, the app was an Android Package (APK) file that will be discussed in more detail shortly. The domain name, language of the site and app content hosted suggest this site is a third-party app store for whom the intended users are the Uyghurs. Such app stores are so-called because they are not officially supported by Android, nor are they provided by Google, unlike the Play Store. Third-party app stores are ubiquitous in China for a number of reasons including: evermore powerful Chinese Original Equipment Manufacturers (OEM), a lack of an official Chinese Google Play app store, and a growing smartphone market.
The HenBox app downloaded in May 2016 was masquerading as the DroidVPN app. At the time of writing, the content served at the given URL on uyghurapps[.]net, is now a legitimate version of the DroidVPN app, and looks as shown in Figure 1 below.

Figure 1 Uyghurapps[.]net app store showing the current DroidVPN app

Virtual Private Network (VPN) tools allow connections to remote private networks, increasing the security and privacy of the user’s communications. According to the DroidVPN app description, it “helps bypass regional internet restrictions, web filtering and firewalls by tunneling traffic over ICMP.” Some features may require devices to be rooted to function and according to some 3rd party app stores, unconditional rooting is required, which has additional security implications for the device.
We have not been able to ascertain how the DroidVPN app on the uyghurapps[.]net app store was replaced with the malicious HenBox app; however, some indicators point to the server running an outdated version of Apache Web Server on a Windows 32-Bit operating system. In light of this, we believe an attack against unpatched vulnerabilities is a reasonable conjecture for how the server was compromised.
The HenBox app downloaded in May 2016, as described in Table 1 below, masquerades as a legitimate version of the DroidVPN app by using the same app name “DroidVPN” and the same iconography used when displaying the app in Android’s launcher view, as highlighted in Figure 2 below Table 1.

Table 1 Details of the HenBox DroidVPN app on the uyghurapps[.]net app store

Figure 2 HenBox app installed, purporting to be DroidVPN

Depending on the language setting on the device, and for this particular variant of HenBox, the installed HenBox app may have the name “Backup” but uses the same DroidVPN logo. Other variants use other names and logos, as described later.
Given the DroidVPN look and feel being used by this variant of HenBox, it’s highly likely the uyghurapps[.]net page for DroidVPN remained identical when serving either HenBox or DroidVPN apps, just that the legitimate APK file had been replaced with HenBox for an unknown period of time.
In addition to the look and feel of DroidVPN, this HenBox variant also contained a legitimate DroidVPN app within its APK package as an asset, which could be compared to a resource item within a Windows Portable Executable (PE) file. Once the HenBox app is installed and launched, it launches an install process for the embedded app as a decoy to other malicious behaviors occurring in the background, and to satisfy the victim with the app they were requesting, assuming they requested to download a particular app, such as DroidVPN.
The version of the legitimate DroidVPN embedded inside this HenBox variant is the same version of DroidVPN available for download from uyghurapps[.]net, at the time of writing. It’s worth noting, newer versions of the DroidVPN app are available on Google Play, as well as in some other third-party app stores, which could indicate uyghurapps[.]net is not awfully well maintained or updated to the latest apps available.
At the time of writing, to our knowledge no other third-party app stores, nor the official Google Play store, were or are hosting this malicious HenBox variant masquerading as DroidVPN.

The Right App at the Right Time
The malicious HenBox and embedded DroidVPN app combination is one instance of the type of legitimate apps the attackers choose to mimic to compromise their victims. These threat actors frequently offer malicious apps purporting to be legitimate apps that are broadly used or important to a targeted population. It’s worth noting however, about one-third of the HenBox apps contained embedded APK objects that did not refer to legitimate apps. Some were only 3 bytes long, containing strings such as “ddd” and “333”, or were otherwise corrupted.
Beyond the previously mentioned DroidVPN example, other viable embedded apps we found include apps currently available on Google Play, as well as many third-party app stores. Table 2 below lists some of these apps with their respective metadata.

Table 2 Example HenBox variants containing embedded apps

Sample 1 marks the first HenBox sample we saw embedding a legitimate app within its assets to be dropped and installed on the victim device as a decoy. The legitimate app in question was a Uyghur language keyboard app targeted at native speakers of the Uyghur language and their smartphones.
Sample 2, has the package name cn.android.setting masquerading as Android’s Settings app, which has a similar package name (com.android.settings). This variant of HenBox also used the common green Android figure as the app logo and was named 设置 (“Backup” in English). This variant’s app name, along with many others, is written in Chinese and describes the app as a backup tool. Please see the IOCs section for all app and package name combinations. Interestingly, the embedded app in sample 2 is not a version of the Android Settings app but instead the “Amaq Agency” app, which reports on ISIS related news. Reports indicate fake versions of the Amaq app exist, likely in order to spy on those that use it.
A month after observing sample 2, we obtained another which used the same package name as sample 2 (cn.android.setting). However, this time the app name for both HenBox and the embedded app were identical: Islamawazi.  Islamawazi is also known as the Turkistan Islamic Party or “TIP”. This organization was formerly known as the East Turkestan Islamic Party and is purported to be an Islamic extremist separatist organization founded by Uyghur jihadists. The embedded app appears to be a media player.
These examples, together with the HenBox app placed on a very specific third-party app store, point clearly to at least some of the intended targets of these malicious apps being Uyghurs, specifically those with interest in or association with terrorist groups. These threat actors appear to be choosing the right apps – those that could be popular with locals in the region, at the right time – while tensions grow in this region of China, to ensure a good victim install-base.

HenBox Roosts
HenBox has evolved over the past three years, and of the almost two hundred HenBox apps in AutoFocus, the vast majority contain several native libraries as well as other components in order to achieve their objective. Most components are obfuscated in some way, whether it be simple XOR with a single-byte key, or through the use of ZIP or Zlib compression wrapped with RC4 encryption. These components are responsible for a myriad of functions including handling decryption, network communications, gaining super-user privileges, monitoring system logs, loading additional Dalvik code files, tracking the device location and more.
The remainder of this section describes at a high-level what HenBox is capable of, and how it operates. The description is based on analysis of the sample described in Table 3 below, which was of interest given its C2 domain mefound[.]com overlaps with PlugX, Zupdax, and Poison Ivy malware families discussed in more detail later.

Table 3 HenBox variant used in description

Once this variant of HenBox is installed on the victim’s device, the app can be executed in two different ways:
One method for executing HenBox is for the victim to launch the malicious app (named “Backup”, in this instance) from the launcher view on their device, as shown in Figure 3 below. This runs code in the onCreate() method of the app’s MainActivity class, which in effect is the program’s entry point. This process is defined in the app’s AndroidManifest.xml config file, as shown in the following snippet.

Figure 3 HenBox app installed and visible on Android's Launcher view

Doing so executes code checking if the device is manufactured by Xiaomi, or if Xiaomi’s fork of Android is running on the device. Under these conditions, the app continues executing and the intent of targeting Xiaomi devices and users could be inferred, however poorly written code results in execution in more environments than perhaps intended; further checks are made to ascertain whether the app is running on an emulator, perhaps to evade researcher analysis environments. Assuming these checks pass, one of the main ELF libraries is loaded that orchestrates other components and provides functionality to the app’s Dalvik code through the Java Native Interface (JNI).
HenBox checks whether this execution is its first by using Android’s shared preferences feature to persist XML key-value pair data. If it is the first execution, and if the app’s path does not contain “/system/app” (i.e. HenBox is not running as a system app), another ELF library is loaded to aid with executing super-user commands.
The second method uses intents, broadcasts, and receivers to execute HenBox code. Providing the app has registered an intent to process particular events from the system, and one of said events occurs, HenBox is effectively brought to life through external stimulus from another app on the system broadcasting a request, or the system itself broadcasting a particular event has occurred. These intents are typically defined statically in the app’s AndroidManifest.xml config file; some HenBox variants register further intents from their code at run-time. Once a matching intent is triggered, the respective Receiver code will be executed, leading to other HenBox behaviors being launched, which are described later. Table 4 below lists the intents that are statically registered in this HenBox variant’s AndroidManifest.xml config file, together with a description of what that intent does, and when it would be used. Depending on the intent triggered, one of two Receivers would be called, in this instance they are called Boot or Time but the name is somewhat immaterial.

Table 4 HenBox variant's Intents and Receivers

Most of the intents registered in the AndroidManifest.xml file, or loaded during run-time, are commonly found in malicious Android apps. What’s more interesting, and much less common, is the inclusion of the com.xiaomi.smarthome.receive_alarm intent filter. Xiaomi, a privately owned Chinese electronics and software company, is the 5^th largest smart phone manufacturer in the world and also manufactures IoT devices for the home. Most devices can be controlled by Xiaomi’s “MiHome” Android app, which is available on Google Play with between 1,000,000 and 5,000,000 downloads.
Given the nature of connected devices in smart homes, it’s highly likely many of these devices, and indeed the controller app itself, communicate with one another sending status notifications, alerts and so on. Such notifications would be received by the MiHome app or any other, such as HenBox, so long as they register their intent to do so. This could essentially allow for external devices to act as a trigger to execute the malicious HenBox code, or perhaps afford additional data HenBox can collect and exfiltrate.
Either method to load HenBox ultimately results in an instance of a service being launched. This service hides the app from plain sight and loads another ELF library to gather environmental information about the device, such as running processes and apps, and details about device hardware, primarily through parsing system logs and querying running processes. The service continues by loading an ELF, created by Baidu, which is capable of tracking the device location before setting up a monitor to harvest phone numbers associated with outgoing calls for those numbers with a country code “+86” prefix, which relates to the People’s Republic of China.
Further assets are decrypted and deployed, including another Dalvik DEX code file, which has various capabilities including registering itself as the incoming SMS handler for the device to intercept SMS messages, loading another ELF library that includes a version of BusyBox - a package containing various stripped-down Unix tools useful for administering such systems – and, interestingly, is capable of turning off the sound played when the device’s cameras take pictures.
The Android permissions requested by HenBox, as defined in the apps’ AndroidManifest.xml files, range from accessing location and network settings to messages, call, and contact data. HenBox can also access sensors such as the device camera(s) and the microphone.
Beyond the Android app itself, other components such as the aforementioned ELF libraries have additional data-stealing capabilities. One ELF library, libloc4d.so, handles amongst other things the loading of the app-decoded ELF library file “sux”, as well as handling connectivity to the C2.
The sux library appears to be a customized super user (su) tool that includes code from the com.koushikdutta.superuser app and carries the equivalent of a super user (su) binary in order to run privileged commands on the system. The primary goal of sux appears to be steal messages and other data from popular messaging and social media apps specified within the HenBox sample. A similar tool, with the same filename, has been discussed in previous research but the SpyDealer malware appears unrelated to HenBox. More likely, this is a case of common attack tools being re-used between different threat actor groups.
This particular HenBox variant, as listed in Table 3 above, harvests data from two popular messaging and social media apps: Voxer Walkie Talkie Messenger (com.rebelvox.voxer) and Tencent’s WeChat (com.tencent.mm). These types of apps tend to store their data in databases and, as an example, HenBox accesses Voxer’s database from the file “/data/data/com.rebelvox.voxer/databases/rv.db”. Once opened, HenBox runs the following query to gather message information.

Not long after this variant was public, newer variants of HenBox were seen, and some had significant increases in the number of targeted apps. Table 5 describes the latest variant seen in AutoFocus.

Table 5 Recent HenBox variant with updated functionality

Table 6 contains an updated list of targeted apps from which this newer variant of HenBox is capable of harvesting data. Interestingly, the two communication apps described above as being targeted by the HenBox variant listed in Table 3 do not appear in this updated list.

Table 6 Targeted apps from a newer HenBox variant

Most of these apps are well established and available on Google Play, however, com.skype.rover appears to be available only on third-party app stores. The same is likely to be the case for com.pugna.magiccall but this is unknown currently.
It’s clear to see that the capabilities of HenBox are very comprehensive, both in terms of an Android app with its native libraries and given the amount of data it can glean from a victim. Such data includes contact and location information, phone and message activity, the ability to record from the microphone, camera, and other sensors as well as the capability to access data from many popular messaging and social media apps.

Infrastructure
While investigating HenBox we discovered infrastructure ties to other malware families associated with targeted attacks against Windows users – notable overlaps included PlugX, Zupdax, 9002, and Poison Ivy. The overall image of these ties is below in Figure 5 and paints a picture of an adversary with at least 5 malware families in their toolbox dating back to at least 2015.

Figure 5. HenBox and related malware and C2s

The overlap between the HenBox and 9002 malware families Unit 42 has seen involves three shared C2s between several samples; the first IP below is used for more than half of the HenBox samples we have seen to date:

• 47.90.81[.]23
• 222.139.212[.]16
• lala513.gicp[.]net

The overlaps between the Henbox, PlugX, Zupdax, and Poison Ivy malware families involves a web of shared C2s and IP resolutions centered around the below:

• 59.188.196[.]172
• cdncool[.]com (and third-levels of this domain)
• www3.mefound[.]com
• www5.zyns[.]com
• w3.changeip[.]org

Ties to previous activity
The registrant of cdncool[.]com also registered six other domains. To date, Unit 42 has seen four of the seven (the first three in the list below, along with cdncool[.]com) used in malicious activity and it is reasonable to assume the remaining three are or were intended to serve the same purpose.

• tcpdo[.]net
• adminsysteminfo[.]com
• md5c[.]net
• linkdatax[.]com
• csip6[.]biz
• adminloader[.]com

Unit 42 published a blog in July 2016 about 9002 malware being delivered using a combination of shortened links and a file hosted on Google Drive. The spear phishing emails had Myanmar political-themed lures and, if the 9002 C2 server responded, the Trojan sent system specific information along with the string “jackhex”. “jackhex” has also been part of a C2 for what is likely related Poison Ivy activity detailed below, along with additional infrastructure ties.
The C2 for the aforementioned 9002 sample was logitechwkgame[.]com, which resolved to the IP address 222.239.91[.]30. At the same time, the domain admin.nslookupdns[.]com also resolved to the same IP address, suggesting that these two domains are associated with the same threat actors. In addition, admin.nslookupdns[.]com was a C2 for Poison Ivy samples associated with attacks on Myanmar and other Asian countries discussed in a blog published by Arbor Networks in April 2016. Another tie between the activity is the C2 jackhex.md5c[.]net, which was also used as a Poison Ivy C2 in the Arbor Networks blog. “jackhex” is not a common word or phrase and, as noted above, was also seen in the beacon activity with the previously discussed 9002 sample. Finally, since publishing the 9002 blog, Unit 42 has also seen the aforementioned 9002 C2 used as a Poison Ivy C2 with a Myanmar political-themed lure.
In our 9002 blog we noted some additional infrastructure used either as C2s for related Poison Ivy samples, or domain registrant overlap with those C2 domains. When we published that blog Unit 42 hadn’t seen any of the three registrants overlap domains used in malicious activity. Since then, we have seen Poison Ivy samples using third-levels of querlyurl[.]com, lending further credence the remaining two domains, gooledriveservice[.]com and appupdatemoremagic[.]com are or were intended for malicious use.  While we do not have complete targeting, information associated with these Poison Ivy samples, several of the decoy files were in Chinese and appear to be part of a 2016 campaign targeting organizations in Taiwan with political-themed lures.

Conclusion
Typically masquerading as legitimate Android system apps, and sometimes embedding legitimate apps within them, the primary goal of the malicious HenBox appears to be to spy on those who install them. Using similar traits, such as copycat iconography and app or package names, victims are likely socially engineered into installing the malicious apps, especially when available on so-called third-party (i.e. non-Google Play) app stores which often have fewer security and vetting procedures for the apps they host. It’s possible, as with other Android malware, that some apps may also be available on forums, file-sharing sites or even sent to victims as email attachments, and we were only able to determine the delivery mechanism for a handful of the apps we have been able to find.
The hosting locations seen for some HenBox samples, together with the nature of some embedded apps including: those targeted at extremist groups, those who use VPN or other privacy-enabling apps, and those who speak the Uyghur language, highlights the victim profile the threat actors were seeking to attack. The targets and capabilities of HenBox, in addition to the ties to previous activity using four different Windows malware families with political-themed lures against several different South East Asian countries, indicates this activity likely represents an at least three-year-old espionage campaign.

Palo Alto Networks customers are protected by:
AutoFocus customers can investigate this activity using the following tag. To date we believe HenBox is not a shared tool, however, the remainder of malware used by these attackers is shared amongst multiple groups:

• HenBox
• Poison Ivy
• Zupdax
• 9002
• PlugX

Android Hygiene
Update: Keep installed apps updated. Much like patching Operating System and application files on PCs, Android and apps developed for the platform also receive security updates from Google and app developers to remove vulnerabilities and improve features, including security.
Review: App permissions to see what the app is potentially capable of. This can be quite technical, but many permissions are named intuitively describing if they intend to access contacts, messages, or sensors, such as the device microphone or camera. If you the permission seem over the top compared to the described functionality, then don’t install. Also read the app and developer reviews to evaluate their trustworthiness.
Avoid: Third-party app stores that may host pirated versions of paid apps from the Google Play app store, often such apps include unwanted extra features that can access your sensitive data or perform malicious behaviors. Also avoid rooting devices, if possible, as apps could misuse this power.

IOCs
Most recent samples first:

Poison Ivy
d3d5a43a2a4f054d41acf6d5f5c1d4d87c7027d880172c3167eaa19f99db43db
dfcff48fb7ad43940c46430a4cd28d52564ea9b6e40a23ff4324da919a5fb783
12759f7fd01ffdea97954be5404d7e43a3941a7388129e7b6ace85f56b500cd8
26c0349af2b5ffebd01d86eff16a0158bb3ceba9ecb04a0c0bd442bc5736328d
ac8fc264c7ec3cf70836e1bb21f9a20174b04ad49731b8797d7d8bb95cb353e2
3d714e1c02c4baf37008fb2537b02c0c1f524fa49263f3400f97f9ef12f2c907
58246d040c79c2a75729511f09b09ae709fbfbaa0bad6e72751a586f7b37ec5e
c9be192a5acfc3b416dbd3fa800fa63851b3440d4187961978b33cef21aeaaeb
98f16b65b8acd4610077edd92dcb090e3d97f427dbb621827096071ed333b7b4
7cdd37ef4a45afa1b85c87f2a778cf8a7482f7beeee5178856d2f4acfa841135
c9be192a5acfc3b416dbd3fa800fa63851b3440d4187961978b33cef21aeaaeb
14e2e6bbcc68650bfd7c1eb374401eb606c7417dfae7bebb4bf86909e2ff524d
6a5998faa2be7d8b44f23cd5e02c9e3fa4a22bdba32e4663780aa035bddef239
b45e4ac7a790a7c6364cd93e371e548756f621028380c850059954340c0f13dc
b82785a6d488798c43f9dba0dd3f6cf8a4b03b308203452f641456dde09bedd8 

PlugX
45c64508382f41056bed1a6d95927225791fe8fcd8ee9a9a133968b93c19e39f

9002
b2966c2702285d2cad851bae72fe22136d7975a2a50b43a855447703146c63f0
1b168603010e5179d001f78e47176296776938dde2351ca2250f2977eff043d0
C11b963e2df167766e32b14fb05fd71409092092db93b310a953e1d0e9ec9bc3

Zupdax
ce0a078d12698cfca9c4a00dcb6cb2425956538f271e6a151a0e646677ed4ae9
ffc3f886d142c5df35b8eb1c2aee77e553a74657b6054e596e8347b4f0c0975e

Domains and IPs
60.191.57[.]35
47.90.81[.]23
222.139.212[.]16
59.188.196[.]172
222.239.91[.]30
work.andphocen[.]com
andphocen[.]com
w3.ezua[.]com
lala513.gicp[.]net
logitechwkgame[.]com
www5.zyns[.]com
www3.mefound[.]com
w3.changeip[.]org
admin.nslookupdns[.]com
cdncool[.]com
dns.cdncool[.]com
tcpdo[.]net
3w.tcpdo[.]net
md5c[.]net
jackhex.md5c[.]net
up.outhmail[.]com
outhmail[.]com
queryurl[.]com
update.queryurl[.]com
re.queryurl[.]com
mail.queryurl[.]com
adminsysteminfo[.]com
info.adminsysteminfo[.]com