Researchers at FireEye have discovered six variants of an Android malware family (Android.HeHe) that disguises itself as a security app and intercepts victims' incoming texts and calls.
According to FireEye: “The app disguises itself as ‘android security’, attempting to provide the users what is advertised as an OS Update. It contacts the command-and-control (CnC) server to register itself then goes on to monitor incoming SMS messages. The CnC is expected to respond with a list of phone numbers that are of interest to the malware author. If one of these numbers sends an SMS or makes a call to an infected device, the malware intercepts the message or call, suppresses device notifications from the device, and removes any trace of the message or call from device logs. Any SMS messages from one of these numbers are logged into an internal database and sent to the CnC server. Any phone calls from these numbers are silenced and rejected.”
The HeHe malware also collects device data such as the international mobile subscriber identity (IMSI), International Mobile Station Equipment Identity (IMEI) numbers, and phone numbers, and sends this information to the attacker-operated server.
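For defenders triaging a sideloaded APK, the behaviours described above can be checked against what its manifest makes possible. The following is an added example, not code from FireEye or from the malware: the mapping of behaviours to standard Android permissions, the function names, and the sample manifest are all assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"
SMS_ACTION = "android.provider.Telephony.SMS_RECEIVED"

# Article behaviours mapped to standard Android permissions. The mapping is
# this example's assumption, not a list taken from the FireEye analysis.
BEHAVIOURS = {
    "receives incoming SMS": "android.permission.RECEIVE_SMS",
    "can delete stored SMS": "android.permission.WRITE_SMS",
    "can edit the call log": "android.permission.WRITE_CALL_LOG",
    "reads IMSI/IMEI/phone number": "android.permission.READ_PHONE_STATE",
    "has network access": "android.permission.INTERNET",
}

def triage_manifest(xml_text):
    """Return the behaviours a decoded AndroidManifest.xml makes possible."""
    root = ET.fromstring(xml_text)
    requested = {p.get(ANDROID + "name") for p in root.iter("uses-permission")}
    findings = [label for label, perm in BEHAVIOURS.items() if perm in requested]
    # A prioritised SMS_RECEIVED receiver runs before the default SMS app and,
    # before Android 4.4, could abort the broadcast so the user never sees it.
    for filt in root.iter("intent-filter"):
        actions = {a.get(ANDROID + "name") for a in filt.iter("action")}
        priority = filt.get(ANDROID + "priority", "0")
        if SMS_ACTION in actions and priority.isdigit() and int(priority) > 0:
            findings.append("prioritised SMS receiver")
    return findings

def needs_review(findings):
    """Flag apps that can both pre-empt SMS delivery and send data out."""
    return {"receives incoming SMS", "prioritised SMS receiver",
            "has network access"} <= set(findings)

# Constructed sample manifest; it is not the manifest of the real malware.
SAMPLE = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.fakeupdate">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SMS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application>
    <receiver android:name=".SmsHook">
      <intent-filter android:priority="2147483647">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""
print(triage_manifest(SAMPLE), needs_review(triage_manifest(SAMPLE)))
```

The input is the text-form manifest produced by decoding an APK; a match is a reason to look closer, since legitimate messaging apps request a similar permission set.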
The author told SCMagazine that the free app is most likely infecting users via third-party app marketplaces or through SMS spam. “The possible sources are that you get a link to download the app as an SMS spam message, or from forums where all of these third party apps are advertised,” Dharmdasani said.
The full analysis of the malware app can be found at FireEye.