S0544 HenBox

HenBox is Android malware that attempts to execute only on Xiaomi devices running the MIUI operating system. HenBox has primarily been used to target Uyghurs, a minority Turkic ethnic group. [1]

| Item | Value |
| --- | --- |
| ID | S0544 |
| Associated Names | |
| Version | 1.0 |
| Created | 17 December 2020 |
| Last Modified | 12 April 2021 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| mobile | T1429 | Audio Capture | HenBox can access the device’s microphone. [1] |
| mobile | T1623 | Command and Scripting Interpreter | - |
| mobile | T1623.001 | Unix Shell | HenBox can run commands as root. [1] |
| mobile | T1533 | Data from Local System | HenBox can steal data from various sources, including chat, communication, and social media apps. [1] |
| mobile | T1407 | Download New Code at Runtime | HenBox can load additional Dalvik code while running. [1] |
| mobile | T1624 | Event Triggered Execution | - |
| mobile | T1624.001 | Broadcast Receivers | HenBox has registered several broadcast receivers. [1] |
| mobile | T1430 | Location Tracking | HenBox can track the device’s location. [1] |
| mobile | T1575 | Native API | HenBox has contained native libraries. [1] |
| mobile | T1406 | Obfuscated Files or Information | HenBox has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption. [1] |
| mobile | T1424 | Process Discovery | HenBox can obtain a list of running processes. [1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | HenBox has collected all outgoing phone numbers that start with “86”. [1] |
| mobile | T1636.003 | Contact List | HenBox can access the device’s contact list. [1] |
| mobile | T1636.004 | SMS Messages | HenBox can intercept SMS messages. [1] |
| mobile | T1418 | Software Discovery | HenBox can obtain a list of running apps. [1] |
| mobile | T1426 | System Information Discovery | HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device. [1] |
| mobile | T1512 | Video Capture | HenBox can access the device’s camera. [1] |
| mobile | T1633 | Virtualization/Sandbox Evasion | - |
| mobile | T1633.001 | System Checks | HenBox can detect if the app is running on an emulator. [1] |