S0544: HenBox
Analyst context for executives and security teams
HenBox matters because it is Android malware that is selective about device and environment: MITRE notes it attempts to run only on Xiaomi devices using MIUI, and the reporting MITRE cites describes it as primarily targeting Uyghurs. For security leaders, the practical issue is not only malware removal; it is whether mobile security, privacy, and incident response programs can see malicious Android behavior that refuses to run on emulators or non-target devices, downloads code after installation, collects sensitive personal data, and abuses device sensors such as the microphone, camera, and location.
Executive priority
Prioritize this as a mobile risk and privacy-readiness validation item where Android devices, Xiaomi/MIUI devices, bring-your-own-device programs, or high-risk user populations are in scope. Leadership should ask whether the organization can inventory mobile platforms, assess app permissions, preserve mobile evidence during incidents, and demonstrate controls over access to contacts, SMS, call logs, location, audio, video, and local files. Because no official MITRE detection text is provided, confidence should come from local telemetry validation rather than assumptions about existing EDR or MDM coverage.
Technical view
HenBox is an Android malware object associated through ATT&CK relationships with obfuscation, runtime code download, software/process/system discovery, native API use, Unix shell execution, broadcast receiver persistence, system checks, masquerading by legitimate-looking names or locations, and collection from local data, call logs, contacts, SMS, audio, video, and location. SOC and IR teams should validate whether mobile telemetry can expose suspicious app permissions, dynamic code loading, broadcast receiver registration, native library use, shell command execution, device/OS checks, installed app and process enumeration, and access to sensitive Android content providers or sensors. Xiaomi/MIUI device visibility should be specifically checked where those devices exist.
Likely telemetry
- Android device and OS inventory, including manufacturer/model and MIUI presence where available
- Mobile app inventory, package names, app labels/icons, install source, version, and signing/certificate metadata
- Android manifest permissions, especially microphone, camera, location, contacts, SMS, call log, storage, and background location permissions
- Runtime behavioral telemetry for dynamic code download or execution after installation
- Network telemetry from mobile devices or mobile security tooling showing app-initiated downloads or command-and-control-like communications
Detection direction
- Validate coverage on Android specifically; do not assume desktop-focused EDR or network controls will see this behavior.
- Use the relationship context to build behavioral detections around combinations: device/MIUI checks plus obfuscation, runtime code loading, sensitive permission use, and collection behavior are more meaningful than a single permission request alone.
- Tune for false positives from legitimate apps that request contacts, location, camera, microphone, or background services; prioritize apps with suspicious naming/location mimicry, unusual install source, excessive permissions, dynamic code download, or unexpected shell/native execution.
- Check whether sandboxing and malware analysis workflows account for emulator detection and device/OS checks, since behavior may differ between a Xiaomi/MIUI handset, another physical device, and an analysis environment.
- For IR, ensure mobile acquisition procedures preserve app packages, manifests, native libraries, downloaded payloads, relevant logs, network indicators, and sensitive data access artifacts where legally and technically permissible.
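One way to turn the combination guidance above into a triage check, as an added Python example that is neither HenBox code nor MITRE's text: it scores a constructed manifest and dex string table for the behaviors listed in this page's technique table, so that a maps app holding location and camera permissions scores low while an app that stacks collection permissions with dynamic code loading, MIUI/emulator checks, shell execution, persistence receivers and a system-looking label is flagged. The sample manifests, package names, label text, regexes and weights are assumptions; a real pipeline would feed it apktool or aapt output and resolve @string label references before this step.

```python
"""Behavioral triage of an Android app from its manifest and dex strings.

Added example (not HenBox code, not from the MITRE page). It assumes an upstream
step has already extracted AndroidManifest.xml (e.g. via apktool) and a string
table from classes.dex; the two inputs below are constructed stand-ins.
"""
import re
import xml.etree.ElementTree as ET

A = "{http://schemas.android.com/apk/res/android}"  # android: XML namespace

# Permissions gating the data types listed on the page.
SENSITIVE_PERMS = {
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.CAMERA": "video",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
}
# Broadcast actions typically bound by receivers used for persistence/interception.
PERSISTENCE_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED",
    "android.provider.Telephony.SMS_RECEIVED",
}
# Dex string/API references suggesting the behaviors in the technique table (assumed patterns).
CODE_INDICATORS = {
    "runtime_code": re.compile(r"dalvik/system/(Dex|Path|InMemoryDex)ClassLoader"),
    "device_check": re.compile(r"ro\.miui\.ui\.version|Build;->MANUFACTURER|xiaomi", re.I),
    "emulator_check": re.compile(r"goldfish|ro\.kernel\.qemu", re.I),
    "shell": re.compile(r"Runtime;->exec|/system/(bin|xbin)/su"),
    "native": re.compile(r"System;->loadLibrary"),
}
# A single collection permission is common in legitimate apps and scores low;
# evasion, loading, shell and masquerading are what make the combination meaningful.
WEIGHTS = {"sensitive_data": 1, "persistence_receivers": 1, "masquerade_label": 2,
           "runtime_code": 2, "device_check": 2, "emulator_check": 1, "shell": 2, "native": 1}


def triage(manifest_xml, dex_strings):
    """Return {'package', 'findings', 'score', 'flagged'} for one app."""
    root = ET.fromstring(manifest_xml)
    pkg = root.get("package", "")
    findings = {}

    perms = {e.get(A + "name") for e in root.iter("uses-permission")}
    data_types = sorted({SENSITIVE_PERMS[p] for p in perms if p in SENSITIVE_PERMS})
    if data_types:
        findings["sensitive_data"] = data_types

    actions = {a.get(A + "name") for r in root.iter("receiver") for a in r.iter("action")}
    hits = sorted(actions & PERSISTENCE_ACTIONS)
    if hits:
        findings["persistence_receivers"] = hits

    # Label mimicry: a "VPN"/"System"/"Android" label outside Android's own namespace.
    # (Real manifests usually carry @string refs here; resolve them before this step.)
    app = root.find("application")
    label = app.get(A + "label", "") if app is not None else ""
    if re.search(r"vpn|system|android", label, re.I) and not pkg.startswith("com.android."):
        findings["masquerade_label"] = label

    blob = "\n".join(dex_strings)
    for name, pat in CODE_INDICATORS.items():
        if pat.search(blob):
            findings[name] = True

    score = sum(WEIGHTS[k] for k in findings)
    # Flag only on stacked behaviors that include some collection capability.
    flagged = score >= 6 and len(findings) >= 3 and "sensitive_data" in findings
    return {"package": pkg, "findings": findings, "score": score, "flagged": flagged}


# ---- constructed samples (not real HenBox artifacts) ----
_NS = 'xmlns:android="http://schemas.android.com/apk/res/android"'

SUSPECT_MANIFEST = f"""<manifest {_NS} package="com.vpn.secure">
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Android System VPN">
    <receiver android:name=".Boot"><intent-filter>
      <action android:name="android.intent.action.BOOT_COMPLETED"/>
      <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
    </intent-filter></receiver>
  </application>
</manifest>"""
SUSPECT_STRINGS = ["Ldalvik/system/DexClassLoader;", "ro.miui.ui.version.name",
                   "ro.kernel.qemu", "Ljava/lang/Runtime;->exec", "Ljava/lang/System;->loadLibrary"]

BENIGN_MANIFEST = f"""<manifest {_NS} package="com.example.maps">
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="City Maps"/>
</manifest>"""
BENIGN_STRINGS = ["Ljava/lang/System;->loadLibrary", "Lcom/example/maps/MapView;"]

if __name__ == "__main__":
    for m, s in ((SUSPECT_MANIFEST, SUSPECT_STRINGS), (BENIGN_MANIFEST, BENIGN_STRINGS)):
        print(triage(m, s))
```

The threshold deliberately requires at least three distinct behaviors plus a collection capability, so a legitimate VPN client that merely has "VPN" in its name, or a camera app that loads a native library, does not clear it on its own; tune the weights against your own app inventory before using the score for anything beyond ranking analyst attention.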
Mitigation priorities
- Maintain accurate mobile asset inventory and identify whether Android, Xiaomi, or MIUI devices are in scope for corporate access or BYOD programs.
- Apply mobile device management or equivalent policy controls to restrict untrusted app installation, enforce OS/app update posture, and review high-risk permissions.
- Use app vetting and mobile threat defense processes that evaluate dynamic code loading, obfuscation, native code, broadcast receivers, masquerading, and sensitive data access rather than relying only on static reputation.
- Limit business data exposure from mobile devices through least privilege, conditional access, and separation of corporate data from personal apps where feasible.
- Prepare mobile incident response playbooks for privacy-sensitive collection scenarios involving contacts, SMS, call logs, audio, video, location, and local files.
Analyst notes and limits
The supplied ATT&CK object identifies HenBox as Android malware and states that it attempts to execute only on Xiaomi MIUI devices, with reporting that it has primarily targeted Uyghurs. The relationship set is rich and indicates a broad mobile behavior profile: evasion, discovery, execution, persistence, collection, and sensor/content-provider access. Defensive value comes from validating mobile visibility across those behaviors and from confirming whether high-risk device populations are actually represented in logs and management tooling.
MITRE provides no official detection text for this object, no tactics in the supplied fields, and no aliases or labels. This take does not assert current activity, attribution, customer exposure, or guaranteed detection. Local device inventory, mobile telemetry, app samples, legal constraints, and incident evidence are required to determine relevance and coverage in a specific environment.
HenBox
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.002 | Protected User Data: Call Log | HenBox has collected all outgoing phone numbers that start with "86". [1] |
| Mobile | T1636.004 | Protected User Data: SMS Messages | HenBox can intercept SMS messages. [1] |
| Mobile | T1633.001 | Virtualization/Sandbox Evasion: System Checks | HenBox can detect if the app is running on an emulator. [1] |
| Mobile | T1623.001 | Command and Scripting Interpreter: Unix Shell | HenBox can run commands as root. [1] |
| Mobile | T1575 | Native API | HenBox has contained native libraries. [1] |
| Mobile | T1418 | Software Discovery | HenBox can obtain a list of running apps. [1] |
| Mobile | T1406 | Obfuscated Files or Information | HenBox has obfuscated components using XOR, ZIP with a single-byte key or ZIP/Zlib compression wrapped with RC4 encryption. [1] |
| Mobile | T1624.001 | Event Triggered Execution: Broadcast Receivers | HenBox has registered several broadcast receivers. [1] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | HenBox has masqueraded as VPN and Android system apps. [1] |
| Mobile | T1429 | Audio Capture | HenBox can access the device's microphone. [1] |
| Mobile | T1533 | Data from Local System | HenBox can steal data from various sources, including chat, communication, and social media apps. [1] |
| Mobile | T1426 | System Information Discovery | HenBox can collect device information and can check if the device is running MIUI on a Xiaomi device. [1] |
| Mobile | T1424 | Process Discovery | HenBox can obtain a list of running processes. [1] |
| Mobile | T1512 | Video Capture | HenBox can access the device's camera. [1] |
| Mobile | T1430 | Location Tracking | HenBox can track the device's location. [1] |
| Mobile | T1636.003 | Protected User Data: Contact List | HenBox can access the device's contact list. [1] |
| Mobile | T1407 | Download New Code at Runtime | HenBox can load additional Dalvik code while running. [1] |
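To show what the layering in the T1406 row means for an analyst, here is an added Python example (not HenBox's code and not from the Palo Alto report) that peels two of the described wrappers from a constructed blob: a single-byte XOR layer, recovered by trying all 256 keys against known file headers, and zlib compression wrapped in RC4, reversed with a caller-supplied key. The payload bytes, the RC4 key and the header list are assumptions; HenBox's real keys would have to be recovered from the app's own code, since an RC4 key cannot be brute-forced the way a one-byte XOR key can.

```python
"""Peeling the obfuscation layers the T1406 row describes: a single-byte XOR layer
and zlib compression wrapped in RC4. Added example, not HenBox's own code; the
sample payload and RC4 key below are constructed, and real key material has to
be recovered from the app's code (RC4 keys are not brute-forceable here)."""
import zlib

# Headers a dropped component is likely to start with once unwrapped (assumed list).
KNOWN_HEADERS = {b"dex\n": "dex", b"PK\x03\x04": "zip", b"\x7fELF": "elf"}


def rc4(key, data):
    """RC4 KSA + PRGA; symmetric, so the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor1(data, key):
    """XOR every byte with one key byte (also symmetric)."""
    return bytes(b ^ key for b in data)


def header_kind(data):
    for magic, kind in KNOWN_HEADERS.items():
        if data.startswith(magic):
            return kind
    return None


def brute_xor(data):
    """All 255 non-zero keys are cheap; accept the one that exposes a known header."""
    for k in range(1, 256):
        if header_kind(xor1(data[:4], k)):
            return k
    return None


def peel(blob, rc4_keys=()):
    """Return (layers, payload); layers lists the wrappers removed, outermost first."""
    if header_kind(blob):
        return [], blob
    k = brute_xor(blob)
    if k is not None:
        return [f"xor:{k:#04x}"], xor1(blob, k)
    for key in rc4_keys:
        dec = rc4(key, blob)
        if dec[:1] == b"\x78":  # zlib CMF byte: deflate with a 32K window
            try:
                return ["rc4", "zlib"], zlib.decompress(dec)
            except zlib.error:
                pass  # wrong key or not zlib underneath; try the next candidate
    return ["unknown"], blob


# ---- constructed samples ----
PAYLOAD = b"dex\n035\x00" + bytes(range(64))   # fake DEX header plus filler
SAMPLE_KEY = b"not-the-real-key"                 # assumed key, not from the report
RC4_ZLIB_BLOB = rc4(SAMPLE_KEY, zlib.compress(PAYLOAD))
XOR_BLOB = xor1(PAYLOAD, 0x5A)

if __name__ == "__main__":
    print(peel(XOR_BLOB))
    print(peel(RC4_ZLIB_BLOB, rc4_keys=[SAMPLE_KEY]))
```

The zlib CMF check before decompression is what keeps a wrong RC4 key from being mistaken for a hit; in a real sample you would also extend KNOWN_HEADERS with whatever the dropper actually unpacks, and record which layer order succeeded so the same recipe can be replayed on other components of the same family.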
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f8ecce6c5f63… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto HenBox: A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Retrieved September 9, 2019.
[2] mitre-attack S0544: MITRE ATT&CK software object S0544 (HenBox).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.