S0544: HenBox
Analyst context for executives and security teams
HenBox matters because it represents Android malware with device and environment selectivity: MITRE notes it attempts to run only on Xiaomi devices using MIUI and has been reported as primarily targeting Uyghurs. For security leaders, the practical issue is not only malware removal; it is whether mobile security, privacy, and incident response programs can see malicious Android behavior that may hide from generic analysis, download code after installation, collect sensitive personal data, and abuse device sensors such as microphone, camera, and location.
Executive priority
Prioritize this as a mobile risk and privacy-readiness validation item where Android devices, Xiaomi/MIUI devices, bring-your-own-device programs, or high-risk user populations are in scope. Leadership should ask whether the organization can inventory mobile platforms, assess app permissions, preserve mobile evidence during incidents, and demonstrate controls over access to contacts, SMS, call logs, location, audio, video, and local files. Because no official MITRE detection text is provided, confidence should come from local telemetry validation rather than assumptions about existing EDR or MDM coverage.
Technical view
HenBox is an Android malware object associated through ATT&CK relationships with obfuscation, runtime code download, software/process/system discovery, native API use, Unix shell execution, broadcast receiver persistence, system checks, masquerading by legitimate-looking names or locations, and collection from local data, call logs, contacts, SMS, audio, video, and location. SOC and IR teams should validate whether mobile telemetry can expose suspicious app permissions, dynamic code loading, broadcast receiver registration, native library use, shell command execution, device/OS checks, installed app and process enumeration, and access to sensitive Android content providers or sensors. Xiaomi/MIUI device visibility should be specifically checked where those devices exist.
Likely telemetry
- Android device and OS inventory, including manufacturer/model and MIUI presence where available
- Mobile app inventory, package names, app labels/icons, install source, version, and signing/certificate metadata
- Android manifest permissions, especially microphone, camera, location, contacts, SMS, call log, storage, and background location permissions
- Runtime behavioral telemetry for dynamic code download or execution after installation
- Network telemetry from mobile devices or mobile security tooling showing app-initiated downloads or command-and-control-like communications
Detection direction
- Validate coverage on Android specifically; do not assume desktop-focused EDR or network controls will see this behavior.
- Use the relationship context to build behavioral detections around combinations: device/MIUI checks plus obfuscation, runtime code loading, sensitive permission use, and collection behavior are more meaningful than a single permission request alone.
- Tune for false positives from legitimate apps that request contacts, location, camera, microphone, or background services; prioritize apps with suspicious naming/location mimicry, unusual install source, excessive permissions, dynamic code download, or unexpected shell/native execution.
- Check whether sandboxing and malware analysis workflows account for system checks and execution guardrails, since behavior may vary by device model, OS, or analysis environment.
- For IR, ensure mobile acquisition procedures preserve app packages, manifests, native libraries, downloaded payloads, relevant logs, network indicators, and sensitive data access artifacts where legally and technically permissible.
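To make the combination rule in the bullets above concrete, here is an added example (not code from the page, Glexia, or MITRE) that scores constructed app-inventory records: the permission strings are real Android names, but the record schema, the trusted install source, the system-like package prefixes, the sample package names and the weights are all assumptions about what an MDM or mobile threat defense export might look like.

```python
from dataclasses import dataclass
SENSITIVE_PERMISSIONS = {  # real Android permission names the page flags as sensitive
    "android.permission.RECORD_AUDIO", "android.permission.CAMERA",
    "android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_BACKGROUND_LOCATION",
    "android.permission.READ_CONTACTS", "android.permission.READ_SMS",
    "android.permission.READ_CALL_LOG", "android.permission.READ_EXTERNAL_STORAGE",
}
TRUSTED_SOURCES = {"com.android.vending"}  # assumption: only Play Store installs are trusted
SYSTEM_LIKE = ("com.android.", "com.google.", "com.miui.", "com.xiaomi.")  # assumed mimicry prefixes

@dataclass
class AppRecord:                 # assumed telemetry schema, not any product's real export
    package: str
    install_source: str          # installer package name, or "sideload"
    permissions: set
    loads_code_at_runtime: bool  # dynamic DEX / native library load observed
    checks_device_model: bool    # reads Build.MANUFACTURER or ro.miui.* properties
    shell_exec: bool             # spawned a shell process
    boot_receiver: bool          # registers a BOOT_COMPLETED broadcast receiver
    vendor_signed: bool          # signing certificate matches the platform/vendor key

def triage(app):
    """Return (score, reasons); the HenBox-shaped combination outweighs any single signal."""
    sensitive = app.permissions & SENSITIVE_PERMISSIONS
    signals = [
        (len(sensitive) >= 3, f"{len(sensitive)} sensitive permissions"),
        (app.install_source not in TRUSTED_SOURCES, "untrusted install source"),
        (app.package.startswith(SYSTEM_LIKE) and not app.vendor_signed,
         "system-like package name without vendor signature"),
        (app.loads_code_at_runtime, "loads code after installation"),
        (app.checks_device_model, "checks device model / MIUI build properties"),
        (app.shell_exec, "executes shell commands"),
        (app.boot_receiver and bool(sensitive), "boot receiver persistence plus sensitive permissions"),
    ]
    reasons = [why for hit, why in signals if hit]
    score = len(reasons)
    # Execution guardrail + runtime code download + collection capability is the page's profile.
    if app.checks_device_model and app.loads_code_at_runtime and sensitive:
        score += 2
        reasons.append("device check + runtime code + collection combination")
    return score, reasons

# Constructed sample records: a Play-installed messenger and a suspicious sideloaded app.
SAMPLE_APPS = [
    AppRecord("com.example.messenger", "com.android.vending", {"android.permission.READ_CONTACTS",
              "android.permission.CAMERA", "android.permission.RECORD_AUDIO"}, False, False, False, False, False),
    AppRecord("com.miui.sysupdate.helper", "sideload",
              {"android.permission.READ_SMS", "android.permission.READ_CALL_LOG",
               "android.permission.READ_CONTACTS", "android.permission.RECORD_AUDIO",
               "android.permission.ACCESS_FINE_LOCATION"}, True, True, True, True, False),
]
```

A legitimate messenger that merely requests contacts, camera and microphone scores 1, while the sideloaded app that mimics a vendor package, checks the device, loads code after install and collects SMS, call logs, contacts, audio and location scores 9.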
Mitigation priorities
- Maintain accurate mobile asset inventory and identify whether Android, Xiaomi, or MIUI devices are in scope for corporate access or BYOD programs.
- Apply mobile device management or equivalent policy controls to restrict untrusted app installation, enforce OS/app update posture, and review high-risk permissions.
- Use app vetting and mobile threat defense processes that evaluate dynamic code loading, obfuscation, native code, broadcast receivers, masquerading, and sensitive data access rather than relying only on static reputation.
- Limit business data exposure from mobile devices through least privilege, conditional access, and separation of corporate data from personal apps where feasible.
- Prepare mobile incident response playbooks for privacy-sensitive collection scenarios involving contacts, SMS, call logs, audio, video, location, and local files.
Analyst notes and limits
The supplied ATT&CK object identifies HenBox as Android malware and states that it attempts to execute only on Xiaomi MIUI devices, with reporting that it has primarily targeted Uyghurs. The relationship set is rich and indicates a broad mobile behavior profile: evasion, discovery, execution, persistence, collection, and sensor/content-provider access. Defensive value comes from validating mobile visibility across those behaviors and from confirming whether high-risk device populations are actually represented in logs and management tooling.
MITRE provides no official detection text for this object, no tactics in the supplied fields, and no aliases or labels. This take does not assert current activity, attribution, customer exposure, or guaranteed detection. Local device inventory, mobile telemetry, app samples, legal constraints, and incident evidence are required to determine relevance and coverage in a specific environment.
HenBox
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1636.002 | Call Log Sub-technique | |
| Mobile | T1636.004 | SMS Messages Sub-technique | |
| Mobile | T1633.001 | System Checks Sub-technique | |
| Mobile | T1623.001 | Unix Shell Sub-technique | |
| Mobile | T1575 | Native API | |
| Mobile | T1418 | Software Discovery | |
| Mobile | T1406 | Obfuscated Files or Information | |
| Mobile | T1624.001 | Broadcast Receivers Sub-technique | |
| Mobile | T1655.001 | Match Legitimate Name or Location Sub-technique | |
| Mobile | T1429 | Audio Capture | |
| Mobile | T1533 | Data from Local System | |
| Mobile | T1426 | System Information Discovery | |
| Mobile | T1424 | Process Discovery | |
| Mobile | T1512 | Video Capture | |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1636.003 | Contact List Sub-technique | |
| Mobile | T1407 | Download New Code at Runtime | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f8ecce6c5f63… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] A. Hinchliffe, M. Harbison, J. Miller-Osborn, et al. (2018, March 13). HenBox: The Chickens Come Home to Roost. Palo Alto Networks. Retrieved September 9, 2019.
[2] MITRE ATT&CK, S0544: HenBox.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.