HenBox is an Android spyware discovered by Unit 42 researchers at Palo Alto Networks, which has ties to other malware including PlugX, Zupdax, 9002, and Poison Ivy. The threat actors behind the malware target entities involved is politics in South East Asia. The malware disguises itself as a variety of legitimate Android apps such as VPNs and other system apps and, when installed on a device, steals personal information including chats, communications, information from social media apps, and device location. In addition, HenBox can access the device's camera and microphone and collect outgoing phone numbers. Victims are tricked into downloading these apps form third-party app stores due to their similarities to legitimate apps, such as the app or package name.


  • April 2018: Additional information and detailed analysis of HenBox and its apps. (Palo Alto Networks)

Technical Details

  • Palo Alto Networks provides technical analysis of HenBox, here.