Android spyware strains linked to state-sponsored Confucius threat group

Hornbill and SunBird are being used to stalk and steal the data of Pakistani nationals.

Two variants of Android spyware connected to pro-India, state-sponsored hacking campaigns have been discovered. 

On Tuesday, cybersecurity firm Lookout said that two malware strains, dubbed Hornbill and SunBird, have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties. 

First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies.  

According to the cybersecurity firm, the APT can be reasonably linked to Hornbill and SunBird, two forms of Android spyware. Specifically, the malware appears to be focused on compromising the Whatsapp messaging platform and exfiltrating the content of conversations. 

The team's analysis of the malware suggests that Hornbill is based on MobileSpy, a commercial stalkerware app for remotely monitoring Android devices that was retired in 2018. SunBird, however, appears to have a similar codebase to BuzzOut, an old form of spyware developed in India.

Confucius was known to have used ChatSpy for surveillance purposes back in 2017, but it is thought that SunBird predates this malware. There doesn't appear to be any new campaigns utilizing SunBird, believed to have been in active development between 2016 and early 2019; however, Hornbill has been found in a wave of attacks dating from December 2020. 

Apurva Kumar, Lookout Staff Security Intelligence Engineer, says that both forms of spyware abuse Android accessibility services to plunder Whatsapp for information and exfiltrate content without the need for root access or a jailbroken device. 

Mobile apps containing the malware appear to be hosted outside of Google Play and are offered as software packages including the fake "Google Security Framework," local news aggregators, Islam-related apps, and sports software. According to Lookout, the majority of these malicious apps appear to target the Muslim population. 

Hornbill and SunBird have different approaches to spying. Hornbill is described as a "discreet surveillance tool" designed to selectively steal data of interest to its operator, whereas SunBird contains Remote Access Trojan (RAT) functionality, permitting the additional deployment of malware and remote hijacking. 

Both malware variants, however, can steal data including device identifiers, call logs, WhatsApp voice notes, contact lists, and GPS location information. In addition, they can request administrator privileges on a compromised device, take screenshots and photos, and record audio both when calls are taking place or just as environmental noise. 

SunBird's capabilities go beyond Hornbill's as this malware is also able to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and images. SunBird will also try to upload stolen data to a command-and-control (C2) server at more regular intervals than Hornbill. 

However, Hornbill is able to detect and record active WhatsApp calls by abusing Android accessibility functions. 

"The leverage of Android's accessibility services in this manner is a trend we are observing frequently in Android surveillanceware, avoiding the need for privilege escalation on a device," the researchers say. 

Previous and related coverage


Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0