Researchers at mobile security firm Lookout have published information on two recently discovered Android spyware families employed by an advanced persistent threat (APT) group named Confucius.
Active since 2013, this pro-India threat actor has been mainly focused on Pakistani and other South Asian targets, primarily with the help of desktop malware. For the past several years, however, it also switched to mobile malware, with the first Android surveillanceware ChatSpy being observed in 2018.
In a new report, Lookout revealed that the threat actor might have started using Android spyware in 2017, with SunBird, which has been masquerading as applications mostly targeting Muslim individuals.
Supposedly developed between 2016 and 2019, SunBird features remote access Trojan (RAT) capabilities, allowing attackers to execute commands on the infected devices. Hornbill, on the other hand, which has been around since May 2018 (and continues to be active), is a discreet surveillance tool meant to steal data.
Both malware families can target a broad range of data for exfiltration, including call logs, contacts, device metadata (such as phone numbers, IMEI/Android IDs, device model, manufacturer), Android version, geolocation, images from external storage, and WhatsApp voice notes.
On the infected devices, both request device administrator privileges, capture screenshots, take photos with the device camera, record audio and calls, and scrape WhatsApp messages, contacts, and notifications, via accessibility services.
Additionally, SunBird can exfiltrate a list of installed applications, browser history, calendar information, BlackBerry Messenger (BBM) audio files, documents and images, WhatsApp audio files, documents, databases, voice notes and images, and IMO (instant messaging application) content.
Furthermore, the malware can download content from FTP shares and run arbitrary commands, and attempts to upload all data to the attackers’ command and control (C&C) servers at regular intervals.
Hornbill uploads data at initial execution and then only uploads changes to that data, when they occur. The malware closely monitors the use of resources on the infected device, collects hardware information, and logs location data if the location changes by approximately 70 meters, and monitors external storage for “.doc”, “.pdf”, “.ppt”, “.docx”, “.xlsx”, and “.txt” documents.
“The operators behind Hornbill are extremely interested in a user’s WhatsApp communications. In addition to exfiltrating message content and sender information of messages, Hornbill records WhatsApp calls by detecting an active call by abusing Android’s accessibility services,” Lookout explains.
Notable SunBird targets include an individual who applied for a position at the Pakistan Atomic Energy Commission, people with contacts in the Pakistan Air Force (PAF), and Booth Level Officers in the Pulwama district of Kashmir (officers responsible for electoral rolls).
SunBird is likely the work of the Indian developers who also built the BuzzOut commercial spyware. Based on victimology, which includes Pakistani nationals traveling to the UAE and India, the malware clearly has roots in stalkerware, Lookout says.
Hornbill’s code, the researchers say, appears derived from the commercial surveillanceware MobileSpy, but it is unclear how the code base was acquired. Retina-X Studios, the company behind MobileSpy, shut down in May 2018, after two successful hack attempts.
Lookout identified a total of 156 victims from India, Pakistan, and Kazakhstan, and was able to link the malware families to the Confucius APT through the use of specific infrastructure and similar tactics for hiding the malware’s intent.
Related: iOS Spyware Emerges in Longstanding Extortion Campaign
Related: Syrian Hackers Target Mobile Users With COVID-19 Lures
Related: Chinese Hackers Target Uyghurs With Multiple Android Surveillance Tools