Connect with us

Hi, what are you looking for?



Newly Discovered Android Spyware Linked to State-Sponsored Indian Hackers

Researchers at mobile security firm Lookout have published information on two recently discovered Android spyware families employed by an advanced persistent threat (APT) group named Confucius.

Researchers at mobile security firm Lookout have published information on two recently discovered Android spyware families employed by an advanced persistent threat (APT) group named Confucius.

Active since 2013, this pro-India threat actor has been mainly focused on Pakistani and other South Asian targets, primarily with the help of desktop malware. For the past several years, however, it also switched to mobile malware, with the first Android surveillanceware ChatSpy being observed in 2018.

In a new report, Lookout revealed that the threat actor might have started using Android spyware in 2017, with SunBird, which has been masquerading as applications mostly targeting Muslim individuals.

Supposedly developed between 2016 and 2019, SunBird features remote access Trojan (RAT) capabilities, allowing attackers to execute commands on the infected devices. Hornbill, on the other hand, which has been around since May 2018 (and continues to be active), is a discreet surveillance tool meant to steal data.

Both malware families can target a broad range of data for exfiltration, including call logs, contacts, device metadata (such as phone numbers, IMEI/Android IDs, device model, manufacturer), Android version, geolocation, images from external storage, and WhatsApp voice notes.

On the infected devices, both request device administrator privileges, capture screenshots, take photos with the device camera, record audio and calls, and scrape WhatsApp messages, contacts, and notifications, via accessibility services.

Additionally, SunBird can exfiltrate a list of installed applications, browser history, calendar information, BlackBerry Messenger (BBM) audio files, documents and images, WhatsApp audio files, documents, databases, voice notes and images, and IMO (instant messaging application) content.

Advertisement. Scroll to continue reading.

Furthermore, the malware can download content from FTP shares and run arbitrary commands, and attempts to upload all data to the attackers’ command and control (C&C) servers at regular intervals.

Hornbill uploads data at initial execution and then only uploads changes to that data, when they occur. The malware closely monitors the use of resources on the infected device, collects hardware information, and logs location data if the location changes by approximately 70 meters, and monitors external storage for “.doc”, “.pdf”, “.ppt”, “.docx”, “.xlsx”, and “.txt” documents.

“The operators behind Hornbill are extremely interested in a user’s WhatsApp communications. In addition to exfiltrating message content and sender information of messages, Hornbill records WhatsApp calls by detecting an active call by abusing Android’s accessibility services,” Lookout explains.

Notable SunBird targets include an individual who applied for a position at the Pakistan Atomic Energy Commission, people with contacts in the Pakistan Air Force (PAF), and Booth Level Officers in the Pulwama district of Kashmir (officers responsible for electoral rolls).

SunBird is likely the work of the Indian developers who also built the BuzzOut commercial spyware. Based on victimology, which includes Pakistani nationals traveling to the UAE and India, the malware clearly has roots in stalkerware, Lookout says.

Hornbill’s code, the researchers say, appears derived from the commercial surveillanceware MobileSpy, but it is unclear how the code base was acquired. Retina-X Studios, the company behind MobileSpy, shut down in May 2018, after two successful hack attempts.

Lookout identified a total of 156 victims from India, Pakistan, and Kazakhstan, and was able to link the malware families to the Confucius APT through the use of specific infrastructure and similar tactics for hiding the malware’s intent.

Related: iOS Spyware Emerges in Longstanding Extortion Campaign

Related: Syrian Hackers Target Mobile Users With COVID-19 Lures

Related: Chinese Hackers Target Uyghurs With Multiple Android Surveillance Tools

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


Luxury retailer Neiman Marcus Group informed some customers last week that their online accounts had been breached by hackers.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Artificial Intelligence

The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.