Pierluigi Paganini February 11, 2021

Lookout researchers provided details about two Android spyware families employed by an APT group tracked as Confucius.

Researchers at mobile security firm Lookout have provided details about two recently discovered Android spyware families, dubbed Hornbill and SunBird, used by an APT group named Confucius.

Confucius is a pro-India APT group that has been active since 2013, it mainly focused on Pakistani and other South Asian targets. Since 2018, the hackers started targeting mobile users with an Android surveillance malware ChatSpy.

The two malware were used to spy on personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir.

“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device.” reads the report published by Lookout. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”

Both malware can exfiltrate a wide range of data, including Call logs, Contacts, Device metadata (i.e. phone number, IMEI/Android ID, Model and Manufacturer, and Android version), Geolocation, Images stored on external storage, WhatsApp voice notes, if installed.

The two malware also perform multiple malicious activities such as:

• Request device administrator privileges
• Take screenshots, capturing whatever a victim is currently viewing on their device
• Take photos with the device camera
• Record environment and call audio
• Scrape WhatsApp messages and contacts via accessibility services
• Scrape WhatsApp notifications via accessibility services

SunBird is more advanced than Hornbill, it stores gathered in SQLite databases at regular intervals before uploading it to C2 servers in the form of compressed ZIP files.

The malware can download content from FTP shares and run arbitrary commands as root.

Hornbill only targets a limited set of data, it uploads data when it initially runs and only when changes are observed.

The malware monitors the use of certain resources on the infected device, gathers hardware information, logs location data, and monitors external storage for “.doc”, “.pdf”, “.ppt”, “.docx”, “.xlsx”, and “.txt” documents.

Experts pointed out that the operators behind the Hornbill malware are extremely interested in a user’s WhatsApp communications, it also records WhatsApp calls by detecting an active call by abusing Android’s accessibility services.

“We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes.” concludes the report.

If you want to receive the weekly Security Affairs Newsletter for free subscribe here.

Pierluigi Paganini

(SecurityAffairs – hacking, Confucius)

[adrotate banner=”5″]

[adrotate banner=”13″]