Two new Android surveillanceware families have been discovered by the Lookout Threat Intelligence Team. Named Hornbill and SunBird, these two campaigns are believed to be connected to the Confucius APT, a well-known pro-India state-sponsored advanced persistent threat group. Lookout’s researchers revealed the spyware specifically targeted personnel linked to Pakistan’s military and nuclear authorities and Indian election officials in Kashmir.
Hornbill and SunBird are both sophisticated and demonstrate unique spyware characteristics and capabilities. These include techniques used to exfiltrate SMS message content, encrypted messaging app content, geolocation, contact information, call logs, as well as file and directory listings.
“One characteristic of Hornbill and SunBird that stands out is their intense focus on exfiltrating a target’s communications via WhatsApp,” said Apurva Kumar, Staff Security Intelligence Engineer at Lookout.
“In both cases, the surveillanceware abused the Android accessibility services in a variety of ways to exfiltrate communications without the need for root access. SunBird can also record calls made through WhatsApp’s VoIP service, exfiltrate data on applications such as BlackBerry Messenger and imo, as well as execute attacker-specified commands on an infected device.”
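Because both families rely on Android accessibility services rather than root access, one practical defender check is to audit which accessibility services are actually enabled on a managed device. The following script is an added example, not code from Lookout or from the report: it parses the value of the Android secure setting `enabled_accessibility_services` (as printed by `adb shell settings get secure enabled_accessibility_services`) and flags any service that is not on an allowlist. The sample setting value and the allowlist are constructed for illustration.

```python
"""Audit accessibility services enabled on an Android device.

Added example (not from the Lookout report). Input is the raw value of the
secure setting `enabled_accessibility_services`, a colon-separated list of
`package/ServiceClass` components, which prints as "null" when nothing is
enabled. Any enabled service outside the allowlist is reported so an analyst
can review it.
"""

# Constructed sample of what `settings get secure enabled_accessibility_services`
# might print: a legitimate screen reader plus an unexpected service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.wallpaper/.SyncService"
)

# Assumed allowlist of accessibility services the device owner expects.
EXPECTED_SERVICES = {
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService",
}


def parse_enabled_services(setting: str) -> list[str]:
    """Split the setting into fully qualified component names.

    Android accepts the shorthand `pkg/.Cls` for `pkg/pkg.Cls`; expand it so
    the comparison against the allowlist is exact rather than string-fuzzy.
    """
    services = []
    for entry in setting.strip().split(":"):
        entry = entry.strip()
        if not entry or "/" not in entry:
            continue  # covers "null" (nothing enabled) and stray separators
        pkg, cls = entry.split("/", 1)
        if cls.startswith("."):
            cls = pkg + cls
        services.append(f"{pkg}/{cls}")
    return services


def unexpected_services(setting: str, allowlist=EXPECTED_SERVICES) -> list[str]:
    """Return enabled accessibility services that are not on the allowlist."""
    return [s for s in parse_enabled_services(setting) if s not in allowlist]


if __name__ == "__main__":
    for svc in unexpected_services(SAMPLE_SETTING):
        print(f"REVIEW: unexpected accessibility service enabled: {svc}")
```

In a fleet setting the same function can be fed the output of the `adb` command (or an MDM inventory field) per device, with the allowlist maintained centrally; a service that appears here but was never approved is worth inspecting, since the accessibility API is what lets spyware such as Hornbill and SunBird read on-screen message content without root.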
Lookout researchers first detected SunBird campaigns back in 2017 but believe this campaign is no longer active. The Hornbill spyware, however, is reportedly still in active use, and Lookout researchers have observed new samples as recently as December 2020. Upon further examination, both Hornbill and SunBird appear to be evolved versions of commercial Android surveillance tooling.
The Confucius group was previously reported to have first leveraged mobile malware in 2017 with ChatSpy. However, based on this new discovery, Lookout researchers found that Confucius may have been spying on mobile users for up to a year prior to ChatSpy with SunBird.
Mobile malware is becoming more prominent with hackers doing their utmost to extract sensitive information from devices.