US-based cyber security company Lookout has reported that two Android malware families that emerged in India, called Hornbill and SunBird, have been used to spy on Pakistan's military and nuclear authorities and on Indian election officials in Kashmir.
According to Lookout, both malware families have been linked to Confucius, an advanced persistent threat (APT) group believed to be state-sponsored and to have pro-India ties. Per the report, the malware was used mainly to compromise WhatsApp and exfiltrate the content of conversations. Lookout said: “Targets of these tools include personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir.”
“Hornbill and SunBird have sophisticated capabilities to exfiltrate SMS, encrypted messaging app content, and geolocation, among other types of sensitive information,” it added. Confucius is known for attacking South Asian states and was first detected in 2013. Although the group has produced Windows malware in the past, it extended its capabilities to mobile malware in 2017, when its spyware app ChatSpy appeared.
The apps used by the group carry extensive capabilities: requesting elevated privileges, taking photos with the camera, reading call logs, contacts, images and browser history, scraping WhatsApp messages, and uploading all of it to the group's servers. SunBird includes remote-access functionality that lets an attacker execute commands on the device, whereas Hornbill is a surveillance tool that extracts data from its victims.
“SunBird has been disguised as applications that include security services, such as the fictional ‘Google Security Framework’, apps tied to specific locations (Kashmir News) or activities (Falconry Connect and Mania Soccer), Islam-related applications (Quran Majeed),” Lookout’s report said, adding that the majority of applications appeared to target Muslims.
The company’s analysis also identified specific targets, including an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force (PAF), and officers responsible for electoral rolls (Booth Level Officers) in the Pulwama district of Kashmir.
Lookout researchers Apurva Kumar and Kristin Del Rosso said the apps associated with SunBird have a more extensive set of capabilities than Hornbill and run their data-exfiltration routine at regular intervals. “Locally on the infected device, the data is collected in SQLite databases which are then compressed into ZIP files as they are uploaded to C2 infrastructure,” Kumar and Del Rosso added.
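The staging pattern just described, SQLite databases packed into ZIP archives before upload, is something an analyst can look for when triaging a file-system image from a suspect device. The script below is an added example written for this page; it is not Lookout's tooling and nothing in it comes from the report. It builds a constructed sample tree (file names, archive names and table contents are made up), then identifies archives by their byte signature rather than their extension and lists members whose first bytes are the SQLite 3 header.

```python
"""Triage helper (added example, not from Lookout's report): flag ZIP archives
whose members are SQLite databases, regardless of the file extensions used."""
import os
import sqlite3
import tempfile
import zipfile

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file
ZIP_MAGIC = b"PK\x03\x04"              # ZIP local file header signature


def sqlite_members(zip_path):
    """Return names of ZIP members whose content starts with the SQLite header."""
    hits = []
    with zipfile.ZipFile(zip_path) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                if fh.read(len(SQLITE_MAGIC)) == SQLITE_MAGIC:
                    hits.append(info.filename)
    return hits


def scan_tree(root):
    """Walk root and return {archive_path: [sqlite member names]}.
    Archives are detected by signature, so a renamed .dat or .bin still counts."""
    findings = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    if fh.read(len(ZIP_MAGIC)) != ZIP_MAGIC:
                        continue
                members = sqlite_members(path)
            except (OSError, zipfile.BadZipFile):
                continue  # unreadable or truncated file; not a finding
            if members:
                findings[path] = members
    return findings


def build_sample_tree():
    """Constructed sample data (not real malware artifacts): one archive holding a
    SQLite database under a misleading name, and one benign archive."""
    root = tempfile.mkdtemp(prefix="staging_triage_")
    db_path = os.path.join(root, "collected.db")
    con = sqlite3.connect(db_path)
    con.execute("CREATE TABLE msgs (sender TEXT, body TEXT)")
    con.execute("INSERT INTO msgs VALUES ('sample-sender', 'constructed sample')")
    con.commit()
    con.close()
    # Neither the archive nor the member name reveals what is inside.
    with zipfile.ZipFile(os.path.join(root, "upload_001.dat"), "w") as zf:
        zf.write(db_path, arcname="data/cache.bin")
    with zipfile.ZipFile(os.path.join(root, "benign.zip"), "w") as zf:
        zf.writestr("readme.txt", "nothing to see here")
    os.remove(db_path)
    return root


def demo():
    """Build the sample tree and scan it; returns the findings dict."""
    return scan_tree(build_sample_tree())


if __name__ == "__main__":
    for archive, members in demo().items():
        print(archive, "->", members)
```

Reading the signature instead of trusting extensions matters here because the report describes data that is compressed only at upload time, so the on-disk name of such an archive is whatever the malware author chose.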
By contrast, Lookout’s researchers describe Hornbill as more of a passive reconnaissance tool. It targets a narrower set of data and, unlike SunBird, performs a full upload only when it first runs rather than at regular intervals. “After that, it only uploads changes in data to keep mobile data and battery usage low. The upload occurs when data monitored by Hornbill changes, such as when SMS, or WhatsApp notifications are received or calls are made from the device,” Lookout’s report said.
“Hornbill is keenly interested in the state of an infected device and closely monitors the use of resources. In addition to the exfiltrated data, Hornbill also collects hardware information. For example, the malware can check if a device’s screen is locked, the amount of available internal and external storage and whether WiFi and GPS are enabled,” it added.
The researchers noted that none of these apps were distributed via Google Play or any other authorised app store. Mobile users are advised to install apps only from official app stores and to avoid websites offering bootleg Android APKs and iOS apps.
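Since the apps in the report were never in an official store, one practical check on an Android device is to ask the package manager where each third-party package came from. The snippet below is an added example for this page, not part of Lookout's report: it parses the output of `adb shell pm list packages -3 -i` (lines of the form `package:<name>  installer=<installer package>`) and flags packages whose recorded installer is `null` (sideloaded, installed over ADB, or otherwise unattributed) or not in an allow-list of store apps. The sample output and package names are constructed, and the allow-list of installer names is an assumption to be adjusted for the devices in question.

```python
"""Added example (not from Lookout's report): flag Android packages that did not
arrive through a known app store, based on `pm list packages -3 -i` output."""
import re

# Installer package names of store apps (assumption: extend for your fleet).
TRUSTED_INSTALLERS = {
    "com.android.vending",              # Google Play
    "com.sec.android.app.samsungapps",  # Galaxy Store
}

# `pm list packages -i` prints one line per package: "package:<pkg>  installer=<inst>".
LINE_RE = re.compile(r"^package:(?P<pkg>\S+)\s+installer=(?P<inst>\S+)$")

# Constructed sample output; the example.* packages are invented for the demo.
SAMPLE_PM_OUTPUT = """\
package:com.whatsapp  installer=com.android.vending
package:com.example.sideloaded  installer=null
package:com.example.browserdl  installer=com.android.packageinstaller
this line is noise and is ignored
"""


def parse_pm_output(text):
    """Return {package_name: installer} from `pm list packages -i` text.
    Lines that do not match the expected shape are skipped."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            result[m["pkg"]] = m["inst"]
    return result


def sideloaded(packages, trusted=TRUSTED_INSTALLERS):
    """Sorted list of packages whose installer is 'null' or not a trusted store.
    'com.android.packageinstaller' means the user opened an APK by hand, which
    is exactly the distribution path the report describes."""
    return sorted(pkg for pkg, inst in packages.items() if inst not in trusted)


if __name__ == "__main__":
    # On a real device: adb shell pm list packages -3 -i | python3 this_script.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PM_OUTPUT
    for pkg in sideloaded(parse_pm_output(text)):
        print("not from a trusted store:", pkg)
```

Use the `-3` flag so that preinstalled system apps, which also report `installer=null`, do not flood the list; a hit is a prompt to inspect the APK, not proof of compromise.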