Pro-India APT Group Deploys Android Spyware
SunBird and Hornbill Malicious Apps Mainly Target Users in South Asia
Researchers at the San Francisco-based security firm Lookout have identified two new Android spyware tools used in cyberespionage campaigns in South Asia, which they attribute to "Confucius," a pro-India advanced persistent threat group.
Confucius, active since 2013, mainly targets victims in Pakistan and other parts of South Asia, Lookout says.
The spyware tools, SunBird and Hornbill, have been deployed as malicious Android apps. The malware is designed to exfiltrate SMS messages, content from encrypted messaging apps, geolocation data and other sensitive information from infected Android devices.
The malware, which has been active since December, has targeted personnel linked to Pakistan’s military and nuclear authorities as well as Indian election officials in Kashmir.
SunBird and Hornbill are disguised as legitimate chat applications, with names such as Fruit Chat, Cucu Chat and Kako Chat, Lookout researchers say. Once installed, the malicious apps exfiltrate call logs, contacts, device identifiers such as the IMEI, geolocation data and images from the victim's phone, and can also access WhatsApp content.
SunBird is a remote access Trojan with additional capabilities: it can enumerate the installed apps, steal browser history and run arbitrary commands as root where root access is available. It uploads collected data to the APT group's command-and-control infrastructure at regular intervals, the report adds.
By contrast, the APT group uses Hornbill as a passive reconnaissance tool that exfiltrates only a limited set of data, the researchers say.
"SunBird is a fully-featured remote access Trojan that is able to carry out attacker commands on an infected device," says Kristin Del Rosso, senior security intelligence engineer at Lookout. "On the other hand, Hornbill goes to great lengths not to be detected by a user and is specifically interested in documents stored on a device's external storage that have the following suffixes: '.doc', '.pdf', '.ppt', '.docx', '.xlsx', '.txt'."
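The capability list above (SMS, call logs, contacts, location, device identifiers, images on external storage) and the document suffixes Hornbill hunts for translate directly into two triage checks a responder can run against a suspicious "chat app" pulled from a device. The script below is an added example written for this page; it is not code from Lookout or from the malware. The permission-to-capability mapping, the flagging threshold of four categories, the sample manifests and the sample file paths are all constructed assumptions for illustration, not indicators from the report.

```python
"""Triage heuristics for the Android spyware profile described in the article.

Added example. Assumptions (not from the Lookout report): the mapping of
permissions to data categories, the threshold, and the constructed sample
AndroidManifest.xml fragments and file paths below.
"""
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that unlock each data category the article says SunBird/Hornbill
# collect. Illustrative mapping, not a signature for either family.
CAPABILITY_PERMISSIONS = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "device_ids": {"android.permission.READ_PHONE_STATE"},
}

# Document suffixes quoted from the Lookout researcher above (matched case-insensitively).
HORNBILL_DOC_SUFFIXES = {".doc", ".pdf", ".ppt", ".docx", ".xlsx", ".txt"}


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name=...> values in a manifest."""
    root = ET.fromstring(manifest_xml)
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def capability_profile(permissions: set) -> set:
    """Map requested permissions onto the data categories they would unlock."""
    return {cap for cap, perms in CAPABILITY_PERMISSIONS.items() if perms & permissions}


def triage_manifest(manifest_xml: str, threshold: int = 4) -> dict:
    """Flag an app whose permissions cover at least `threshold` surveillance categories.

    A high category count is a triage signal, not a verdict: legitimate messaging
    apps also request several of these permissions.
    """
    caps = capability_profile(requested_permissions(manifest_xml))
    return {"capabilities": sorted(caps), "flag": len(caps) >= threshold}


def select_target_documents(paths) -> list:
    """Return the paths Hornbill-style document collection would pick up."""
    return [p for p in paths if PurePosixPath(p).suffix.lower() in HORNBILL_DOC_SUFFIXES]


# Constructed sample: a "chat app" manifest asking for the full collection profile.
SUSPECT_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fruitchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
</manifest>"""

# Constructed sample: a benign app that only needs network and camera access.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.photos">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>"""

# Constructed sample listing of an external-storage directory.
SAMPLE_PATHS = [
    "/sdcard/Download/report.PDF",
    "/sdcard/DCIM/IMG_0001.jpg",
    "/sdcard/Documents/notes.txt",
    "/sdcard/Download/archive.zip",
    "/sdcard/Documents/budget.xlsx",
]

if __name__ == "__main__":
    print("suspect:", triage_manifest(SUSPECT_MANIFEST))
    print("benign: ", triage_manifest(BENIGN_MANIFEST))
    print("documents Hornbill-style collection would take:",
          select_target_documents(SAMPLE_PATHS))
```

Treat the flag as a reason to look closer (network destinations, background services, whether the app was sideloaded), not as attribution. Since Google Play has restricted SMS and call-log permissions to a narrow set of app categories, a sideloaded "chat" app that requests both alongside location and storage access deserves particular scrutiny, but a legitimate messenger can still trip the threshold.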
Links to Confucius
The researchers note they were able to link the two spyware tools to Confucius because they share infrastructure with ChatSpy, spyware that the APT group has been using since 2017.
"Malicious functionality present in SunBird and Hornbill is believed to be derived from commercial surveillanceware developed in India," says Apurva Kumar, staff security intelligence engineer at Lookout. "In the case of Hornbill specifically, links between its developers indicate they all appear to have worked together at a number of Android and iOS app development companies registered and operating in or near Chandigarh, Punjab, India. In 2017, one developer claimed to be working at India's Defense Research and Development Organization on their LinkedIn profile."
Last month, security firm Uptycs found the APT group deploying the Warzone RAT through decoy documents.
In a 2017 report, security firm Palo Alto said Confucius was using crafted documents designed to exploit vulnerabilities in InPage to deliver malware. InPage is a word processor that supports languages such as Urdu, Persian, Pashto and Arabic.