Android spyware strains linked to state-sponsored Confucius threat group

Aug 17, 2014
Two variants of Android spyware connected to pro-India, state-sponsored hacking campaigns have been discovered.

On Tuesday, cybersecurity firm Lookout said that two malware strains, dubbed Hornbill and SunBird, have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties.

First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies.

According to the cybersecurity firm, the APT can be reasonably linked to Hornbill and SunBird, two forms of Android spyware. Specifically, the malware appears to be focused on compromising the WhatsApp messaging platform and exfiltrating the content of conversations. [...]
Hornbill and SunBird have different approaches to spying. Hornbill is described as a "discreet surveillance tool" designed to selectively steal data of interest to its operator, whereas SunBird contains Remote Access Trojan (RAT) functionality, permitting the additional deployment of malware and remote hijacking.

Both malware variants, however, can steal data including device identifiers, call logs, WhatsApp voice notes, contact lists, and GPS location information. In addition, they can request administrator privileges on a compromised device, take screenshots and photos, and record audio both while calls are taking place and as environmental noise.

SunBird's capabilities go beyond Hornbill's as this malware is also able to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and images. SunBird will also try to upload stolen data to a command-and-control (C2) server at more regular intervals than Hornbill. However, Hornbill is able to detect and record active WhatsApp calls by abusing Android accessibility functions.