Android spyware strains linked to state-sponsored Confucius threat group

silversurfer

Level 85
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Malware Hunter
Well-known
Aug 17, 2014
10,048
Two variants of Android spyware connected to pro-India, state-sponsored hacking campaigns have been discovered.

On Tuesday, cybersecurity firm Lookout said that two malware strains, dubbed Hornbill and SunBird, have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties.

First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies.

According to the cybersecurity firm, the APT can be reasonably linked to Hornbill and SunBird, two forms of Android spyware. Specifically, the malware appears to be focused on compromising the Whatsapp messaging platform and exfiltrating the content of conversations. [...]
Hornbill and SunBird have different approaches to spying. Hornbill is described as a "discreet surveillance tool" designed to selectively steal data of interest to its operator, whereas SunBird contains Remote Access Trojan (RAT) functionality, permitting the additional deployment of malware and remote hijacking.

Both malware variants, however, can steal data including device identifiers, call logs, WhatsApp voice notes, contact lists, and GPS location information. In addition, they can request administrator privileges on a compromised device, take screenshots and photos, and record audio both when calls are taking place or just as environmental noise.

SunBird's capabilities go beyond Hornbill's as this malware is also able to grab browser histories, calendar information, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and images. SunBird will also try to upload stolen data to a command-and-control (C2) server at more regular intervals than Hornbill. However, Hornbill is able to detect and record active WhatsApp calls by abusing Android accessibility functions.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top