Lookout, Inc., provider of mobile security solutions, announced the discovery of two novel Android surveillanceware, Hornbill and SunBird. The Lookout Threat Intelligence team believes these campaigns are connected to the Confucius APT, a well-known pro-India state-sponsored advanced persistent threat group. Hornbill and SunBird have sophisticated capabilities to exfiltrate SMS message content, encrypted messaging app content, geolocation, contact information, call logs, as well as file and directory listings. The surveillanceware targets personnel linked to Pakistan’s military and nuclear authorities and Indian election officials in Kashmir.

The Confucius group was previously reported to have first leveraged mobile malware in 2017 with ChatSpy^[1]. However, based on this new discovery, Lookout researchers found that Confucius may have been spying on mobile users for up to a year prior to ChatSpy with SunBird. SunBird campaigns were first detected by Lookout researchers in 2017 but no longer seem to be active. The APT’s latest malware, Hornbill, is still actively in use and Lookout researchers have observed new samples as recently as December 2020.      

“One characteristic of Hornbill and SunBird that stands out is their intense focus on exfiltrating a target's communications via WhatsApp,” said Apurva Kumar, Staff Security Intelligence Engineer at Lookout. “In both cases, the surveillanceware abused the Android accessibility services in a variety of ways to exfiltrate communications without the need for root access. SunBird can also record calls made through WhatsApp’s VoIP service, exfiltrate data on applications such as BlackBerry Messenger and imo, as well as execute attacker-specified commands on an infected device.”

Both Hornbill and SunBird appear to be evolved versions of commercial Android surveillance tooling. Hornbill was likely derived from the same code base as an earlier commercial surveillance product known as MobileSpy. Meanwhile, SunBird can be linked back to the Indian developers responsible for BuzzOut, an older commercial spyware tool. The Lookout researchers' theory that SunBird’s roots also lay in stalkerware is supported by content found in the exfiltrated data that they uncovered on the malware’s infrastructure in 2018. The data uncovered includes information about the stalkerware victims and campaigns targeting Pakistani nationals in their home country as well as those traveling abroad in the United Arab Emirates (UAE) and India.

To learn more about Hornbill and SunBird, read the Lookout blog or visit Lookout Threat Advisory Services.