Lookout, a San Francisco-based security firm, recently reported that it has identified two new Android spyware tools used in cyber-espionage campaigns in South Asia. Lookout attributes both tools to Confucius, a pro-India advanced persistent threat group.
According to Lookout, Confucius has been active since 2013 and mainly targets victims in Pakistan and other parts of South Asia.
Both spyware tools, SunBird and Hornbill, are camouflaged as legitimate Android chat applications with names such as Fruit Chat, Cucu Chat, and Kako Chat. They are designed to exfiltrate SMS messages, content from encrypted messaging apps, geolocation data, and other sensitive information from infected Android devices.
Lookout says that once the malicious apps are installed from third-party app stores, they exfiltrate call logs, contacts and contact details, unique mobile identification numbers, geolocation data, and images from the victim's phone, as well as WhatsApp content.
Of the two, SunBird is a remote access Trojan with additional capabilities: it can exfiltrate information about installed apps, steal browser history, and run arbitrary commands with root privileges.
The researchers explained:
"SunBird is a fully-featured remote access Trojan that is able to carry out attacker commands on an infected device," says Kristin Del Rosso, senior security intelligence engineer at Lookout. "On the other hand, Hornbill goes to great lengths not to be detected by a user and is specifically interested in documents stored on a device's external storage that have the following suffixes: '.doc', '.pdf', '.ppt', '.docx', '.xlsx', '.txt'."
Apurva Kumar, staff security intelligence engineer at Lookout, detailed:
"In the case of Hornbill specifically, links between its developers indicate they all appear to have worked together at a number of Android and iOS app development companies registered and operating in or near Chandigarh, Punjab, India. In 2017, one developer claimed to be working at India's Defense Research and Development Organization on its LinkedIn profile. Malicious functionality present in SunBird and Hornbill is believed to be derived from commercial surveillanceware developed in India."
This malware has been active since December 2020 and has targeted personnel linked to Pakistan’s military and nuclear authorities as well as Indian election officials in Kashmir.