Another day, another Android spyware – This time, according to researchers there are two spyware targeting sensitive infrastructure in Pakistan on behalf of India.
Lookout Discovered State-Sponsored Hacking Campaigns
Cybersecurity firm Lookout’s threat intelligence team discovered two novel malware strains, which they dubbed SunBird and Hornbill. Both the strains are forms of Android spyware and linked to a pro-India advanced persistent threat (APT) group called Confucius.
Hornbill is MobileSpy-based spyware, which is a commercial stalkerware app used for remotely monitoring Android devices. However, the app was deactivated in 2018. On the other hand, SunBird’s codebase is similar to BuzzOut, which is another spyware developed in India.
Confucius Targeting Southeast Asian Countries
This group is believed to be state-sponsored, which was first discovered in 2013 and has mainly targeted Southeast Asian countries so far, including Pakistan. It is now targeting targeted Pakistani military personnel and nuclear agencies along with Indian election officials in Kashmir.
“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for Sunbird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan. According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted,” Lookout researchers noted.
Malware Records WhatsApp Conversations
Lookout Staff Security Intelligence Engineer, Apurva Kumar, wrote in a blog post that the malware compromises WhatsApp conversations. Both Hornbill and SunBird abuse Android accessibility services to exfiltrate WhatsApp conversations without needing a jailbroken device or root access.
The spyware employs different tactics to conduct espionage. Hornbill serves as a ‘discreet surveillance tool’ that steals selective data. SunBird has all the functionalities found in a remote access trojan (RAT). It performs remote hijacking of the device and deploys additional malware.
Malicious Apps Distributing Spyware
The malware is distributed via mobile apps hosted on third-party platforms. These apps are offered as software packages of local news aggregators, sports software, Islam-related apps, and a fake Google Security Framework. It becomes apparent that the main target of the malware is the Muslim population.
What Kind of Data is a Risk?
According to Lookout’s analysis, both malware variants steal similar kinds of data, including device identifiers, WhatsApp voice notes, call logs, contact lists, and GPS data. These can request administrator privileges, capture screenshots, and photos, and record audio not only when calls are taking place but also as environmental noise.
SunBird can also collect browser history, calendar information, WhatsApp documents, images, databases, and BlackBerry Messenger content and uploads the stolen data to a C2 server more regularly than Hornbill.