The Lookout Threat Intelligence team has discovered two novel Android surveillanceware – Hornbill and SunBird. We believe with high confidence that these surveillance tools are used by the advanced persistent threat group (APT) Confucius, which first appeared in 2013 as a state-sponsored, pro-India actor primarily pursuing Pakistani and other South Asian targets.1 2
While primarily known for desktop malware, the Confucius group was previously reported to have started leveraging mobile malware in 2017, with the Android surveillanceware ChatSpy.3 However, our discovery of SunBird and Hornbill shows that Confucius may have been spying on mobile users up to a year before it started using ChatSpy.
Targets of these tools include personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir. Hornbill and SunBird have sophisticated capabilities to exfiltrate SMS, encrypted messaging app content, and geolocation, among other types of sensitive information.
SunBird has been disguised as applications that include:
- Security services, such as the fictional “Google Security Framework”
- Apps tied to specific locations (“Kashmir News”) or activities (“Falconry Connect” and “Mania Soccer”)
- Islam-related applications (“Quran Majeed”).
The majority of applications appear to target Muslim individuals.
Lookout named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh and where the developers of Hornbill are located. SunBird’s name was derived from the malicious services within the malware called “SunService” and the sunbird is also native to India.
Malicious functionality and impact of both SunBird and Hornbill
Hornbill and SunBird have both similarities and differences in the way they operate on an infected device. While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.
Both of the malware can exfiltrate a wide range of data, such as:
- Call logs
- Device metadata including phone number, IMEI/Android ID, Model and Manufacturer and Android version
- Images stored on external storage
- WhatsApp voice notes, if installed
Both malware are also able to perform the following actions on device:
- Request device administrator privileges
- Take screenshots, capturing whatever a victim is currently viewing on their device
- Take photos with the device camera
- Record environment and call audio
- Scrape WhatsApp messages and contacts via accessibility services
- Scrape WhatsApp notifications via accessibility services
SunBird has a more extensive set of malicious capabilities than Hornbill. It attempts to upload all data it has access to at regular intervals to its command and control (C2) servers. Locally on the infected device, the data is collected in SQLite databases which are then compressed into ZIP files as they are uploaded to C2 infrastructure.
SunBird can exfiltrate the following list of data, in addition to the list above:
- List of installed applications
- Browser history
- Calendar information
- BlackBerry Messenger (BBM) audio files, documents and images
- WhatsApp Audio files, documents, databases, voice notes and images
- Content sent and received via IMO instant messaging application
In addition to the list of actions above, SunBird can also perform the following actions:
- Download attacker specified content from FTP shares
- Run arbitrary commands as root, if possible
- Scrape BBM messages and contacts via accessibility services
- Scrape BBM notifications via accessibility services
In contrast, Hornbill is more of a passive reconnaissance tool than SunBird. Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low. The upload occurs when data monitored by Hornbill changes, such as when SMS, or WhatsApp notifications are received or calls are made from the device.
Hornbill is keenly interested in the state of an infected device and closely monitors the use of resources. For example, if the device is low on memory, it triggers the garbage collector. In addition to the list of exfiltrated data mentioned earlier, Hornbill also collects hardware information. For example, the malware can check if a device’s screen is locked, the amount of available internal and external storage and whether WiFi and GPS are enabled.
Hornbill only logs location information if it deems the changes to be significant enough from the previously recorded location – if the difference between the corresponding latitudes and longitudes differ by more than 0.0006 which is roughly 70 metres.
Data collected by Hornbill is stored in hidden folders on external storage. Once call recordings or audio recordings are uploaded to C2 infrastructure they are deleted from the device to avoid suspicion.
Hornbill uses a unique set of server paths to communicate to C2 infrastructure. These are listed below along with what action Hornbill takes when sending HTTP POST requests to each.
The operators behind Hornbill are extremely interested in a user’s WhatsApp communications. In addition to exfiltrating message content and sender information of messages, Hornbill records WhatsApp calls by detecting an active call by abusing Android’s accessibility services. The exploitation of Android’s accessibility services in this manner is a trend we are observing frequently in Android surveillanceware. This enables the threat actor to avoid the need for privilege escalation on a device.
Lastly, Hornbill searches for and monitors activity on any documents stored on external storage with the following suffixes: ".doc", ".pdf", ".ppt", ".docx", ".xlsx", ".txt". Whenever a document is created, opened, closed, modified, moved or deleted, this action is logged by Hornbill. Functionality exists to modify this list of suffixes, but is incomplete in the samples we have observed. The latest samples of Hornbill show that this malware threat may still be under development.
The newest Hornbill sample was identified by Lookout’s app analysis engine as recently as December 2020, suggesting the malware may still be active today. Both ChatSpy and Hornbill’s packaging dates appeared to have been tampered with, but we first observed them in January 2018 and May 2018 respectively.
Lookout first observed SunBird in January 2017, but unlike the other two malware families, the packaging dates appear legitimate, indicating the malware was likely in development between December 2016 and early 2019.
To better understand who SunBird may have been deployed against, we analyzed over 18GB of exfiltrated data that was publicly exposed from at least six insecurely configured C2 servers. All data uploaded to the C2 infrastructure included the locale of the infected devices. This information, combined with the data content, gave us extensive insight into who was being targeted by this malware family and the kind of information the attackers were after.
Some notable targets included an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force (PAF), as well as officers responsible for electoral rolls (Booth Level Officers) located in the Pulwama district of Kashmir.
Malware development and commercial surveillance roots
Both Hornbill and SunBird appear to be evolved versions of commercial Android surveillance tooling. Hornbill seems to be derived from the same code base as a previously active commercial surveillanceware product known as MobileSpy. 5 It is unclear how the developers of Hornbill acquired the code, but the company behind MobileSpy, Retina-X Studios, shut down their surveillance software products in May 2018 after being hacked twice. 6 Links between the Hornbill developers indicate they all appear to have worked together at a number of Android and iOS app development companies registered and operating in or near Chandigarh, Punjab, India. In 2017, one developer claimed to be working at India’s Defence Research and Development Organisation (DRDO) on their LinkedIn profile.
SunBird looks to have been created by Indian developers who also produced another commercial spyware product, which we dubbed BuzzOut. 7 The theory that SunBird’s roots lay in stalkerware was also supported by the content found in the exfiltrated data we uncovered. The data included information on stalkerware victims, as well as Pakistani nationals living in Pakistan and traveling in the UAE and India. This data suggests that SunBird could have been sold to an actor that selectively deployed it to gather intelligence on targeted individuals. Similar behavior was observed with Stealth Mango and Tangelo, two nation state mobile surveillanceware Lookout researchers discovered in 2018. 8
During this investigation, we were able to access exfiltrated data for SunBird whose C2 infrastructure had been insufficiently secured.
Within the exfiltrated data, one particular victim caught our interest. This individual was using WhatsApp to correspond with someone applying for a position at the Pakistan Nuclear Regulatory Authority in 2017. In 2018, messages were uncovered from someone applying for a position at the Pakistan Atomic Energy Commission.9
Additional exfiltrated data from late 2018 and early 2019 indicated that SunBird was being used to monitor Booth Level Officers10 responsible for field-level information regarding electoral rolls in the Pulwama district of Kashmir. This time and location is significant as Pulwama suffered a suicide bombing attack in February 2019, which increased tensions between India and Pakistan. The start date of active monitoring of this target on C2 servers coincided with the start of the Indian general elections held in April 2019.
A total of 156 victims were discovered in this new dataset and included phone numbers from India, Pakistan and Kazakhstan.
Similar to previous Confucius tactics seen with ChatSpy, Hornbill samples often impersonate chat applications such as Fruit Chat, Cucu Chat and Kako Chat. The related C2 infrastructure communicates on port 8080, a pattern also seen on the desktop campaigns carried out by Confucius.14
The Confucius group is well known for impersonating legitimate services to cover their tracks and confuse its victims. Naming malicious apps similar to legitimate ones may be an attempt to gain a target’s trust. For example, “kako chat” may have been named due to its similarity to KakaoTalk.15 However, Kako Chat’s C2 server (chatk.goldenbirdcoin[.]com) references a defunct cryptocurrency by the same name.16 Cucu Chat may refer to a seemingly benign dating app of the same name that is available on third-party app stores such as APKPure.17, 18 However, Cucu Chat communicates to the site http://wangu[.]xyz19 (also on port 8080) and itself appears to be an impersonation of Wangu, an application which advertises itself as a chat app for Zimbabweans.20 The latest sample of Hornbill titled “Filos” trojanizes the Mesibo21 Android application for legitimate chat functionality.
During our investigation, we noticed that Hornbill C2 infrastructure hosted HTML resources consistent with a commercial spyware page, but missing its image resources.
Additionally, Hornbill carries out data exfiltration via the following unique set of server paths:
We found that the patterns noted above also existed on another domain samaatv[.]online. Although Lookout has not directly observed an APK communicating to this domain, we think one likely exists. samaatv[.]online has resolved to the IP address 91.210.107[.]104 since May 2019, which encompasses the activity of this campaign.
In addition to this, we found the SunBird C2 domain pieupdate[.]online resolved to 220.127.116.11 in between February 2019 and July 2019. This is also the timeframe in which we observed active campaigns by SunBird on that infrastructure.
With the help of public reporting and Lookout’s dataset, we are confident that the Confucius APT group is actively using the IPs between 91.210.107[.]103-91.210.107[.]112 to host a large portion of their infrastructure, both presently and in the past.
Additional open-source intelligence (OSINT) searches confirmed the above connections. We found a publicly-accessible 2018 Pakistani government advisory warning of a desktop malware campaign targeting officers and government staff. The campaign described in it used phishing emails that impersonated various government agencies to deliver malicious Microsoft Word exploits. The Indicators of Compromise (IOCs) for this campaign included domains that were known Confucius infrastructure, leading us to believe the entire campaign could be attributed to that group.
A particular point of interest on the advisory IoC list, and crucial in confirming Confucius connections, was pieupdate[.]online, a C2 server for malicious desktop activity as well as SunBird mobile malware.
We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes.
To the best of our knowledge the apps described in this article were never distributed through Google Play. Users of Lookout security apps are protected from these threats.
Lookout Threat Advisory Services customers have already been notified with additional intelligence on this and other threats. Take a look at our Threat Advisory Services page to learn more.
The information provided in this report is based upon discovery tools and methods which are inherently imperfect and though it is our belief the information in this report is accurate at the time of its publishing the information is provided “as is” with all faults, and Lookout Inc., assumes no liability for its accuracy or completeness, or one's use or reliance upon the information contained therein.
Command and control infrastructure