February 10, 2021

Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict

Vector representation of the philosopher Confucius.

The Lookout Threat Intelligence team has discovered two novel Android surveillanceware – Hornbill and SunBird. We believe with high confidence that these surveillance tools are used by the advanced persistent threat group (APT) Confucius, which first appeared in 2013 as a state-sponsored, pro-India actor primarily pursuing Pakistani and other South Asian targets.1 2

While primarily known for desktop malware, the Confucius group was previously reported to have started leveraging mobile malware in 2017, with the Android surveillanceware ChatSpy.3 However, our discovery of SunBird and Hornbill shows that Confucius may have been spying on mobile users up to a year before it started using ChatSpy.  

Targets of these tools include personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir. Hornbill and SunBird have sophisticated capabilities to exfiltrate SMS, encrypted messaging app content, and geolocation, among other types of sensitive information.        


SunBird has been disguised as applications that include:

  • Security services, such as the fictional “Google Security Framework”
  • Apps tied to specific locations (“Kashmir News”) or activities (“Falconry Connect” and “Mania Soccer”)
  • Islam-related applications (“Quran Majeed”).

The majority of applications appear to target Muslim individuals.

Lookout named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh and where the developers of Hornbill are located. SunBird’s name was derived from the malicious services within the malware called “SunService” and the sunbird is also native to India.

Malicious functionality and impact of both SunBird and Hornbill

Hornbill and SunBird have both similarities and differences in the way they operate on an infected device. While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.

Both of the malware can exfiltrate a wide range of data, such as:

  • Call logs
  • Contacts
  • Device metadata including phone number, IMEI/Android ID, Model and Manufacturer and Android version
  • Geolocation
  • Images stored on external storage
  • WhatsApp voice notes, if installed

Both malware are also able to perform the following actions on device:

  • Request device administrator privileges
  • Take screenshots, capturing whatever a victim is currently viewing on their device
  • Take photos with the device camera
  • Record environment and call audio
  • Scrape WhatsApp messages and contacts via accessibility services
  • Scrape WhatsApp notifications via accessibility services

SunBird-specific functionality

SunBird has a more extensive set of malicious capabilities than Hornbill. It attempts to upload all data it has access to at regular intervals to its command and control (C2) servers. Locally on the infected device, the data is collected in SQLite databases which are then compressed into ZIP files as they are uploaded to C2 infrastructure.

SunBird can exfiltrate the following list of data, in addition to the list above:

  • List of installed applications
  • Browser history
  • Calendar information
  • BlackBerry Messenger (BBM) audio files, documents and images
  • WhatsApp Audio files, documents, databases, voice notes and images
  • Content sent and received via IMO instant messaging application

In addition to the list of actions above, SunBird can also perform the following actions:

  • Download attacker specified content from FTP shares
  • Run arbitrary commands as root, if possible
  • Scrape BBM messages and contacts via accessibility services
  • Scrape BBM notifications via accessibility services

Samples of SunBird have been found hosted on third-party app stores, indicating one possible distribution mechanism. Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware. No use of exploits was observed directly by Lookout researchers.

Hornbill-specific functionality

In contrast, Hornbill is more of a passive reconnaissance tool than SunBird. Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low. The upload occurs when data monitored by Hornbill changes, such as when SMS, or WhatsApp notifications are received or calls are made from the device.

Hornbill is keenly interested in the state of an infected device and closely monitors the use of resources. For example, if the device is low on memory, it triggers the garbage collector. In addition to the list of exfiltrated data mentioned earlier, Hornbill also collects hardware information. For example, the malware can check if a device’s screen is locked, the amount of available internal and external storage and whether WiFi and GPS are enabled.

Hornbill only logs location information if it deems the changes to be significant enough from the previously recorded location – if the difference between the corresponding latitudes and longitudes differ by more than 0.0006 which is roughly 70 metres.

Data collected by Hornbill is stored in hidden folders on external storage. Once call recordings or audio recordings are uploaded to C2 infrastructure they are deleted from the device to avoid suspicion.

Location on External Storage Type of Data Collected
/sdcard/.system0/.ia Audio (environment) recordings
/sdcard/.system0/.cr Call recordings
/sdcard/.system0/.tempo Temporary location used for testing upload to C2 infrastructure
/sdcard/.system0/.is/.iss Screenshots
/sdcard/.system0/.is/.ifcc Front camera “clicks” (photos)
/sdcard/.system0/.is/.ircc Rear camera “clicks” (photos)

Hornbill uses a unique set of server paths to communicate to C2 infrastructure. These are listed below along with what action Hornbill takes when sending HTTP POST requests to each.

Unique Server Paths Action
/SignUp Registers either a Device ID or User ID with a hardcoded password for further data exfiltration
/UploadFile Uploads file
/SaveMessages Bulk saves messages
/SaveCallLogs Bulk saves call logs
/SaveContactDetails Bulk saves contacts
/SaveGpsDetails Bulk saves GPS location
/UpdateMobileState Saves directory structure
/UpdateMobileState Queries C2 for queued and removed commands

The operators behind Hornbill are extremely interested in a user’s WhatsApp communications. In addition to exfiltrating message content and sender information of messages, Hornbill records WhatsApp calls by detecting an active call by abusing Android’s accessibility services. The exploitation of Android’s accessibility services in this manner is a trend we are observing frequently in Android surveillanceware. This enables the threat actor to avoid the need for privilege escalation on a device.

Lastly, Hornbill searches for and monitors activity on any documents stored on external storage with the following suffixes: ".doc", ".pdf", ".ppt", ".docx", ".xlsx", ".txt". Whenever a document is created, opened, closed, modified, moved or deleted, this action is logged by Hornbill. Functionality exists to modify this list of suffixes, but is incomplete in the samples we have observed. The latest samples of Hornbill show that this malware threat may still be under development.

Development timelines

The newest Hornbill sample was identified by Lookout’s app analysis engine as recently as December 2020, suggesting the malware may still be active today. Both ChatSpy and Hornbill’s packaging dates appeared to have been tampered with, but we first observed them in January 2018 and May 2018 respectively.

Lookout first observed SunBird in January 2017, but unlike the other two malware families, the packaging dates appear legitimate, indicating the malware was likely in development between December 2016 and early 2019.

Hornbill, which Lookout first saw in May 2018, is actively deployed. We observed new samples as recently as December 2020. The first SunBird sample was seen as early as 2017 and as late as December 2019.


To better understand who SunBird may have been deployed against, we analyzed over 18GB of exfiltrated data that was publicly exposed from at least six insecurely configured C2 servers. All data uploaded to the C2 infrastructure included the locale of the infected devices. This information, combined with the data content, gave us extensive insight into who was being targeted by this malware family and the kind of information the attackers were after.

Some notable targets included an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force (PAF), as well as officers responsible for electoral rolls (Booth Level Officers) located in the Pulwama district of Kashmir.

Based on the locale and country code information of infected devices and exfiltrated content, we think SunBird may have roots as a commercial Android surveillanceware. The data included information on victims in Europe and the United States, some of which appear to be targets of spouseware or stalkerware. It also included data on Pakistani nationals in Pakistan, India and the United Arab Emirates that we believe may be targeted by Confucius APT campaigns between 2018 and 2019.

Malware development and commercial surveillance roots

Both Hornbill and SunBird appear to be evolved versions of commercial Android surveillance tooling. Hornbill seems to be derived from the same code base as a previously active commercial surveillanceware product known as MobileSpy. 5 It is unclear how the developers of Hornbill acquired the code, but the company behind MobileSpy, Retina-X Studios, shut down their surveillance software products in May 2018 after being hacked twice. 6 Links between the Hornbill developers indicate they all appear to have worked together at a number of Android and iOS app development companies registered and operating in or near Chandigarh, Punjab, India. In 2017, one developer claimed to be working at India’s Defence Research and Development Organisation (DRDO) on their LinkedIn profile.

SunBird looks to have been created by Indian developers who also produced another commercial spyware product, which we dubbed BuzzOut. 7 The theory that SunBird’s roots lay in stalkerware was also supported by the content found in the exfiltrated data we uncovered. The data included information on stalkerware victims, as well as Pakistani nationals living in Pakistan and traveling in the UAE and India. This data suggests that SunBird could have been sold to an actor that selectively deployed it to gather intelligence on targeted individuals. Similar behavior was observed with Stealth Mango and Tangelo, two nation state mobile surveillanceware Lookout researchers discovered in 2018. 8

Exfiltrated data

During this investigation, we were able to access exfiltrated data for SunBird whose C2 infrastructure had been insufficiently secured.

This is a breakdown of types of data SunBird exfiltrated. This data is from publicly-accessible exfiltrated content exposed on SunBird C2 servers for 5 campaigns between 2018 and 2019. We found another 12 GB of data exfiltrated on another C2 server 23.82.19[.]250. The default language of this server was set up as Chinese when discovered by Lookout researchers. This may be a false flag or may have been altered by a third party. This also makes it difficult to confirm if all of the data originated from infections of actual target devices.

Frequency of infected devices’ locale and country code settings (translated to languages and countries) as packaged within publicly-accessible exfiltrated data. This data includes both the Confucius APT targets and spouseware victims of SunBird.

Left:One particular SunBird C2 server was found to also be exposing a log file containing IP addresses of those that logged into the administrator panel. The majority of these were distributed throughout India. Right: Geo-location data captured from a publicly-exposed database found on another Sunbird C2 IP 23.82.19[.]250. Almost all data stored on this server referenced phone numbers of various locations in northern India. The second most common region for phone numbers was Pakistan.

Within the exfiltrated data, one particular victim caught our interest. This individual was using WhatsApp to correspond with someone applying for a position at the Pakistan Nuclear Regulatory Authority in 2017. In 2018, messages were uncovered from someone applying for a position at the Pakistan Atomic Energy Commission.9

Additional exfiltrated data from late 2018 and early 2019 indicated that SunBird was being used to monitor Booth Level Officers10 responsible for field-level information regarding electoral rolls in the Pulwama district of Kashmir. This time and location is significant as Pulwama suffered a suicide bombing attack in February 2019, which increased tensions between India and Pakistan. The start date of active monitoring of this target on C2 servers coincided with the start of the Indian general elections held in April 2019.

Continuous data exfiltration data that occurred every ten minutes stopped at the end of 2018. Aside from one brief upload in January 2019, it suddenly picked up again on the 11th of April 2019. While this may be coincidence, this is also the same day that the Indian general elections of 2019 began.12

A total of 156 victims were discovered in this new dataset and included phone numbers from India, Pakistan and Kazakhstan.

Confucius connection

Hornbill application icons impersonate various chat and system applications.

Similar to previous Confucius tactics seen with ChatSpy, Hornbill samples often impersonate chat applications such as Fruit Chat, Cucu Chat and Kako Chat. The related C2 infrastructure communicates on port 8080, a pattern also seen on the desktop campaigns carried out by Confucius.14

The Confucius group is well known for impersonating legitimate services to cover their tracks and confuse its victims. Naming malicious apps similar to legitimate ones may be an attempt to gain a target’s trust. For example, “kako chat” may have been named due to its similarity to KakaoTalk.15 However, Kako Chat’s C2 server (chatk.goldenbirdcoin[.]com) references a defunct cryptocurrency by the same name.16 Cucu Chat may refer to a seemingly benign dating app of the same name that is available on third-party app stores such as APKPure.17, 18 However, Cucu Chat communicates to the site http://wangu[.]xyz19 (also on port 8080) and itself appears to be an impersonation of Wangu, an application which advertises itself as a chat app for Zimbabweans.20 The latest sample of Hornbill titled “Filos” trojanizes the Mesibo21 Android application for legitimate chat functionality.

During our investigation, we noticed that Hornbill C2 infrastructure hosted HTML resources consistent with a commercial spyware page, but missing its image resources.

C2 servers for Hornbill were found to host HTML content from a commercial spyware.


   Additionally, Hornbill carries out data exfiltration via the following unique set of server paths:

We found that the patterns noted above also existed on another domain samaatv[.]online. Although Lookout has not directly observed an APK communicating to this domain, we think one likely exists. samaatv[.]online has resolved to the IP address 91.210.107[.]104 since May 2019, which encompasses the activity of this campaign.

In addition to this, we found the SunBird C2 domain pieupdate[.]online resolved to in between February 2019 and July 2019. This is also the timeframe in which we observed active campaigns by SunBird on that infrastructure.

With the help of public reporting and Lookout’s dataset, we are confident that the Confucius APT group is actively using the IPs between 91.210.107[.]103-91.210.107[.]112 to host a large portion of their infrastructure, both presently and in the past.

Additional open-source intelligence (OSINT) searches confirmed the above connections. We found a publicly-accessible 2018 Pakistani government advisory warning of a desktop malware campaign targeting officers and government staff. The campaign described in it used phishing emails that impersonated various government agencies to deliver malicious Microsoft Word exploits. The Indicators of Compromise (IOCs) for this campaign included domains that were known Confucius infrastructure, leading us to believe the entire campaign could be attributed to that group.          


Official Report from Pakistan’s Federal Bureau of Revenue on Malicious Activity.

A particular point of interest on the advisory IoC list, and crucial in confirming Confucius connections, was pieupdate[.]online, a C2 server for malicious desktop activity as well as SunBird mobile malware.

Hornbill malware has unique file paths with which to communicate with C2 servers. They also display a unique Spyware HTML page. Lookout researchers uncovered another domain, samaatv[.]online, which shares the same unique file paths and Spyware HTML page found on a Hornbill C2 server, cucuchat[.]com. It is tied to known Confucius infrastructure by resolving to 91.210.107[.]104, in the Confucius IP range.

We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes.

To the best of our knowledge the apps described in this article were never distributed through Google Play. Users of Lookout security apps are protected from these threats.

Lookout Threat Advisory Services customers have already been notified with additional intelligence on this and other threats. Take a look at our Threat Advisory Services page to learn more.


The information provided in this report is based upon discovery tools and methods which are inherently imperfect and though it is our belief the information in this report is accurate at the time of its publishing the information is provided “as is” with all faults, and Lookout Inc., assumes no liability for its accuracy or completeness, or one's use or reliance upon the information contained therein.

SHA-1 Hashes









































Command and control infrastructure















Apurva Kumar

Former Security Intelligence Engineer

Apurva Kumar was a Security Intelligence Engineer at Lookout between 2017 and 2021.

Kristin Del Rosso

Security Research Engineer

Kristin Del Rosso is a security researcher with a primary focus on reverse engineering Android applications. She works with her team to uncover new mobile threats, track actors and targets, and provide accurate research and reporting on these issues. She has spoken at BlackHat EU and NSEC on state-sponsored malware campaigns, and volunteers with Day of Shecurity, an organization aimed at tackling the gender diversity issue in cybersecurity.

Entry Type
In-Depth Analysis
Discovered By
Platform(s) Affected
Threat Type
Threat Type
Platform(s) Affected
In-Depth Analysis

Stop Cyberattacks Before They Start With Industry-Leading Threat Intelligence.