Researchers Spot Two Android Spyware Families Linked to Confucius


Researchers at cybersecurity firm Lookout have published details on two recently discovered Android spyware families used by an advanced persistent threat (APT) group known as Confucius. Lookout said the two malware strains, named Hornbill and SunBird, have been linked to Confucius, a group thought to be state-sponsored and to have pro-India ties.

First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted attacks against Pakistani military personnel, Indian election officials, and nuclear agencies. “Hornbill and SunBird have both similarities and differences in the way they operate on an infected device,” reads the report published by Lookout. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”

The team's analysis of the malware suggests that Hornbill is based on MobileSpy, a commercial stalkerware application for remotely monitoring Android devices that was retired in 2018. SunBird, by contrast, appears to share a codebase with BuzzOut, an older spyware family created in India. Confucius was known to have used ChatSpy for surveillance back in 2017, but both Hornbill and SunBird are believed to predate that malware. There do not appear to be any new campaigns using SunBird, which is believed to have been in active development between 2016 and early 2019; Hornbill, however, has been found in a wave of attacks dating from December 2020.

Both malware variants can steal data including device identifiers, call logs, WhatsApp voice notes, contact lists, and GPS location data. They can also request administrator privileges on a compromised device, take screenshots and photographs, and record audio both during calls and as ambient noise. SunBird's capabilities go beyond Hornbill's: it can also collect browser histories, calendar data, BlackBerry Messenger (BBM) content, and more extensive WhatsApp content including documents, databases, and images. SunBird also attempts to upload stolen data to its command-and-control (C2) server at more regular intervals than Hornbill.