Two new Android surveillance families were found targeting military, nuclear and electoral entities in Pakistan and Kashmir as part of a state-sponsored, pro-India hacking campaign.
Called Hornbill and Sunbird, the malware mimics legitimate or seemingly innocuous services to cover its tracks, only to collect SMS, encrypted messaging app content, and geolocation, among other types of sensitive information.
The findings published by Lookout are the result of an analysis of 18GB of unfiltered data that had been left publicly exposed by at least six insecurely configured command-and-control (C2) servers in India.
“Some notable targets included a person who applied for a post in the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force (PAF), as well as officers responsible for electoral rolls (Booth Level Officers) in the Pulwama area of Kashmir,” the researchers said in an analysis on Wednesday.
In total, the attacks targeted 156 victims with phone numbers from India, Pakistan, and Kazakhstan over the past few years.
Lookout attributed both tools to an advanced persistent threat (APT) tracked as Confucius, a group known for its attacks on South Asian countries since at least 2013. The cybersecurity company characterized Hornbill as a “passive reconnaissance tool.”
While Hornbill appears to be derived from the same code base as a commercial surveillance product formerly known as MobileSpy, SunBird has been traced to a group of Indian developers behind another mobile tracking software called BuzzOut. Clues uncovered by Lookout also indicate that Hornbill operators have worked together at various Android and iOS app development companies that are registered and operating in or near the Indian city of Chandigarh.
Both spyware families are equipped to amass a wide range of data, such as call logs, contacts, system information, location, photos stored on external storage, audio and video recordings, and screenshots, and specifically to scrape WhatsApp messages and voice notes by abusing Android accessibility APIs.
SunBird also differs from Hornbill in that the former includes Remote Access Trojan (RAT) functionality, allowing the attackers to execute arbitrary commands on the target device. Additionally, it can exfiltrate browser histories and calendar information, and even siphon content from the BlackBerry Messenger and IMO instant messaging apps.
“Samples of SunBird were found hosted on third-party app stores, identifying one possible distribution mechanism,” the researchers detailed. “Given that many of these malicious software samples are trojanized – as they include complete user functionality – social engineering can also play a role in convincing targets to install the malicious software.”
Lookout identified Hornbill samples as recently as December 2020, indicating active use of the malware since its discovery in 2018. SunBird, on the other hand, appears to have been actively used in 2018 and 2019, before the threat actor moved to another Android spyware product called ChatSpy last year.
Interestingly, the C2 infrastructure shared by Hornbill and SunBird reveals further links to other surveillance operations carried out by the Confucius group – including a publicly accessible 2018 Pakistani government advisory warning of a desktop malware campaign targeting government officials and personnel – suggesting that the two tools are used by the same actor for different surveillance purposes.
While India is a relatively new entrant in the spyware and surveillance sector, Citizen Lab researchers in June last year exposed a Delhi-based mercenary hack-for-hire group called BellTroX InfoTech, which aimed to steal credentials from journalists, advocacy groups, investment firms, and a variety of other high-profile targets.