Researchers have uncovered two novel Android surveillanceware families being used by an advanced persistent threat (APT) group to target military, nuclear and election entities in Pakistan and Kashmir.
The two malware families, which researchers call “Hornbill” and “SunBird,” have sophisticated capabilities to exfiltrate SMS messages, encrypted messaging app content and geolocation, as well as other types of sensitive information.
Researchers first saw Hornbill as early as May 2018, with newer samples of the malware emerging on December 2020. They said the first Sunbird sample dates back to 2017 and was last seen active on December 2019.
“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device,” said Apurva Kumar, staff security intelligence engineer, and Kristin Del Rosso, senior security intelligence researcher, with Lookout, on Thursday. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”
Malware Attack Targeting Military, Nuclear, Election Entities
The malware strains were seen in attacks targeting personnel linked to Pakistan’s military and various nuclear authorities, and Indian election officials in Kashmir. Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley (and a previous target for other Android malware threat actors).
“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for Sunbird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan,” Kumar told Threatpost. “According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted.”
For instance, attackers targeted an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force, as well as officers responsible for electoral rolls located in the Pulwama district of Kashmir.
In regards to the initial attack vectors for the malware samples, researchers pointed to samples of SunBird found hosted on third-party app stores, providing a clue for one possible distribution mechanism. However, researchers have not yet found SunBird on the official Google Play marketplace.
SunBird has been disguised as applications such as security services (including a fictional “Google Security Framework”), apps tied to specific locations (like “Kashmir News”) or activities (“including “Falconry Connect” or “Mania Soccer”). Researchers said the majority of these applications appear to target Muslim individuals. Meanwhile, Hornbill applications impersonate various chat (such as Fruit Chat, Cucu Chat and Kako Chat) and system applications.
“Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware,” said Kumar and Del Rosso. “No use of exploits was observed directly by Lookout researchers.”
Malware Cybersecurity Surveillance Capabilities
Both malware families have a wide range of data exfiltration capabilities. They are able to collect call logs, contacts, device metadata (such as phone numbers, models, manufacturers and Android operating system version), geolocation, images stored on external storage and WhatsApp voice notes.
In addition, both families can request device administrator privileges, take screenshots of whatever victims are currently viewing on their devices, take photos with the device camera, record environment and call audio and scrape WhatsApp message and contacts and WhatsApp notifications (via the Android accessibility service feature).
SunBird has a more extensive set of malicious functionalities than Hornbill, with the ability to upload all data at regular intervals to its C2 servers. For instance, SunBird can also collect a list of installed applications on the victims’ devices, browser history, calendar information, WhatsApp Audio files, documents, databases and images and more. And, it can run arbitrary commands as root or download attacker-specified content from FTP shares.
“In contrast, Hornbill is more of a passive reconnaissance tool than SunBird,” said Kumar and Del Rosso. “Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low.”
Researchers named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh in India, where they believe the developers of Hornbill are located. SunBird’s name, meanwhile, stemmed from the malicious services within the malware called “SunService” – and the sunbird is also native to India, they said.
State-Sponsored APT Behind The Cyberattack
The malware families have been linked “with high confidence” to the APT Confucius. This APT has been on the cybercrime scene since 2013 as a state-sponsored, pro-India actor. The APT has previously targeted victims in Pakistan and South Asia.
“We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes,” said Kumar and Del Rosso.
Threatpost WEBINAR: Is your small- to medium-sized business an easy mark for attackers? Save your spot for “15 Cybersecurity Gaffes SMBs Make,” a FREE Threatpost webinar on Feb. 24 at 2 p.m. ET. Cybercriminals count on you making these mistakes, but our experts will help you lock down your small- to mid-sized business like it was a Fortune 100. Register NOW for this LIVE webinar on Wed., Feb. 24.