Android spyware found to be linked to state-sponsored Confucius APT

Lookout, a cybersecurity firm, said on Tuesday that two Android spyware families, dubbed Hornbill and SunBird, have been delivered as fake Android apps by the Confucius advanced persistent threat (APT) group since 2013.

The APT is thought to be state-sponsored and to have pro-India ties. It has been linked to attacks against Southeast Asian government entities and to targeting of Pakistani military professionals, Indian election officials and nuclear agencies.

The detected apps are used by the group to take photos with the camera, request elevated privileges and scrape WhatsApp messages.

According to Lookout researchers Apurva Kumar and Kristin Del Rosso, apps associated with SunBird have more extensive capabilities than Hornbill.

“Locally on the infected device, the data is collected in SQLite databases which are then compressed into ZIP files as they are uploaded to C2 infrastructure,” the researchers said.

Following are the counterfeit applications the group published to carry out its espionage operations:

  • “Google Security Framework”,
  • “Kashmir News”,
  • “Falconry Connect”,
  • “Mania Soccer”,
  • and “Quran Majeed”.

The data that SunBird can gather:

  • List of installed apps,
  • Browser history,
  • Calendar information,
  • BBM audio files, documents and images,
  • WhatsApp audio, images and voice notes,
  • Content from the IMO messaging application.

SunBird-powered apps can perform the following actions:

  • Download suspicious content through FTP shares,
  • Run arbitrary commands as root,
  • Scrape BBM messages, contacts, and notifications

Falconry Connect is one such app powered by SunBird. The malicious code sits within the APK under an unremarkable location, com.falconry.sun.SunServices. The misleading part is the use of “Sun” in both the namespace and the directory names, so that an analyst may assume these folders are associated with Sun Microsystems, the originator of the Java programming language.

This app can exfiltrate user data to the C2 server sunshinereal.000webhostapp[.]com, making periodic calls to different PHP endpoints. The domain isn’t spelled out as such within the code. The source code also contains a reference to accessing the “/DCIM/Camera” folder.

The Hornbill strains are more passive in nature, according to Lookout, which states that the strain has been used as a reconnaissance tool, consuming minimal resources and battery power.

However, Hornbill is found to be more interested in monitoring users’ WhatsApp activity.

“In addition to exfiltrating message content and sender information of messages, Hornbill records WhatsApp calls by detecting an active call by abusing Android’s accessibility services,” said the researchers at Lookout.

“The exploitation of Android’s accessibility services in this manner is a trend we are observing frequently in Android surveillanceware. This enables the threat actor to avoid the need for privilege escalation on a device,” the researchers added.
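Because accessibility-service abuse lets surveillanceware like Hornbill avoid privilege escalation, the services a device has enabled are worth auditing. The following is an added example written for this article, not code from Lookout or from the malware; it parses a value in the format returned by `adb shell settings get secure enabled_accessibility_services` and flags any service whose package is not on a constructed allowlist (the package names in the sample are assumptions).

```python
# Added example: triage the accessibility services enabled on an Android device.
# Input format matches the output of
#   adb shell settings get secure enabled_accessibility_services
# which is a colon-separated list of "package/class" component names; a class
# beginning with "." is shorthand for package + class. An unset value is "null".

# Assumption: packages a fleet administrator has vetted (constructed allowlist).
KNOWN_GOOD_PACKAGES = {
    "com.google.android.marvin.talkback",
    "com.android.switchaccess",
}


def parse_enabled_services(raw):
    """Return (package, fully qualified class) pairs from the settings value."""
    raw = raw.strip()
    if not raw or raw == "null":
        return []
    services = []
    for component in raw.split(":"):
        if not component or "/" not in component:
            continue  # malformed entry: skip it rather than abort the audit
        package, cls = component.split("/", 1)
        if cls.startswith("."):
            cls = package + cls  # expand the short class form
        services.append((package, cls))
    return services


def audit_accessibility_services(raw, allowlist=KNOWN_GOOD_PACKAGES):
    """Return enabled accessibility service components not on the allowlist."""
    return [
        f"{pkg}/{cls}"
        for pkg, cls in parse_enabled_services(raw)
        if pkg not in allowlist
    ]


# Constructed sample: TalkBack plus a fictitious sideloaded app's service.
SAMPLE_SETTING = (
    "com.google.android.marvin.talkback/"
    "com.google.android.marvin.talkback.TalkBackService:"
    "com.example.newsreader/.CallWatchService"
)

if __name__ == "__main__":
    for hit in audit_accessibility_services(SAMPLE_SETTING):
        print("review:", hit)
```

Any flagged component should be checked against the app's declared `AccessibilityService` and its install source before it is trusted.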