The two malware families have innovative capabilities to exfiltrate SMS messages, WhatsApp messaging content and geolocation.
Researchers have uncovered two novel Android surveillanceware families being used by an advanced persistent threat (APT) group to target military, nuclear and election entities in Pakistan and Kashmir.
The two malware families, which researchers call “Hornbill” and “SunBird,” have sophisticated capabilities to exfiltrate SMS messages, encrypted messaging app content and geolocation, as well as other types of sensitive data.
Researchers first observed Hornbill as early as May 2018, with more recent samples of the malware emerging in December 2020. They said the first SunBird sample dates back to 2017 and was last seen active in December 2019.
“Hornbill and SunBird have both similarities and differences in the way they operate on an infected device,” said Apurva Kumar, staff security intelligence engineer, and Kristin Del Rosso, senior security intelligence researcher, with Lookout, on Thursday. “While SunBird features remote access trojan (RAT) functionality – a malware that can execute commands on an infected device as directed by an attacker – Hornbill is a discreet surveillance tool used to extract a selected set of data of interest to its operator.”
Malware Attack Targeting Military, Nuclear, Election Entities
The malware strains were found in attacks targeting personnel linked to Pakistan’s military and various nuclear authorities, and Indian election officials in Kashmir. Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley (and a previous target for other Android malware threat actors).
“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for SunBird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan,” Kumar told Threatpost. “According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted.”
For instance, attackers targeted an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force, as well as officers responsible for electoral rolls located in the Pulwama district of Kashmir.
SunBird samples hosted on third-party app stores. Credit: Lookout
With regard to the initial attack vectors for the malware samples, researchers pointed to samples of SunBird found hosted on third-party app stores, providing a clue to one possible distribution mechanism. However, researchers have not yet discovered SunBird on the official Google Play marketplace.
SunBird has been disguised as applications such as security services (like a fictional “Google Security Framework”), applications tied to specific locations (like “Kashmir News”) or activities (including “Falconry Connect” or “Mania Soccer”). Researchers said the majority of these applications appear to target Muslim individuals. Meanwhile, Hornbill apps impersonate various chat applications (such as Fruit Chat, Cucu Chat and Kako Chat) and system applications.
“Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware,” said Kumar and Del Rosso. “No use of exploits was observed directly by Lookout researchers.”
Malware Surveillance Capabilities
Both malware families have a wide range of data exfiltration capabilities. They are able to collect call logs, contacts, device metadata (such as phone numbers, models, manufacturers and Android operating system version), geolocation, images stored on external storage and WhatsApp voice notes.
In addition, both families can request device administrator privileges, take screenshots of whatever victims are currently viewing on their devices, take photos with the device camera, record environment and call audio, and scrape WhatsApp messages, contacts and notifications (via the Android accessibility service feature).
SunBird has a more extensive set of malicious functionalities than Hornbill, with the ability to upload all data at regular intervals to its C2 servers. For instance, SunBird can also collect a list of installed applications on the victims’ devices, browser history, calendar information, WhatsApp audio files, documents, databases, images and more. And it can run arbitrary commands as root or download attacker-specified content from FTP shares.
“In contrast, Hornbill is more of a passive reconnaissance tool than SunBird,” said Kumar and Del Rosso. “Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low.”
Researchers named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh in India, where they believe the developers of Hornbill are located. SunBird’s name, meanwhile, stemmed from the malicious services within the malware called “SunService” – and the sunbird is also native to India, they said.
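The capability profile the article describes (device administrator privileges, an accessibility service for scraping WhatsApp, plus permissions to read SMS, call logs, contacts, location, external storage, the calendar, the camera and the microphone) is something an analyst can check for in a decoded AndroidManifest.xml before looking at any code. The following Python script is an added example written for this page; it is not Lookout's tooling and does not come from the malware samples. It parses a manifest as produced by a decompiler such as apktool, maps declared permissions and component binding permissions onto the capability categories listed above, and applies a constructed heuristic: a chat app legitimately asks for contacts, camera, microphone and storage, but device admin combined with an accessibility service on top of broad data access is the combination worth a manual look. The two manifests, the package names and the threshold are constructed for illustration.

```python
"""Triage a decoded AndroidManifest.xml for the surveillanceware capability
profile described in the article. Added example, not Lookout's code; the
sample manifests, package names and scoring threshold are constructed."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"


def _a(attr):
    # Namespaced attribute key as ElementTree sees android:attr in a manifest
    return "{%s}%s" % (ANDROID_NS, attr)


# <uses-permission> entries that map onto the data the article says is collected.
SURVEILLANCE_PERMISSIONS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_logs",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.ACCESS_FINE_LOCATION": "geolocation",
    "android.permission.ACCESS_COARSE_LOCATION": "geolocation",
    "android.permission.READ_EXTERNAL_STORAGE": "external_storage",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "audio",
}

# Device admin and accessibility are declared via the binding permission on
# a <receiver> or <service>, not via <uses-permission>.
COMPONENT_BIND_PERMISSIONS = {
    "android.permission.BIND_DEVICE_ADMIN": "device_admin",
    "android.permission.BIND_ACCESSIBILITY_SERVICE": "accessibility_service",
}


def triage_manifest(xml_text):
    """Return the package name, the capability categories found, a count, and a
    constructed 'suspicious' verdict for one decoded manifest."""
    root = ET.fromstring(xml_text)
    capabilities = set()
    for node in root.iter("uses-permission"):
        name = node.get(_a("name"), "")
        if name in SURVEILLANCE_PERMISSIONS:
            capabilities.add(SURVEILLANCE_PERMISSIONS[name])
    for tag in ("receiver", "service"):
        for node in root.iter(tag):
            perm = node.get(_a("permission"), "")
            if perm in COMPONENT_BIND_PERMISSIONS:
                capabilities.add(COMPONENT_BIND_PERMISSIONS[perm])
    score = len(capabilities)
    # Constructed heuristic: admin + accessibility together, or very broad
    # data access, flags the sample for manual review.
    suspicious = (
        {"device_admin", "accessibility_service"} <= capabilities or score >= 7
    )
    return {
        "package": root.get("package"),
        "capabilities": sorted(capabilities),
        "score": score,
        "suspicious": suspicious,
    }


# Constructed manifest of an ordinary chat app: contacts, camera, mic, storage.
BENIGN_CHAT_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>"""

# Constructed manifest of the same app trojanized with the article's profile.
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat.trojanized">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_CALENDAR"/>
  <application>
    <activity android:name=".MainActivity"/>
    <receiver android:name=".AdminReceiver"
        android:permission="android.permission.BIND_DEVICE_ADMIN"/>
    <service android:name=".SunService"
        android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    for manifest in (BENIGN_CHAT_MANIFEST, SUSPICIOUS_MANIFEST):
        print(triage_manifest(manifest))
```

On a real sample the input is the manifest from the decoded APK; the verdict is only a prioritisation hint, since a legitimate launcher or MDM agent can also declare device admin or accessibility, which is why the categories are returned alongside the score rather than collapsed into it.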
State-Sponsored APT Behind The Cyberattack
The malware families have been linked “with high confidence” to the APT Confucius. This APT has been on the cybercrime scene since 2013 as a state-sponsored, pro-India actor. The APT has previously targeted victims in Pakistan and South Asia.
“We are confident SunBird and Hornbill are two tools used by the same actor, possibly for different surveillance purposes,” said Kumar and Del Rosso.