Security researchers at Lookout have discovered two variants of Android spyware linked to hacking campaigns backed by India.

The two variants, named Hornbill and SunBird, have been attributed to the state-backed hacking group Confucius, which is believed to be funded by India.

Confucius was first spotted in 2013 and is said to have carried out attacks against government agencies in Southeast Asia, among other targets.

According to the security firm, the hacking group appears to be behind the two new spyware variants. This Android spyware focuses on compromising the WhatsApp application and stealing users' conversations.

The analysis shows that Hornbill is based on MobileSpy, a stalkerware app that allowed remote monitoring of Android devices. SunBird, on the other hand, appears to share a codebase with BuzzOut, an older form of spyware developed in India.

Confucius used ChatSpy in 2017, but both Hornbill and SunBird are believed to have been used by the group before that malware. Experts believe SunBird was active from 2016 to early 2019, while Hornbill was still found in attacks as recently as December 2020.

Lookout researchers say both forms of spyware abuse Android's accessibility services to compromise WhatsApp and steal information and conversations, without needing root access or a jailbroken device.

The applications carrying the spyware appear to be hosted outside of Google Play and offered as software packages (e.g. the fake "Google Security Framework", local news apps, applications related to Islam and sports applications). According to Lookout researchers, most of these applications seem to target the Muslim population.
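The two traits above (accessibility access granted to an app, and the app arriving from outside Google Play) are something a defender can check for on a device. The following triage helper is an added example, not Lookout's or the malware authors' code: it parses the text of two `adb shell` commands (`settings get secure enabled_accessibility_services` and `pm list packages -i`), flags enabled accessibility services whose package is not on an allowlist, and notes whether that package was installed by the Play Store. The allowlist and the sample device output are constructed for the example.

```python
"""Added triage helper (not from the original report): flag enabled
Android accessibility services outside an allowlist and show their installer."""
from typing import Dict, List

# Hypothetical allowlist; an operator replaces it with the fleet's approved services.
KNOWN_GOOD = {"com.google.android.marvin.talkback"}
PLAY_STORE = "com.android.vending"


def parse_enabled_services(value: str) -> List[tuple]:
    """Parse 'settings get secure enabled_accessibility_services': colon-separated
    ComponentName strings like 'pkg/cls:pkg2/.RelCls'; a leading '.' is relative."""
    value = value.strip()
    if not value or value == "null":
        return []
    out = []
    for entry in value.split(":"):
        pkg, _, cls = entry.partition("/")
        if cls.startswith("."):
            cls = pkg + cls
        out.append((pkg, cls))
    return out


def parse_installers(pm_output: str) -> Dict[str, str]:
    """Parse 'pm list packages -i' lines: 'package:<pkg>  installer=<pkg|null>'."""
    installers = {}
    for line in pm_output.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        pkg, _, inst = line[len("package:"):].partition("installer=")
        installers[pkg.strip()] = inst.strip() or "null"
    return installers


def flag_suspicious(setting_value: str, pm_output: str, allowlist=KNOWN_GOOD) -> List[dict]:
    """One record per enabled service whose package is not allowlisted, with the
    installer so that sideloaded holders of accessibility access stand out."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, cls in parse_enabled_services(setting_value):
        if pkg in allowlist:
            continue
        inst = installers.get(pkg, "unknown")
        findings.append({"package": pkg, "service": cls, "installer": inst,
                         "sideloaded": inst != PLAY_STORE})
    return findings


# Constructed sample output (not from a real device); the second package imitates
# the fake "Google Security Framework" lure described in the report.
SAMPLE_SETTING = ("com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService"
                  ":com.example.gsf.security/.AccessService")
SAMPLE_PM = """package:com.google.android.marvin.talkback  installer=com.android.vending
package:com.example.gsf.security  installer=null
package:com.whatsapp  installer=com.android.vending
"""

if __name__ == "__main__":
    for finding in flag_suspicious(SAMPLE_SETTING, SAMPLE_PM):
        print(finding)
```

On a managed fleet the same logic applies to MDM inventory exports; an unknown package holding accessibility access and installed with `installer=null` is the combination worth escalating.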

The analyses showed that Hornbill and SunBird spy on their targets in different ways. Hornbill is described as a "discreet surveillance tool" designed to steal specific data of interest to the operator. SunBird, by contrast, contains Remote Access Trojan (RAT) functionality and can deploy additional malware and operate the device remotely.

However, both spyware variants can steal data such as device IDs, call logs, WhatsApp voice notes, contact lists and location information. In addition, they can request administrator rights on a device, take screenshots and photos, and record calls and ambient sound.

SunBird is the more sophisticated of the two. In addition to the above, it can collect browser history, calendar information, BlackBerry Messenger (BBM) content and further WhatsApp items, including documents, databases and images.

Source: zDNet