Newly Discovered Android Spyware Linked to State-Sponsored Indian Hackers

Researchers at mobile security firm Lookout have published information on two recently discovered Android spyware families employed by an advanced persistent threat (APT) group named Confucius.


Active since 2013, this pro-India threat actor has focused mainly on Pakistani and other South Asian targets, primarily using desktop malware. In recent years, however, it has also moved into mobile malware; its first Android surveillanceware, ChatSpy, was observed in 2018.


In a new report, Lookout says the group may have started using Android spyware as early as 2017 with SunBird, which has been distributed masquerading as applications aimed mostly at Muslim users.


Believed to have been developed between 2016 and 2019, SunBird has remote access Trojan (RAT) capabilities that let the attackers execute commands on infected devices. Hornbill, which has been in use since May 2018 and remains active, is a more discreet surveillance tool focused on stealing data.


Both families can exfiltrate a broad range of data, including call logs, contacts, device metadata (phone numbers, IMEI/Android IDs, device model, manufacturer and Android version), geolocation, images from external storage, and WhatsApp voice notes.


On infected devices, both request device administrator privileges, capture screenshots, take photos with the device camera, record audio and calls, and use accessibility services to scrape WhatsApp messages, contacts and notifications.
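The two privileges named above, accessibility service access and device administrator rights, are both enumerable on a handset over adb, which gives a responder a quick triage check. The following is an added example (not Lookout's or the article's code): it parses the output of `adb shell settings get secure enabled_accessibility_services` and the "Enabled Device Admins" section of `adb shell dumpsys device_policy`, and reports packages holding either privilege that are not on an allowlist. The sample outputs, package names and allowlist are constructed for the example, and the dumpsys layout is an assumption (it varies by Android release).

```python
"""Triage helper: flag packages holding accessibility or device-admin privileges.

Added example, not the article's or Lookout's code. The sample adb output
below is constructed; the dumpsys device_policy layout is assumed and
varies between Android versions, so adjust ADMIN_RE for your target.
"""
import re

# Constructed sample of: adb shell settings get secure enabled_accessibility_services
ENABLED_ACCESSIBILITY = (
    "com.android.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.prayer/.MessageAccessService"
)

# Constructed sample of (part of): adb shell dumpsys device_policy
DEVICE_POLICY_DUMP = """\
Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    com.example.prayer/.AdminReceiver:
      uid=10123
      testOnlyAdmin=false
    com.google.android.apps.work.clouddpc/.receivers.CloudDeviceAdminReceiver:
      uid=10055
  Other section that must not be parsed as admins:
    com.example.ignored/.SomeComponent
"""

# Packages expected to legitimately hold these privileges on this device (assumed)
ALLOWLIST = {
    "com.android.talkback",
    "com.google.android.apps.work.clouddpc",
}


def parse_accessibility_services(setting):
    """Return package names from a colon-separated list of flattened ComponentNames.

    The setting value looks like 'pkg/ClassName:pkg2/.ClassName'; an empty or
    'null' value means no accessibility service is enabled.
    """
    packages = set()
    if setting is None or setting.strip() == "null":
        return packages
    for component in setting.split(":"):
        component = component.strip()
        if component:
            packages.add(component.split("/", 1)[0])
    return packages


# A component line indented under the admins heading: '    pkg/.Receiver:' (assumed layout)
ADMIN_RE = re.compile(r"^\s{4,}([A-Za-z][\w.]*)/[\w.$]+:?\s*$")


def parse_device_admins(dump):
    """Return package names listed under 'Enabled Device Admins' in a dumpsys dump.

    Only lines indented under that heading are considered; the section ends at
    the next line with less than four leading spaces.
    """
    packages = set()
    in_section = False
    for line in dump.splitlines():
        if "Enabled Device Admins" in line:
            in_section = True
            continue
        if not in_section or not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent < 4:
            in_section = False
            continue
        match = ADMIN_RE.match(line)
        if match:
            packages.add(match.group(1))
    return packages


def suspicious_packages(accessibility_setting, policy_dump, allowlist):
    """Map each non-allowlisted package to the sensitive privileges it holds."""
    findings = {}
    for pkg in parse_accessibility_services(accessibility_setting) - allowlist:
        findings.setdefault(pkg, set()).add("accessibility")
    for pkg in parse_device_admins(policy_dump) - allowlist:
        findings.setdefault(pkg, set()).add("device_admin")
    return findings


if __name__ == "__main__":
    results = suspicious_packages(ENABLED_ACCESSIBILITY, DEVICE_POLICY_DUMP, ALLOWLIST)
    for pkg, privs in sorted(results.items()):
        print(f"{pkg}: {', '.join(sorted(privs))}")
```

A package that holds both privileges and is not something the user or an MDM deliberately installed is a strong candidate for further analysis (pull the APK with `adb pull` and inspect its manifest and accessibility service configuration); a hit on one privilege alone is common for legitimate apps and only warrants a closer look.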


SunBird can additionally exfiltrate the list of installed applications, browser history, calendar data, BlackBerry Messenger (BBM) audio files, documents and images, WhatsApp audio files, documents, databases, voice notes and images, and content from the IMO instant messaging application.


Furthermore, the malware can download content from FTP shares and run arbitrary commands, and attempts to upload all data to the attackers’ command and co ..
