An ongoing attack campaign against Android users in Pakistan has been uncovered by researchers at the cybersecurity firm Lookout. According to their research, the operation deploys an Android spyware strain named Hornbill to compromised devices. The threat is delivered inside mobile applications hosted on third-party platforms, outside the official Google Play Store. The malicious applications pose as a 'Google Security Framework' package, as various sports-related applications, local news aggregators and Islam-focused applications. The vast majority of the fake applications appear to be designed to target Muslim users specifically.
Analysis of Hornbill indicates that it was most likely built on the code of MobileSpy, a commercial remote-monitoring product for Android that was sold openly and retired in 2018. Hornbill, however, has been streamlined: rather than grabbing as much data as possible, the attackers focus on select information from the compromised device. In particular, Hornbill is designed to target WhatsApp and access sensitive conversation data. Apart from WhatsApp, the threat is also capable of harvesting the device's identifiers, call logs, GPS location and contact list. Hornbill will try to obtain device administrator privileges and, if the user grants them, it can take arbitrary screenshots, capture photos, and record audio both during active calls and as a passive listening tool. By abusing the Android accessibility service features, Hornbill is able to detect and record active WhatsApp conversations.
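The two Android permissions Hornbill abuses, accessibility services and device administrator rights, are both enumerable from a device with `adb`, which makes them a useful triage point for anyone checking a handset in this campaign's target population. The helper below is an added example written for this page, not Lookout's tooling or anything from the Hornbill samples. It parses the output of `adb shell settings get secure enabled_accessibility_services` (colon-separated `package/service` entries, or `null` when none are enabled), `adb shell pm list packages -3` (`package:<name>` lines for non-system apps) and the `ComponentInfo{package/class}` entries in `adb shell dumpsys device_policy`; the exact layout of that last dump is an assumption, so the regex only relies on the `ComponentInfo{...}` token. All sample inputs and package names are constructed for illustration and are not indicators from the real campaign.

```python
import re

# Constructed sample output (not captured from a real device) in the shape of:
#   adb shell settings get secure enabled_accessibility_services
SAMPLE_ENABLED_A11Y = (
    "com.google.android.marvin.talkback/com.google.android.marvin.talkback.TalkBackService:"
    "com.example.securityframework/.WhatsAppWatcherService"
)

# Constructed sample output in the shape of:  adb shell pm list packages -3
SAMPLE_THIRD_PARTY = """package:com.example.securityframework
package:org.example.cricketscores
package:com.whatsapp
"""

# Constructed fragment in the assumed shape of:  adb shell dumpsys device_policy
# Only the ComponentInfo{pkg/cls} tokens are parsed; the surrounding layout is an assumption.
SAMPLE_DEVICE_POLICY = """Current Device Policy Manager state:
  Enabled Device Admins (User 0, provisioningState: 0):
    ComponentInfo{com.example.securityframework/com.example.securityframework.AdminReceiver}:
      uid=10123
"""

# Packages whose accessibility service is expected on a typical device (assumed allowlist;
# extend it for the screen readers or automation tools you actually deploy).
KNOWN_A11Y_PACKAGES = {"com.google.android.marvin.talkback"}


def parse_enabled_accessibility(value):
    """Return the list of 'package/service' entries; 'null' or empty means none enabled."""
    if not value or value.strip() == "null":
        return []
    return [entry.strip() for entry in value.split(":") if entry.strip()]


def parse_package_list(text):
    """Return the set of package names from 'package:<name>' lines."""
    return {
        line[len("package:"):].strip()
        for line in text.splitlines()
        if line.startswith("package:")
    }


def parse_device_admins(text):
    """Return the set of packages that hold an active device-admin component."""
    return {m.group(1) for m in re.finditer(r"ComponentInfo\{([^/}]+)/[^}]*\}", text)}


def triage(a11y_value, third_party_text, device_policy_text):
    """Flag packages that combine the privileges Hornbill is reported to abuse.

    Returns a list of (package, [reasons]) pairs. An accessibility service from a
    package outside the allowlist is always reported; being a non-system package
    and holding device admin are added as aggravating reasons. Non-system packages
    that hold device admin without an accessibility service are reported too.
    """
    third_party = parse_package_list(third_party_text)
    admins = parse_device_admins(device_policy_text)
    findings = []

    for service in parse_enabled_accessibility(a11y_value):
        pkg = service.split("/", 1)[0]
        if pkg in KNOWN_A11Y_PACKAGES:
            continue
        reasons = ["accessibility service enabled: " + service]
        if pkg in third_party:
            reasons.append("non-system package")
        if pkg in admins:
            reasons.append("holds device admin")
        findings.append((pkg, reasons))

    already = {pkg for pkg, _ in findings}
    for pkg in sorted(admins - already):
        if pkg in third_party:
            findings.append((pkg, ["holds device admin", "non-system package"]))
    return findings


if __name__ == "__main__":
    for pkg, reasons in triage(SAMPLE_ENABLED_A11Y, SAMPLE_THIRD_PARTY, SAMPLE_DEVICE_POLICY):
        print(pkg)
        for reason in reasons:
            print("  -", reason)
```

On a real handset, feed the three commands' output into `triage()`; a non-system package that both runs an accessibility service and holds device admin is exactly the privilege combination described above and deserves a closer look, even though neither privilege is malicious on its own (screen readers and corporate MDM agents legitimately use them).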
Hornbill is Linked to the Pro-Indian APT Group Confucius
The APT (Advanced Persistent Threat) group Confucius is believed to be responsible for the current campaign delivering Hornbill. The group was first detected in 2013 and has been active since. Although attribution has not been confirmed, Confucius is widely assessed to be a state-sponsored group with pro-Indian ties. Its past targets include Pakistani military personnel, nuclear agencies, and Indian election officials.
The group's arsenal includes three distinct mobile surveillance tools. The first to be detected was ChatSpy, observed as a surveillance tool in 2017. Researchers then identified an Android spyware called SunBird; although it was discovered later, SunBird is believed to predate ChatSpy. Hornbill is the most recent Confucius-linked malware to be observed in active campaigns.