A previously undiscovered Android spyware strain has been caught by researchers at Lookout, a cybersecurity firm. This particular threat is believed to have been part of the operations of an APT (Advanced Persistent Threat) group called Confucius. This hacker collective has been active since at least 2013 and is believed to be state-sponsored. Confucius has displayed some pro-Indian connections. The group's targets are mainly Pakistani nationals, including military personnel. Other victims include nuclear agencies and Indian election officials.
SunBird was deployed in a series of attacks that took place between 2006 and 2019, while the threat was still under active development. More recent operations associated with Confucius have instead deployed Hornbill, a new Android spyware threat whose functionality overlaps in certain areas with SunBird's. SunBird, however, is the more powerful of the two malware tools, with a larger set of malicious features.
The underlying code of SunBird appears to have taken some cues from the codebase of an older Indian spyware threat named BuzzOut. As an initial breach vector, the hackers used fake mobile applications hosted on unofficial platforms. To lure users into downloading them, the malicious applications posed as local news aggregators, sport-related applications, Islam-focused applications, and a 'Google Security Framework.'
Once inside the target's device, SunBird acted both as a data-stealer and a RAT (Remote Access Trojan). The threat could harvest sensitive data from WhatsApp, such as documents, databases, and images, and then exfiltrate it to its Command-and-Control servers (C2, C&C) without the need for root access. During its data harvesting routine, SunBird also collected device identifiers, contact lists, call logs, GPS location, browser history, BlackBerry Messenger content, and calendar information. SunBird would also try to gain administrator privileges that allowed it to take arbitrary photos and screenshots, as well as record audio.
The attackers could leverage SunBird's RAT capabilities to drop additional malware threats onto the already compromised device.