US: Pro-India malware spying on Pakistan military

Feb 19, 2021 | Communication Blockade

Both malware programs, circulated as fake Android apps, can access users’ call logs, contacts, images, browser history


Two Android malware programs that emerged in India have been spying on the Pakistani military, according to a US-based cybersecurity company.

In a Feb. 10 statement, Lookout said it has discovered the two malware programs, Hornbill and SunBird, which are used by a cyber group named Confucius that first appeared in 2013 as “a state-sponsored, pro-India actor primarily pursuing Pakistani and other South Asian targets.”

“Targets of these tools include personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir,” the statement said.

“Hornbill and SunBird have sophisticated capabilities to exfiltrate SMS, encrypted messaging app content, and geolocation, among other types of sensitive information,” it added.

Confucius has in the past created malware for Windows operating systems, but the group has been known to develop mobile malware since 2017, when the spying app ChatSpy was created.

While SunBird has a remote access function that lets an attacker execute commands on a device, Hornbill is a surveillance tool that can extract data from users.

“SunBird has been disguised as applications that include Security services, such as the fictional ‘Google Security Framework’, Apps tied to specific locations (‘Kashmir News’) or activities (‘Falconry Connect’ and ‘Mania Soccer’), Islam-related applications (‘Quran Majeed’),” the report said.

The majority of applications appear to target Muslim individuals, the report added.

Both malware programs, which are circulated as fake Android apps, can access users’ call logs, contacts, images and browser history, and can take screenshots and photos with the device camera.

Some major targets included an “individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force (PAF), as well as officers responsible for electoral rolls (Booth Level Officers) located in the Pulwama district of Kashmir”, the analysis found.

“The data included information on victims in Europe and the United States, some of which appear to be targets of spouseware or stalkerware. It also included data on Pakistani nationals in Pakistan, India, and the United Arab Emirates that we believe may be targeted by Confucius APT campaigns between 2018 and 2019,” the detailed report added.

Written by: Ovunc Kutlu | Anadolu Agency