A pro-India hacking group has been using two kinds of invasive Android surveillance software to spy on hundreds of victims’ cell phones for years, according to Lookout research published Thursday.
Lookout Discovered State-Sponsored Hacking Campaigns
Cybersecurity firm Lookout’s threat intelligence team discovered two novel malware strains, which they dubbed SunBird and Hornbill. Both strains are Android spyware and are linked to a pro-India advanced persistent threat (APT) group called Confucius.
Hornbill is based on MobileSpy, a commercial stalkerware app used for remotely monitoring Android devices; that app was deactivated in 2018. SunBird’s codebase, on the other hand, is similar to BuzzOut, another spyware product developed in India.
Confucius Targeting Southeast Asian Countries
The group, which is believed to be state-sponsored, was first discovered in 2013 and has so far mainly targeted Southeast Asian countries, including Pakistan. It is now targeting Pakistani military personnel and nuclear agencies, along with Indian election officials in Kashmir.
“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for Sunbird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan. According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted,” Lookout researchers noted.
In order to assess the scope of the operation and its victims, Lookout researchers examined 18GB of data that were incidentally exposed as a result of the hackers insecurely configuring command and control servers. Overall, the attackers targeted 156 victims with phone numbers from India, Pakistan and Kazakhstan over the last several years, according to Lookout.
Targets included someone who was applying for a position to work at the Pakistan Atomic Energy Commission, an agency which “may be of particular interest to a state sponsored actor aligned with India,” the researchers note in their report. India and Pakistan have long had strained ties over the ongoing territorial conflict over Kashmir.
Other targets included people with contacts at the Pakistan Air Force and officials working on election issues in a district in Kashmir just after a suicide bombing had taken place there, according to Lookout.
Malware Records WhatsApp Conversations
The malware strains, which the researchers have dubbed SunBird and Hornbill, are capable of exfiltrating several kinds of sensitive data, including text messages, call logs, contacts, the contents of encrypted messaging applications and target geolocation.
The spyware also allows hackers to take pictures with the targets’ cameras or take screenshots of their devices, according to the research.
Both Hornbill and SunBird abuse Android accessibility services to exfiltrate WhatsApp conversations without needing a jailbroken device or root access.

The spyware employs different tactics to conduct espionage. Hornbill serves as a ‘discreet surveillance tool’ that steals selective data. SunBird has all the functionalities found in a remote access trojan (RAT). It performs remote hijacking of the device and deploys additional malware.
Malicious Apps Distributing Spyware
The malware is distributed via mobile apps hosted on third-party platforms. These apps are presented as local news aggregators, sports software, Islam-related apps, and a fake Google Security Framework. It is apparent that the main target of the malware is the Muslim population.

According to Lookout’s analysis, both malware variants steal similar kinds of data, including device identifiers, WhatsApp voice notes, call logs, contact lists, and GPS data. Both can request administrator privileges, capture screenshots and photos, and record audio, not only while calls are taking place but also as environmental noise.
SunBird can also collect browser history, calendar information, WhatsApp documents, images, databases, and BlackBerry Messenger content. It uploads the stolen data to a C2 server more regularly than Hornbill.
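A device-triage check for the behaviour described above (apps installed from outside a trusted store that hold an enabled accessibility service), added here as an example and not taken from Lookout's report. It parses the output of `adb shell pm list packages -3 -i` and `adb shell settings get secure enabled_accessibility_services`; the sample output and package names are constructed, and the trusted-installer set is an assumption.

```python
import re

# Assumption: only Google Play counts as a trusted installer; add your MDM or
# OEM store for a managed fleet.
TRUSTED_INSTALLERS = {"com.android.vending"}

# Constructed sample of `adb shell pm list packages -3 -i` (third-party apps
# with their installer). Package names are invented placeholders.
PM_LIST = """\
package:com.example.newsreader  installer=null
package:com.example.scores  installer=com.android.packageinstaller
package:com.example.passwords  installer=com.android.vending
package:com.example.chat  installer=com.android.vending
"""

# Constructed sample of
# `adb shell settings get secure enabled_accessibility_services`.
ENABLED_A11Y = ":".join([
    "com.example.newsreader/com.example.newsreader.SyncService",
    "com.example.scores/.LiveService",
    "com.google.android.marvin.talkback/.TalkBackService",  # preinstalled
    "com.example.passwords/.AutofillService",
])

def parse_installers(pm_output):
    """Map package -> installer package (None when recorded as 'null')."""
    installers = {}
    for line in pm_output.splitlines():
        m = re.match(r"package:(\S+)\s+installer=(\S+)", line.strip())
        if m:
            installers[m.group(1)] = None if m.group(2) == "null" else m.group(2)
    return installers

def parse_services(value):
    """Split 'pkg/cls:pkg/cls' into {pkg: [cls, ...]}; 'null' yields {}."""
    services = {}
    for comp in value.strip().split(":"):
        if "/" in comp:
            pkg, cls = comp.split("/", 1)
            services.setdefault(pkg, []).append(cls)
    return services

def triage(a11y_value, pm_output):
    """Return (package, installer, services) for third-party apps that hold an
    accessibility service and were not installed by a trusted store."""
    installers = parse_installers(pm_output)
    findings = []
    for pkg, classes in sorted(parse_services(a11y_value).items()):
        if pkg not in installers:              # not in the -3 list: preinstalled
            continue
        if installers[pkg] in TRUSTED_INSTALLERS:
            continue
        findings.append((pkg, installers[pkg], classes))
    return findings
```

A hit is a lead for manual review, not a verdict: legitimately sideloaded accessibility tools will also appear in the findings.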
Connections to commercial surveillance
Lookout’s findings expose some possible connections between the suspected state-sponsored activity and several commercial surveillance software operations.
The origins of the Hornbill malware appear to be connected with MobileSpy, a particularly pernicious commercial spyware product used to target romantic partners. The Federal Trade Commission recently took action against the MobileSpy developer, Retina-X, for lacking security practices. SunBird also appeared to have code overlaps with another so-called stalkerware strain called BuzzOut, which was developed by India-based cyber-operators, according to the researchers.
It was not clear if the developers of the commercial surveillance software were involved in the creation of the surveillance software used by the pro-India hacking group, but Retina-X closed down operations in 2018 after it was hacked twice.
But the discovery that there are overlaps between the suspected state-backed operation and the commercial spyware products in India suggests the state-sponsored hackers in India are at least aware of, if not drawing inspiration from, commercial surveillance shops.
Some of the exfiltrated data researchers found on SunBird’s infrastructure during the investigation reveals further connections with other stalkerware operations, according to Lookout. The infrastructure, for instance, contained information about stalkerware victims who were traveling in India and the United Arab Emirates, as well as Pakistani nationals and victims in the U.S. and Europe.
“Based on the locale and country code information of infected devices and exfiltrated content, we think SunBird may have roots as a commercial Android surveillanceware,” the researchers write in the report.
India’s ecosystem of surveillance services and spyware technology has been exploding in recent years. India-based cybersecurity firms such as BellTroX have been acting as cyber mercenary groups, hacking targets around the world on behalf of clients.
Another hack-for-hire shop, called CostaRicto, has been running cyber-operations against Indian targets, according to previous BlackBerry research.
Spyware developed by Israeli software surveillance company NSO Group has also reportedly been leveraged against human rights activists in India, according to Citizen Lab and Amnesty International.
Governments have begun paying attention to the harms that the export of invasive surveillance tools can cause, and are working to change the rules of the road on the sale and transfer of spyware.
The European Parliament has been working in recent months, for instance, to curtail the export of dual-use surveillance technologies that could be used for both legitimate and malicious reasons.
Amnesty International has tried to curtail NSO Group’s export license in Israeli court in an effort to prevent its software from being used to target human rights defenders, journalists and dissidents.