Military, Nuclear Entities Under Target By Novel Android Malware
Researchers have uncovered two novel Android surveillanceware families being used by an advanced persistent threat (APT) group to target military, nuclear and election entities in Pakistan and Kashmir.
Malware Attack Targeting Military, Nuclear, Election Entities
The malware strains were seen in attacks targeting personnel linked to Pakistan’s military and various nuclear authorities, and Indian election officials in Kashmir. Kashmiris are a Dardic ethnic group native to the disputed Kashmir Valley (and a previous target for other Android malware threat actors).
“While the exact number of victims is not known across all campaigns for SunBird and Hornbill, at least 156 victims were identified in a single campaign for SunBird in 2019 and included phone numbers from India, Pakistan, and Kazakhstan,” Kumar told Threatpost. “According to the publicly exposed exfiltrated data we were able to find, individuals in at least 14 different countries were targeted.”
For instance, attackers targeted an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force, as well as officers responsible for electoral rolls located in the Pulwama district of Kashmir.
Regarding the initial attack vectors for the malware samples, researchers pointed to samples of SunBird found hosted on third-party app stores, providing a clue to one possible distribution mechanism. However, researchers have not yet found SunBird on the official Google Play marketplace.
SunBird has been disguised as applications such as security services (including a fictional “Google Security Framework”), apps tied to specific locations (such as “Kashmir News”) or activities (including “Falconry Connect” and “Mania Soccer”). Researchers said the majority of these applications appear to target Muslim individuals. Meanwhile, Hornbill applications impersonate various chat apps (such as Fruit Chat, Cucu Chat and Kako Chat) and system applications.
“Considering many of these malware samples are trojanized – as in they contain complete user functionality – social engineering may also play a part in convincing targets to install the malware,” said Kumar and Del Rosso. “No use of exploits was observed directly by Lookout researchers.”
Malware Cybersecurity Surveillance Capabilities
Both malware families have a wide range of data exfiltration capabilities. They are able to collect call logs, contacts, device metadata (such as phone numbers, models, manufacturers and Android operating system version), geolocation, images stored on external storage and WhatsApp voice notes.
In addition, both families can request device administrator privileges, take screenshots of whatever victims are currently viewing on their devices, take photos with the device camera, record environment and call audio, and scrape WhatsApp messages, contacts and notifications (via the Android accessibility service).
SunBird has a more extensive set of malicious functionalities than Hornbill, including the ability to upload all collected data to its C2 servers at regular intervals. SunBird can also collect the list of installed applications on the victims’ devices, browser history, calendar information, WhatsApp audio files, documents, databases, images and more. And it can run arbitrary commands as root or download attacker-specified content from FTP shares.
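Both families lean on two Android mechanisms a defender can audit directly: device administrator rights and the accessibility service. The following POSIX shell helper is an added triage example, not code from the article or from Lookout. It parses the colon-separated value that `adb shell settings get secure enabled_accessibility_services` returns (or the literal `null` when no service is enabled) and prints any enabled accessibility service that is not on an allowlist. The allowlist contents and the sample device value (including the `com.example.fruitchat` service) are constructed for the example.

```shell
#!/bin/sh
# Added triage helper (not from the article): list accessibility services
# enabled on an Android device that are not on an organisation allowlist.
#
# On a real device the input value comes from:
#   adb shell settings get secure enabled_accessibility_services
# which returns entries as pkg/cls:pkg/cls, or the string "null" when none
# are enabled. Here a constructed sample is embedded so the script runs offline.

# Allowlist of expected accessibility services (assumed; adjust per fleet).
ALLOWED="com.android.talkback/com.google.android.marvin.talkback.TalkBackService"

# Constructed sample of a device value: one expected service plus one unknown
# service installed by a chat-style app, the pattern Hornbill lures use.
SAMPLE_SETTING="com.android.talkback/com.google.android.marvin.talkback.TalkBackService:com.example.fruitchat/com.example.fruitchat.NotificationReader"

# Print every enabled service (argument 1, colon-separated) not in $ALLOWED,
# one per line. Returns 0 when the device is clean, 1 when anything is flagged.
flag_unexpected_services() {
    list="$1"
    found=0
    # "null" means the setting is unset: nothing enabled, nothing to flag.
    [ "$list" = "null" ] && return 0
    old_ifs=$IFS
    IFS=:
    for svc in $list; do
        [ -z "$svc" ] && continue
        ok=0
        for a in $ALLOWED; do
            [ "$svc" = "$a" ] && ok=1
        done
        if [ "$ok" -eq 0 ]; then
            echo "$svc"
            found=1
        fi
    done
    IFS=$old_ifs
    return $found
}

# Stand-alone run over the constructed sample.
if flag_unexpected_services "$SAMPLE_SETTING"; then
    echo "no unexpected accessibility services"
else
    echo "review the services listed above (device admin apps can be checked with 'adb shell dumpsys device_policy')"
fi
```

The same pattern applies to device administrator components: pull `adb shell dumpsys device_policy` from the device and compare the enabled admin components against an allowlist. An unknown accessibility service or device admin on a handset of someone in a targeted role is a strong triage lead, because both capabilities are exactly what this surveillanceware needs to read WhatsApp notifications and resist uninstallation.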
“In contrast, Hornbill is more of a passive reconnaissance tool than SunBird,” said Kumar and Del Rosso. “Not only does it target a limited set of data, the malware only uploads data when it initially runs and not at regular intervals like SunBird. After that, it only uploads changes in data to keep mobile data and battery usage low.”
Researchers named Hornbill after the Indian Grey Hornbill, which is the state bird of Chandigarh in India, where they believe the developers of Hornbill are located. SunBird’s name, meanwhile, stemmed from the malicious services within the malware called “SunService” – and the sunbird is also native to India, they said.
The malware families have been linked “with high confidence” to the APT Confucius, a state-sponsored, pro-India actor active since 2013 that has previously targeted victims in Pakistan and South Asia. “We are confident SunBird and Hornbill are two tools used by the same actor, perhaps for different surveillance purposes,” said Kumar and Del Rosso.
Source: https://threatpost.com