Pro-India hacking group expands mobile malware arsenal

Lookout found links between commercial stalkerware and the suspected state-backed activity.
Flag of India (Adam Jones / Flickr)

A pro-India hacking group has been using two kinds of invasive Android surveillance software to spy on hundreds of victims’ cell phones for years, according to Lookout research published Thursday.

The malware, which the researchers have dubbed SunBird and Hornbill, are capable of exfiltrating several kinds of sensitive data, including text messages, call logs, contacts, the contents of encrypted messaging applications and target geolocation. The spyware also allows hackers to take pictures with the targets’ cameras or take screenshots of their devices, according to the research.

It’s the kind of information that could reveal targets’ most sensitive and secretive day-to-day lives.

In order to assess the scope of the operation and its victims, Lookout researchers examined 18GB of data that were incidentally exposed as a result of the hackers insecurely configuring command and control servers. Overall, the attackers targeted 156 victims with phone numbers from India, Pakistan and Kazakhstan over the last several years, according to Lookout.


Targets included someone who was applying for a position to work at the Pakistan Atomic Energy Commission, an agency which “may be of particular interest to a state sponsored actor aligned with India,” the researchers note in their report. India and Pakistan have long had strained ties over the ongoing territorial conflict over Kashmir.

Other targets included people with contacts at the Pakistan Air Force and officials working on election issues in a district in Kashmir just after a suicide bombing had taken place there, according to Lookout.

SunBird and Hornbill date back to 2016 and 2018 respectively, but the timing of Hornbill’s most recent updates suggest it could still be in active use today, Lookout said.

Lookout researchers suspect the operation is connected with the advanced persistent threat group known Confucius, which has long had a penchant for going after targets in Pakistan and South Asia broadly, according to previous research from Trend Micro. One of SunBird’s command and control domains resolved to an IP address that has overlaps with known Confucius infrastructure, for instance, Lookout found. Hornbill, like Confucius, tends to imitate legitimate chat applications and has other similarities, according to Lookout.

Confucius is believed to have been active since at least 2013. While previous research has indicated that the Confucius group has turned to mobile spying tools at least once before to exploit victims, the new findings from Lookout suggest the group has been using mobile spying techniques far longer than previously thought.


The majority of the data that appeared to have been exfiltrated using SunBird zeroed in on call logs, according to the exfiltrated data. But some of the most concerning surveillance carried out by the threat actors behind SunBird and Hornbill is rooted in the malware’s ability to monitor encrypted chat applications, said Apurva Kumar, staff security intelligence engineer at Lookout.

“One characteristic of Hornbill and SunBird that stands out is their intense focus on exfiltrating a target’s communications via WhatsApp,” said Kumar. “In both cases, the surveillanceware abused the Android accessibility services in a variety of ways to exfiltrate communications without the need for root access. SunBird can also record calls made through WhatsApp’s VoIP service, exfiltrate data on applications such as BlackBerry Messenger … as well as execute attacker-specified commands on an infected device.”

Connections to commercial surveillance

Lookout’s findings expose some possible connections between the suspected state-sponsored activity and several commercial surveillance software operations.

The origins of the Hornbill malware, appear to be connected with a particularly pernicious commercial spyware product used to target romantic partners called MobileSpy. The Federal Trade Commission recently took action against the MobileSpy developer, Retina-X, for lacking security practices. SunBird also appeared to have code overlaps with another so-called stalkerware strain called BuzzOut, which was developed by India-based cyber-operators, according to the researchers.


It was not clear if the developers of the commercial surveillance software were involved in the creation of the surveillance software used by the pro-India hacking group, but Retina-X closed down operations in 2018 after it was hacked twice.

But the discovery that there are overlaps between the suspected state-backed operation and the commercial spyware products in India suggests the state-sponsored hackers in India are at least aware of, if not drawing inspiration from, commercial surveillance shops.

Some of the exfiltrated data researchers found on SunBird’s infrastructure through the investigation reveal further connections with other stalkerware operations, according to Lookout. The information on the infrastructure, for instance, contained information about stalkerware victims that were traveling in India and the United Arab Emirates, as well as Pakistani nationals and victims in the U.S. and Europe.

“Based on the locale and country code information of infected devices and exfiltrated content, we think SunBird may have roots as a commercial Android surveillanceware,” the researchers write in the report.

India’s ecosystem of surveillance services and spyware technology has been exploding in recent years. India-based cybersecurity firms such as BellTroX, have been acting as a cyber mercenary group and hacking targets around the world on behalf of clients. Another hack-for-hire shop, called CostaRicto, has been running cyber-operations against Indian targets, according to previous BlackBerry research.


Spyware developed by Israeli software surveillance company NSO Group has also reportedly been leveraged against human rights activists in India, according to Citizen Lab and Amnesty International.

Governments have begun paying attention to the harms that the export of invasive surveillance tools can cause, and are working to change the rules of the road on the sale and transfer of spyware. The European Parliament has been working in recent months, for instance, to curtail the exportation of dual use surveillance technologies that could be used for both legitimate and malicious reasons.

Amnesty International has tried to curtail NSO Group’s export license in Israeli court in order to try preventing its software from being used to target human rights defenders, journalists and dissidents.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts