February 11, 2021

Hornbill and Sunbird - Android Surveillanceware/RAT

How Lookout Detects and Protects Against Surveillanceware Campaigns

Lookout Security Intelligence teams are continuously discovering and researching new threats to protect and advise our customers. We do this by combining static and dynamic analysis with our machine learning engine. Devices with Lookout installed detect these two families and alert the user, and Lookout also protects against other sophisticated surveillanceware that could otherwise go undetected.

Key Findings

  • These malware tools have advanced surveillanceware and data exfiltration capabilities.
  • Social engineering is likely the key distribution channel to targeted individuals.
  • Over 18GB of exfiltrated data from at least six C2 servers was discovered and analyzed.

Background and Discovery Timeline

The Lookout Threat Intelligence team has discovered new Android surveillanceware with sophisticated capabilities. Sunbird features remote access trojan (RAT) capabilities that let the attacker execute commands directly on an infected device, while Hornbill operates as a discreet surveillanceware tool that extracts particular data of interest to the attacker.

Capabilities and Affected Parties

Each of these tools has been used to target personnel linked to Pakistan’s military, nuclear authorities, and Indian election officials in Kashmir. Both Hornbill and Sunbird appear to be evolved versions of pre-existing commercial surveillanceware. There is also evidence of them being present across Europe, Southeast Asia, Russia, and the United States.

Considering that apps infected with these two pieces of malware are distributed via third-party app stores, social engineering is likely the most effective way that they’re distributed. Both pieces of malware have extensive surveillance and data exfiltration capabilities, including access to:

  • Call logs
  • Geolocation
  • Contacts
  • SMS messages
  • Photos
  • Installed apps
  • Browser history
  • WhatsApp messages
  • Calendar

Both are also capable of:

  • Requesting admin privileges
  • Taking screenshots and photos
  • Recording audio and calls
  • Scraping WhatsApp messages and contacts

Authors

Lookout

Cloud & Endpoint Security

Lookout is a cybersecurity company that makes it possible for tens of millions of individuals, enterprises and government agencies to be both mobile and secure. Powered by a dataset of virtually all the mobile code in the world (40 million apps and counting), the Lookout Security Cloud can identify connections that would otherwise go unseen and predict and stop mobile attacks before they do harm. The world’s leading mobile network operators, including AT&T, Deutsche Telekom, EE, KDDI, Orange, Sprint, T-Mobile and Telstra, have selected Lookout as their preferred mobile security solution. Lookout is also partnered with such enterprise leaders as AirWatch, Ingram Micro, Microsoft, and MobileIron. Headquartered in San Francisco, Lookout has offices in Amsterdam, Boston, London, Sydney, Tokyo, Toronto and Washington, D.C.

Discovered By
Lookout
Entry Type
Threat Guidances
Threat Type
Malware
Threat Type
Spyware
Platform(s) Affected
Android
