Pro-India hackers use Android spyware to spy on Pakistani military
The apps used by the group contain advanced capabilities including taking photos from the camera, requesting elevated privileges, scraping WhatsApp messages, and uploading all this information to the servers of the APT group.
Spies on Pakistan’s military, nuclear facilities via fake apps
A report from California-based cybersecurity firm Lookout has revealed counterfeit Android apps laden with malware that was used by pro-India actors to spy on Pakistan’s military and nuclear authorities, in addition to Kashmir’s election officials.
Counterfeit Android apps published by the group as part of this espionage operation include “Google Security Framework,” as well as apps of regional significance such as “Kashmir News”, “Falconry Connect”, “Mania Soccer” and “Quran Majeed”.
According to Lookout researchers Apurva Kumar and Kristin Del Rosso, the apps associated with SunBird have a more extensive set of capabilities than Hornbill and keep running their data exfiltration sequence at regular intervals.
“Locally on the infected device, the data is collected in SQLite databases which are then compressed into ZIP files as they are uploaded to C2 infrastructure,” state the researchers.
The following kinds of data are gathered by SunBird and sent to the threat actors:
- List of installed applications
- Browser history
- Calendar information
- BlackBerry Messenger (BBM) audio files, documents and images
- WhatsApp audio files, documents, databases, voice notes and images
- Content sent and received via IMO instant messaging application
Apps powered by SunBird can also perform the following actions:
- Download attacker-specified content from FTP shares
- Run arbitrary commands as root, if possible
- Scrape BBM messages and contacts via accessibility services
- Scrape BBM notifications via accessibility services
The researchers analyzed over 18 GB of exfiltrated data obtained from six or more publicly exposed C2 servers.
This leaked data revealed that the nation-state actors' targets included potential candidates for the Pakistan Atomic Energy Commission, individuals with close links to the Pakistan Air Force (PAF), and the election officers who oversee the electoral process within the Pulwama district of Kashmir.
©Source : bleepingcomputer.com