Malware SunBird and Hornbill

Cybersecurity experts at a threat intelligence firm have recently discovered two new Android spyware strains named Hornbill and SunBird. Both are related to a pro-India advanced persistent threat (APT) group.

The experts affirmed that these two malware strains have been linked to Confucius, a group first detected in 2013 as a state-sponsored, pro-India actor that primarily targeted Pakistani and other South Asian users.


The discovery of SunBird and Hornbill indicates that Confucius may have been spying on mobile users for up to a year before it began using ChatSpy.

The cybersecurity researchers asserted that Hornbill is based on MobileSpy, a commercial stalkerware app used for remotely controlling Android devices, but Hornbill was later deactivated in 2018.

SunBird's codebase is closely related to BuzzOut, another spyware product that was developed in India. SunBird also includes Remote Access Trojan (RAT) functionality that allows additional malware to be deployed and the device to be hijacked remotely.

Abilities of SunBird and Hornbill

SunBird and Hornbill can exfiltrate a wide range of data:

  • Geolocation
  • Contacts
  • Device metadata including phone number, IMEI/Android ID, Model and Manufacturer, and Android version
  • Images stored on external storage
  • Call Logs
  • WhatsApp voice notes, if WhatsApp is installed

Both Hornbill and SunBird also perform the following actions:

  • Request device manager privileges.
  • Scrape WhatsApp notifications through accessibility services.
  • Take screenshots, capturing whatever a victim is currently seeing on their device.
  • Record environment and call audio.
  • Take photos with the device camera.
  • Scrape WhatsApp messages and contacts through accessibility services.
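
A defender-side triage sketch for the capabilities listed above, added here as an example and not taken from the original report: it reads a decoded AndroidManifest.xml (for instance, as produced by apktool) and flags apps that pair accessibility or device administrator bindings with several of the listed data sources. The capability-to-permission mapping, the threshold, and the sample manifest are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
# Capability from the lists above -> permission that gates it (mapping is an assumption)
DATA_PERMISSIONS = {
    "geolocation": {"android.permission.ACCESS_FINE_LOCATION",
                    "android.permission.ACCESS_COARSE_LOCATION"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "device metadata": {"android.permission.READ_PHONE_STATE"},
    "external storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "call logs": {"android.permission.READ_CALL_LOG"},
    "audio recording": {"android.permission.RECORD_AUDIO"},
    "camera": {"android.permission.CAMERA"},
}
# Components protected by these permissions expose the two privileged behaviours
PRIVILEGED_BINDINGS = {
    "device admin": "android.permission.BIND_DEVICE_ADMIN",
    "accessibility service": "android.permission.BIND_ACCESSIBILITY_SERVICE",
}

def audit_manifest(xml_text):
    """Return the set of capability names a decoded manifest declares."""
    root = ET.fromstring(xml_text)
    requested = {e.get(ANDROID_NS + "name") for e in root.iter("uses-permission")}
    findings = {cap for cap, perms in DATA_PERMISSIONS.items() if perms & requested}
    for comp in root.iter():
        if comp.tag in ("service", "receiver"):
            bound = comp.get(ANDROID_NS + "permission")
            findings |= {c for c, p in PRIVILEGED_BINDINGS.items() if p == bound}
    return findings

def is_suspicious(findings, min_data_sources=3):
    """Heuristic: a privileged binding plus several data sources warrants review."""
    privileged = findings & set(PRIVILEGED_BINDINGS)
    data_sources = findings - set(PRIVILEGED_BINDINGS)
    return bool(privileged) and len(data_sources) >= min_data_sources

# Constructed sample manifest for a hypothetical "chat" app (not from a real sample)
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <application>
    <service android:name=".Svc" android:permission="android.permission.BIND_ACCESSIBILITY_SERVICE"/>
    <receiver android:name=".Adm" android:permission="android.permission.BIND_DEVICE_ADMIN"/>
  </application>
</manifest>"""

if __name__ == "__main__":
    found = audit_manifest(SAMPLE_MANIFEST)
    print(sorted(found), "suspicious:", is_suspicious(found))
```

A match is a prompt for manual review, not a verdict: legitimate apps can hold the same permissions, so the heuristic is most useful for apps whose stated purpose does not need them.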


The experts investigated over 18GB of exfiltrated data that was publicly exposed on at least six insecurely configured C2 servers. The data on the C2 servers included the locale of the infected devices.

The data obtained from the C2 servers helped the experts understand who the victims are and what kind of data the threat actors are looking for.

In addition, the report states that 156 victims were found in this new dataset, which also included phone numbers from India, Pakistan, and Kazakhstan.

Development and Commercial Surveillance Roots of the Malware

Both Hornbill and SunBird appear to be evolved versions of commercial Android surveillance tooling.

It is still unclear how the developers of Hornbill obtained the code, though the company behind MobileSpy, Retina-X Studios, shut down its surveillance software in May 2018 after being hacked twice in succession.

Analysis of SunBird indicates that it appears to have been built by Indian developers who also created another commercial spyware product, dubbed BuzzOut.

Confucius Connection

The experts noted that Hornbill samples often impersonate chat applications such as Fruit Chat, Cucu Chat, and Kako Chat. The Confucius group is well known for impersonating legitimate services to disguise its tracks and confuse its victims.

During the investigation, the experts discovered that Hornbill C2 infrastructure served HTML resources consistent with a commercial spyware page, but the image resources were missing.

The experts stated that they are confident that SunBird and Hornbill are two tools used by the same threat actor, possibly for different surveillance purposes.


Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.