Lookout Discovers Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict

by Riyaz ul Khaliq

Authors: Apurva Kumar, Kristin Del Rosso
Affiliation: Lookout
Organization/Publisher: Lookout
Date/Place: February 10, 2021/USA
Type of Literature: Report
Word Count: 2,600
Link: https://blog.lookout.com/lookout-discovers-novel-confucius-apt-android-spyware-linked-to-india-pakistan-conflict
Keywords: Pakistan, Kashmir, Security, India, Spying, Malware, elections, Android, Pakistan military, Kashmir conflict.


After a massive exposéby EU DisInfo Lab late last year regarding India’s 15-year-long anti-Pakistan and anti-Kashmir propaganda network of over 750 websites in over 100 countries, two Android-based programs have been identified as pro-India malware used for spying on the Pakistani military. This exposure by US-based company Lookout has identified that Hornbill and SunBirdare being used by an advanced persistent threat (APT) group named Confucius, which first appeared in 2013 as “a state-sponsored, pro-India actor primarily pursuing Pakistani and other South Asian targets.”Their targets had been officials linked to the Pakistani military, nuclear authorities, and Indian election officials in Indian-occupied Kashmir. It says such software has sophisticated capabilities to “exfiltrate SMS, encrypted messaging app content, and geolocation, among other types of sensitive information.”In its digital investigations, the researchers found that notable targets included an individual who applied for a position at the Pakistan Atomic Energy Commission, individuals with numerous contacts in the Pakistan Air Force as well as officers responsible for electoral rolls located in Pulwama district of Kashmir. It added that the timing and location of the snooping on election officials was significant as Pulwama had just suffered a massive suicide bombing attack in February 2019, tensions had escalated between India and Pakistan with India bombing sites within Pakistan, then the active monitoring started.“SunBird has been disguised as applications that include Security services, such as the fictional ‘Google Security Framework’, Apps tied to specific locations ‘Kashmir News’ or activities ‘Falconry Connect’ and ‘Mania Soccer’; Islam-related applications ‘Quran Majeed’,” the report said. Both malware programs are circulated as fake Android apps, but if accessed by end-user, they can access users’ call logs, contacts, images, browser history, and they take screenshots and photos with the device camera.

By: Riyaz ul Khaliq, Non-Resident CIGA Research Associate

You may also like