
S1077 Hornbill

Hornbill is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Hornbill was first active in early 2018. While Hornbill and Sunbird overlap in core capabilities, Hornbill has tools and behaviors suggesting more passive reconnaissance.[1]

| Item | Value |
|---|---|
| ID | S1077 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.0 |
| Created | 09 June 2023 |
| Last Modified | 07 October 2023 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| mobile | T1626 | Abuse Elevation Control Mechanism | - |
| mobile | T1626.001 | Device Administrator Permissions | Hornbill can request device administrator privileges.[1] |
| mobile | T1517 | Access Notifications | Hornbill has monitored for SMS and WhatsApp notifications.[1] |
| mobile | T1437 | Application Layer Protocol | - |
| mobile | T1437.001 | Web Protocols | Hornbill can use HTTP and HTTP POST to communicate information to the C2.[1] |
| mobile | T1429 | Audio Capture | Hornbill can record environmental and call audio.[1] |
| mobile | T1533 | Data from Local System | Hornbill can access images stored on external storage.[1] |
| mobile | T1646 | Exfiltration Over C2 Channel | Hornbill can exfiltrate data back to the C2 server using HTTP.[1] |
| mobile | T1420 | File and Directory Discovery | Hornbill has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.[1] |
| mobile | T1628 | Hide Artifacts | - |
| mobile | T1628.002 | User Evasion | Hornbill uses an infrequent data upload schedule to avoid user detection and battery drain. It can also delete on-device data after it has been sent to the C2, and stores collected data in hidden folders on external storage.[1] |
| mobile | T1630 | Indicator Removal on Host | - |
| mobile | T1630.002 | File Deletion | Hornbill can delete locally gathered files after uploading them to the C2 to avoid suspicion.[1] |
| mobile | T1430 | Location Tracking | Hornbill can access a device's location and check if GPS is enabled. Hornbill has logic to only log location changes greater than 70 meters.[1] |
| mobile | T1655 | Masquerading | - |
| mobile | T1655.001 | Match Legitimate Name or Location | Hornbill has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.[1] |
| mobile | T1636 | Protected User Data | - |
| mobile | T1636.002 | Call Log | Hornbill can gather device call logs.[1] |
| mobile | T1636.003 | Contact List | Hornbill can collect device contacts.[1] |
| mobile | T1513 | Screen Capture | Hornbill can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications.[1] |
| mobile | T1418 | Software Discovery | Hornbill can search for installed applications such as WhatsApp.[1] |
| mobile | T1409 | Stored Application Data | Hornbill can collect voice notes and messages from WhatsApp, if installed.[1] |
| mobile | T1426 | System Information Discovery | Hornbill can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and whether the screen is locked.[1] |
| mobile | T1422 | System Network Configuration Discovery | Hornbill can collect a device's phone number and IMEI, and can check whether Wi-Fi is enabled.[1] |
| mobile | T1422.001 | Internet Connection Discovery | Hornbill can collect a device's phone number and IMEI, and can check whether Wi-Fi is enabled.[1] |
| mobile | T1422.002 | Wi-Fi Discovery | Hornbill can collect a device's phone number and IMEI, and can check whether Wi-Fi is enabled.[1] |
| mobile | T1512 | Video Capture | Hornbill can access a device's camera and take photos.[1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0142 | Confucius | [1] |

References