1. Home
  2. Software
  3. Sunbird

Sunbird

Sunbird is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Sunbird was first active in early 2017. While Sunbird and Hornbill overlap in core capabilities, Sunbird has a more extensive set of malicious features.[1]

ID: S1082
Type: MALWARE
Platforms: Android
Version: 1.0
Created: 04 August 2023
Last Modified: 07 October 2023
Mobile Layer
download view

Techniques Used

Domain ID Name Use
Mobile T1626 .001 Abuse Elevation Control Mechanism: Device Administrator Permissions

Sunbird can request device administrator privileges. [1]
Mobile T1532 Archive Collected Data

Sunbird can exfiltrate collected data as a ZIP file.[1]
Mobile T1429 Audio Capture

Sunbird can record environmental and call audio.[1]
Mobile T1623 .001 Command and Scripting Interpreter: Unix Shell

Sunbird can try to run arbitrary commands as root.[1]
Mobile T1533 Data from Local System

Sunbird can access images stored on external storage.[1]
Mobile T1646 Exfiltration Over C2 Channel

Sunbird can exfiltrate compressed ZIP files containing gathered info to C2 infrastructure.[1]
Mobile T1544 Ingress Tool Transfer

Sunbird can download adversary specified content from FTP shares.[1]
Mobile T1430 Location Tracking

Sunbird can access a device’s location.[1]
Mobile T1636 .001 Protected User Data: Calendar Entries

Sunbird can exfiltrate calendar information.[1]
.002 Protected User Data: Call Log

Sunbird can exfiltrate call logs.[1]
.003 Protected User Data: Contact List

Sunbird can exfiltrate a device's contacts.[1]
Mobile T1513 Screen Capture

Sunbird can take screenshots and abuse accessibility services to scrape BlackBerry Messenger and WhatsApp messages, contacts, and notifications[1]
Mobile T1418 Software Discovery

Sunbird can exfiltrate a list of installed applications.[1]
Mobile T1409 Stored Application Data

Sunbird can exfiltrate browser history, BlackBerry Messenger files, IMO instant messaging content, and WhatsApp voice notes.[1]
Mobile T1426 System Information Discovery

Sunbird can exfiltrate the victim device ID, model, manufacturer, and Android version.[1]
Mobile T1422 System Network Configuration Discovery

Sunbird can exfiltrate phone number and IMEI.[1]
Mobile T1512 Video Capture

Sunbird can access a device’s camera and take photos.[1]

Groups That Use This Software

ID Name References
G0142 Confucius

[1]

References

  1. Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.