Rewterz

Rewterz Threat Alert – Confucius APT Group Linked to Android Spyware

Severity

High

Analysis Summary

Two variants of Android spyware used in pro-India, state-sponsored hacking campaigns have been discovered. Hornbill and SunBird have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties. Active since 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted attacks against Pakistani military personnel, Indian election officials, and nuclear agencies.

Mobile apps containing the malware appear to be hosted outside of Google Play and are offered as software packages including the fake “Google Security Framework,” local news aggregators, Islam-related apps, and sports software. According to Lookout, the majority of these malicious apps appear to target the Muslim population.

Impact

  • Spyware
  • Exposure of sensitive data 
  • Information theft and espionage 

Indicators of Compromise

Filename

falconry-connect_2[.]0[.]apk

MD5

91df5d08f8732362f8620e793bfba109

SHA-256

f615bb459a91d76ee8a56661666fc450297dd9f9736dbe5b3efda7fb2f2ade70

SHA-1

1b5f4850a5b7eea0f69f44c71f6b10041952cd32

Remediation

  • Block all threat indicators at your respective controls.
  • Search for IOCs in your environment.
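The following script is an added example of the second remediation step and is not Rewterz's or Lookout's code. It refangs the defanged filename from this alert, hashes every file under a directory (MD5, SHA-1 and SHA-256 in one pass) and reports hash matches separately from filename-only matches, since a repacked APK keeps its name but not its hashes. The directory layout and file contents in `demo()` are constructed for the demonstration; the placeholder's own SHA-256 is added to the watch list only so that the hash-match path is exercised without the real sample.

```python
"""Scan a directory for the IOCs listed in this alert.

Added example (not Rewterz's code). The alert's indicators are embedded
below; everything written to disk by demo() is constructed sample data.
"""
import hashlib
import os
import tempfile

# Indicators taken from the alert (filename kept defanged as published).
IOC_FILENAME_DEFANGED = "falconry-connect_2[.]0[.]apk"
IOC_HASHES = {
    "md5": "91df5d08f8732362f8620e793bfba109",
    "sha1": "1b5f4850a5b7eea0f69f44c71f6b10041952cd32",
    "sha256": "f615bb459a91d76ee8a56661666fc450297dd9f9736dbe5b3efda7fb2f2ade70",
}


def refang(indicator: str) -> str:
    """Undo the '[.]' defanging so the indicator can be matched literally."""
    return indicator.replace("[.]", ".")


def hash_file(path: str) -> dict:
    """Compute MD5, SHA-1 and SHA-256 of a file in one chunked pass."""
    hashers = {"md5": hashlib.md5(), "sha1": hashlib.sha1(), "sha256": hashlib.sha256()}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def scan_directory(root: str, hashes=None) -> list:
    """Return (path, reason) for every file matching an IOC.

    A hash match is a high-confidence hit. A filename match alone is only a
    lead to triage: the attacker can rename or repack the package freely.
    `hashes` defaults to the alert's digests; pass your own set to extend it.
    """
    wanted = {h.lower() for h in (hashes or IOC_HASHES.values())}
    target_name = refang(IOC_FILENAME_DEFANGED).lower()
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            digests = hash_file(path)
            matched = [algo for algo, d in digests.items() if d in wanted]
            if matched:
                hits.append((path, "hash match: " + ", ".join(sorted(matched))))
            elif name.lower() == target_name:
                hits.append((path, "filename match only (hash differs)"))
    return hits


def demo() -> list:
    """Scan a constructed sample tree; returns sorted (basename, reason) pairs."""
    with tempfile.TemporaryDirectory() as root:
        # Constructed files: none of these is the real Hornbill/SunBird APK.
        placeholder = os.path.join(root, "downloads", "update.apk")
        os.makedirs(os.path.dirname(placeholder))
        with open(placeholder, "wb") as fh:
            fh.write(b"PK\x03\x04 constructed placeholder, not the real sample\n")
        with open(os.path.join(root, "falconry-connect_2.0.apk"), "wb") as fh:
            fh.write(b"PK\x03\x04 different constructed content, same filename\n")
        with open(os.path.join(root, "notes.txt"), "wb") as fh:
            fh.write(b"nothing to see here\n")
        # The placeholder's own SHA-256 is added purely to exercise the
        # hash-match path; in production use only the alert's IOC_HASHES.
        watch = set(IOC_HASHES.values()) | {hash_file(placeholder)["sha256"]}
        return sorted((os.path.basename(p), r) for p, r in scan_directory(root, watch))


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

Point `scan_directory()` at a mounted device backup, an MDM export or a download share; a hash hit warrants blocking and incident handling, while a filename-only hit should be pulled for sandbox or static analysis before acting on it.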