Two variants of Android spyware connected to pro-India, state-sponsored hacking campaigns have been discovered. Hornbill and SunBird, have been linked to Confucius, an advanced persistent threat (APT) group thought to be state-sponsored and to have pro-India ties. First detected in 2013, Confucius has been linked to attacks against government entities in Southeast Asia, as well as targeted strikes against Pakistani military personnel, Indian election officials, and nuclear agencies.
Mobile apps containing the malware appear to be hosted outside of Google Play and are offered as software packages including the fake “Google Security Framework,” local news aggregators, Islam-related apps, and sports software. According to Lookout, the majority of these malicious apps appear to target the Muslim population.