S1077: Hornbill
Analyst context for executives and security teams
Hornbill is an Android malware family associated in ATT&CK with Confucius and described as focused on passive reconnaissance. Its practical significance is not just “mobile spyware”; the related techniques show a device-level collection pattern that can expose contacts, call logs, notifications, location, audio/video, screenshots, local files, application data, installed software, and network/Wi-Fi details, with exfiltration over web-based command-and-control channels. For leaders, this makes unmanaged or weakly governed Android devices a potential source of business, identity, and physical-location intelligence leakage.
Executive priority
Prioritize Hornbill as a mobile security and sensitive-user risk scenario, especially where Android devices are used by executives, government-facing staff, travelers, field personnel, or staff with access to regulated or confidential communications. The decision for leadership is whether the organization can inventory Android apps, review high-risk permissions, detect suspicious outbound mobile traffic, preserve mobile evidence during incidents, and demonstrate to auditors that mobile access to sensitive data is governed. Because ATT&CK provides no official detection text for Hornbill, coverage should be validated through control and telemetry checks rather than assumed.
Technical view
Hornbill is listed for the Android platform and has relationships to techniques covering discovery, collection, evasion, device administrator abuse, file deletion, and exfiltration. SOC and IR teams should validate visibility around Android application permissions and behaviors including RECORD_AUDIO, camera access, location access, notification access, contact and call log access, MediaProjection/screen capture prompts, device administrator privileges, local/external storage access, installed-app enumeration, network/Wi-Fi discovery, and outbound HTTP/HTTPS communications. Detection engineering should focus on behavioral clustering: a single Android app requesting or using multiple sensitive permissions, mimicking legitimate names or icons, collecting local data, and communicating externally over web protocols.
Likely telemetry
- Mobile device management or enterprise mobility inventory for Android device ownership, OS version, installed applications, package names, and device administrator status
- Android application permission grants and runtime permission changes for microphone, camera, location, contacts, call logs, notification access, storage, and screen capture-related capabilities
- Mobile threat defense or endpoint telemetry for suspicious app reputation, package-name/icon impersonation, user-evasion behavior, and high-risk permission combinations
- Network telemetry from managed mobile devices or secure gateways showing outbound HTTP/HTTPS destinations, timing, volume, and unusual C2-like patterns
- Device and app logs where available for file access, local storage reads, deletion activity, installed-app enumeration, and network/Wi-Fi configuration queries
Detection direction
- Do not rely on a Hornbill-specific signature alone; ATT&CK does not provide official detection guidance for this object. Validate behavior-based coverage against the related techniques.
- Tune for combinations of sensitive Android permissions and behaviors rather than any single permission, since legitimate apps may request microphone, camera, location, contacts, or notification access for valid reasons.
- Review apps that request device administrator privileges or notification access together with collection-oriented permissions, especially if the app name, icon, or package appears to mimic a legitimate application.
- Correlate local collection indicators with outbound web protocol traffic, because the relationship set includes Exfiltration Over C2 Channel and Web Protocols.
- Account for blind spots on personally owned or unmanaged Android devices, devices not routed through enterprise network controls, and environments without mobile threat defense or MDM telemetry.
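The detection direction above, applied to telemetry, as an added example that is not code from the ATT&CK object, the Lookout analysis, or Glexia: the script scores each app in a constructed MDM/MTD inventory export against the permission, device-administrator, notification-listener, accessibility-service and impersonation indicators in the list, correlates the result with outbound HTTP POST traffic from constructed gateway log lines, and flags the fixed-interval upload cadence that the relationship set attributes to T1628.002. The field names, the host allowlist and the label-to-official-package list are assumptions to replace with local data.

```python
"""Behavioral clustering for a Hornbill-style Android collection implant.
Added example, not code from the ATT&CK object or the Lookout report. The
inventory export and gateway log below are constructed; field names, the
host allowlist and the official-package list are assumptions."""
from collections import defaultdict
from datetime import datetime

# Android permissions mapped to the collection techniques on this page.
SENSITIVE_PERMISSIONS = {
    "android.permission.RECORD_AUDIO": "T1429", "android.permission.CAMERA": "T1512",
    "android.permission.ACCESS_FINE_LOCATION": "T1430", "android.permission.READ_CONTACTS": "T1636.003",
    "android.permission.READ_CALL_LOG": "T1636.002", "android.permission.READ_EXTERNAL_STORAGE": "T1533",
}
# App label -> official package (hypothetical list); same label, other package = T1655.001.
OFFICIAL_PACKAGES = {"whatsapp": "com.whatsapp"}
# Host suffixes managed devices are expected to POST to (assumption).
ALLOWED_HOST_SUFFIXES = ("whatsapp.net", "mdm.example.com")
P = "android.permission."
INVENTORY = [  # constructed MDM/MTD export: one record per third-party app
    {"device": "dev-42", "package": "com.whatsapp", "label": "WhatsApp", "device_admin": False,
     "notification_listener": False, "accessibility_service": False,
     "permissions": [P + "RECORD_AUDIO", P + "CAMERA", P + "READ_CONTACTS", P + "ACCESS_FINE_LOCATION"]},
    {"device": "dev-42", "package": "com.fruit.chat", "label": "Fruit Chat", "device_admin": True,
     "notification_listener": True, "accessibility_service": True,
     "permissions": [P + "RECORD_AUDIO", P + "CAMERA", P + "READ_CONTACTS", P + "READ_CALL_LOG",
                     P + "ACCESS_FINE_LOCATION", P + "READ_EXTERNAL_STORAGE"]},
    {"device": "dev-42", "package": "com.example.whats", "label": "WhatsApp", "device_admin": False,
     "notification_listener": True, "accessibility_service": False, "permissions": [P + "READ_CONTACTS"]},
]
GATEWAY_LOG = """\
2024-03-01T01:00:05+00:00 dev-42 com.fruit.chat POST upload.example-cdn.net 184320
2024-03-01T07:00:09+00:00 dev-42 com.fruit.chat POST upload.example-cdn.net 91002
2024-03-01T13:00:11+00:00 dev-42 com.fruit.chat POST upload.example-cdn.net 20488
2024-03-01T08:12:00+00:00 dev-42 com.whatsapp POST mmg.whatsapp.net 512
2024-03-01T09:00:00+00:00 dev-42 com.whatsapp GET static.whatsapp.net 2048
"""  # constructed gateway log: timestamp device package method host bytes


def parse_gateway_log(text):
    """Group outbound POSTs by (device, package): hosts, timestamps, bytes."""
    posts = defaultdict(lambda: {"hosts": set(), "times": [], "bytes": 0})
    for line in text.splitlines():
        ts, device, pkg, method, host, size = line.split()
        if method == "POST":
            rec = posts[(device, pkg)]
            rec["hosts"].add(host)
            rec["times"].append(datetime.fromisoformat(ts))
            rec["bytes"] += int(size)
    return posts


def is_periodic(times, min_gap_s=3600, tolerance=0.05):
    """>=3 POSTs at a near-constant interval of at least min_gap_s: the
    infrequent scheduled-upload pattern (T1628.002)."""
    if len(times) < 3:
        return False
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = sum(gaps) / len(gaps)
    return mean >= min_gap_s and all(abs(g - mean) <= tolerance * mean for g in gaps)


def score_app(app, posts):
    """Return the reasons this app matches the Hornbill behavioral cluster."""
    reasons = []
    hits = sorted(SENSITIVE_PERMISSIONS[p] for p in app["permissions"] if p in SENSITIVE_PERMISSIONS)
    if len(hits) >= 3:  # one sensitive permission is normal; three or more is the cluster
        reasons.append(f"collection permissions ({len(hits)}): {' '.join(hits)}")
    if app["device_admin"]:
        reasons.append("device administrator granted (T1626.001)")
    if app["notification_listener"]:
        reasons.append("notification listener enabled (T1517)")
    if app["accessibility_service"]:
        reasons.append("accessibility service enabled (T1513 scraping)")
    official = OFFICIAL_PACKAGES.get(app["label"].lower())
    if official and official != app["package"]:
        reasons.append(f"label {app['label']!r} but package {app['package']} (T1655.001)")
    net = posts.get((app["device"], app["package"]))
    if net:
        unknown = sorted(h for h in net["hosts"] if not h.endswith(ALLOWED_HOST_SUFFIXES))
        if unknown:
            reasons.append(f"HTTP POST {net['bytes']} bytes to {unknown} (T1437.001/T1646)")
        if is_periodic(net["times"]):
            reasons.append("fixed-interval upload schedule (T1628.002)")
    return reasons


def verdict(reasons):
    """Escalate only when local collection and outbound web traffic co-occur."""
    local = any(r.startswith(("collection", "notification", "accessibility")) for r in reasons)
    net = any(r.startswith("HTTP POST") for r in reasons)
    if local and net:
        return "investigate"
    return "review" if len(reasons) >= 2 else "ok"


def triage(inventory, log_text):
    """Map 'device:package' -> (verdict, reasons) for every inventory record."""
    posts = parse_gateway_log(log_text)
    return {f"{a['device']}:{a['package']}": (verdict(r), r)
            for a in inventory for r in [score_app(a, posts)]}


if __name__ == "__main__":
    for key, (v, reasons) in triage(INVENTORY, GATEWAY_LOG).items():
        print(f"{v:12}{key}", *reasons, sep="\n   - ")
```

On the constructed input the genuine WhatsApp package scores "ok" even though it holds four sensitive permissions, because nothing else in the cluster is present; the app whose label mimics WhatsApp under a different package scores "review"; and the chat-themed app that combines six collection permissions, device administrator, notification and accessibility access with evenly spaced POSTs to a host outside the allowlist scores "investigate". That split is the point of tuning on combinations and on correlation with outbound traffic rather than on any single permission.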
Mitigation priorities
- Establish or verify Android device inventory and ownership for users handling sensitive communications or data.
- Enforce mobile application governance: restrict unknown or untrusted app sources, review high-risk permissions, and remove apps that mimic legitimate brands or request unjustified access.
- Limit and monitor device administrator privileges, notification access, background location access, microphone/camera access, contacts, call logs, and storage permissions according to business need.
- Route managed mobile traffic through monitored controls where feasible and retain network evidence sufficient to investigate suspicious HTTP/HTTPS exfiltration patterns.
- Prepare mobile incident response procedures for evidence preservation, app triage, user interview, device isolation, and credential/session review when a mobile collection implant is suspected.
Analyst notes and limits
The ATT&CK object describes Hornbill as one of two mobile malware families known to be used by Confucius and notes analysis suggesting activity beginning in early 2018. The relationship set is more operationally useful than the short malware description: it maps Hornbill to Android-focused discovery, collection, evasion, privilege, deletion, and exfiltration behaviors. The most important defensive question is whether mobile telemetry is sufficient to connect sensitive permission use, local data access, impersonation, and outbound communications into one investigation story.
Official ATT&CK detection text is not provided, tactics are not specified in the supplied object, and the description depends on a cited external analysis. This analysis does not assert current exploitation, customer exposure, or guaranteed detection. Local app inventory, mobile telemetry, user population, device management status, and network visibility are required to assess actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1422 | System Network Configuration Discovery | Hornbill can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled. [1] |
| Mobile | T1636.003 | Protected User Data: Contact List | Hornbill can collect device contacts. [1] |
| Mobile | T1630.002 | Indicator Removal on Host: File Deletion | Hornbill can delete locally gathered files after uploading them to the C2 to avoid suspicion. [1] |
| Mobile | T1628.002 | Hide Artifacts: User Evasion | Hornbill uses an infrequent data upload schedule to avoid user detection and battery drain. It can also delete on-device data after it has been sent to the C2, and stores collected data in hidden folders on external storage. [1] |
| Mobile | T1655.001 | Masquerading: Match Legitimate Name or Location | Hornbill has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat. [1] |
| Mobile | T1429 | Audio Capture | Hornbill can record environmental and call audio. [1] |
| Mobile | T1437.001 | Application Layer Protocol: Web Protocols | Hornbill can use HTTP and HTTP POST to communicate information to the C2. [1] |
| Mobile | T1426 | System Information Discovery | Hornbill can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and whether the screen is locked. [1] |
| Mobile | T1430 | Location Tracking | (no mirrored relationship text) |
| Mobile | T1646 | Exfiltration Over C2 Channel | Hornbill can exfiltrate data back to the C2 server using HTTP. [1] |
| Mobile | T1517 | Access Notifications | Hornbill has monitored for SMS and WhatsApp notifications. [1] |
| Mobile | T1420 | File and Directory Discovery | Hornbill has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types. [1] |
| Mobile | T1418 | Software Discovery | Hornbill can search for installed applications such as WhatsApp. [1] |
| Mobile | T1409 | Stored Application Data | Hornbill can collect voice notes and messages from WhatsApp, if installed. [1] |
| Mobile | T1513 | Screen Capture | Hornbill can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications. [1] |
| Mobile | T1533 | Data from Local System | Hornbill can access images stored on external storage. [1] |
| Mobile | T1636.002 | Protected User Data: Call Log | Hornbill can gather device call logs. [1] |
| Mobile | T1422.001 | System Network Configuration Discovery: Internet Connection Discovery | Hornbill can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled. [1] |
| Mobile | T1626.001 | Abuse Elevation Control Mechanism: Device Administrator Permissions | Hornbill can request device administrator privileges. [1] |
| Mobile | T1422.002 | System Network Configuration Discovery: Wi-Fi Discovery | Hornbill can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled. [1] |
| Mobile | T1512 | Video Capture | Hornbill can access a device's camera and take photos. [1] |
Groups, software, and campaigns
G0142: Confucius
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the mirrored snapshot. When multiple ATT&CK source imports are retained, the table compares the same object across releases by object version, MITRE modification timestamp, and raw object hash. For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | da3a872bdef2… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] lookout_hornbill_sunbird_0221: Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
[2] mitre-attack: MITRE ATT&CK, S1077 Hornbill.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.