S1082: Sunbird
Analyst context for executives and security teams
Sunbird matters because it represents Android spyware behavior with a broad collection profile: device discovery, local and application data access, contact/calendar/call log collection, location tracking, audio/video/screen capture, archiving, tool transfer, shell execution, device administrator abuse, and exfiltration over a command-and-control channel. For leaders, the practical issue is not just “malware on a phone”; it is whether mobile devices used by executives, field staff, government-facing teams, or sensitive operations can leak communications, location, media, and business context without the same visibility applied to endpoints.
Executive priority
Prioritize Sunbird as a mobile security and incident-readiness validation case for Android environments handling sensitive communications or personnel movement. The ATT&CK relationship to Confucius, a group described as targeting military personnel, high-profile personalities, business persons, and government organizations in South Asia, makes this especially relevant for travel risk, executive protection, government engagement, and bring-your-own-device governance. Executives should ask whether mobile telemetry, app permission governance, device administrator monitoring, and incident response procedures are mature enough to prove what data a compromised Android device could expose.
Technical view
SOC, detection engineering, and IR teams should map Sunbird coverage across its ATT&CK relationships rather than relying on a single malware signature. Validate Android visibility for suspicious use of sensitive permissions and APIs associated with stored application data, installed application enumeration, system and network discovery, microphone, camera, screen capture, location, calendar, call log, contacts, local file access, archive creation, inbound tool/file transfer, Unix shell use, device administrator permission abuse, and C2-based exfiltration. Because ATT&CK provides no official detection text for this object and no tactics are specified, teams should build coverage around the related techniques and local mobile device management, mobile threat defense, network, and incident-response evidence sources.
Likely telemetry
- Android application inventory and package metadata
- Application permission requests and grants, especially microphone, camera, location, contacts, calendar, call log, storage, screen capture, and device administrator privileges
- Mobile device management or enterprise mobility management compliance state
- Mobile threat defense alerts and behavioral findings
- Android device logs where available, including app install/update/removal and administrative privilege changes
Detection direction
- Start with permission and behavior correlation: sensitive permission use becomes more material when paired with discovery, local data access, archiving, or unusual outbound communications.
- Tune for context, because many permissions such as contacts, calendar, location, microphone, and camera can be legitimate for business apps; prioritize unexpected apps, sideloaded apps, rarely used apps, or apps inconsistent with business function.
- Validate monitoring for Android device administrator permission changes, as this relationship can affect removal difficulty and device control.
- Check whether mobile network telemetry can associate traffic with device and application identity; without that linkage, C2-channel exfiltration may be difficult to investigate.
- Confirm whether screen capture and MediaProjection-style activity are visible in the managed fleet; this is a common blind spot compared with traditional endpoint monitoring.
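The correlation described above can be expressed as a simple triage rule over per-app telemetry. The following is an added example written for this page, not code from the page, from Lookout, or from ATT&CK. The record format (the AppRecord fields, the behaviour vocabulary, and the trusted-installer list) is an assumption standing in for whatever your MDM or MTD export actually provides; the sample inventory is constructed.

```python
"""Correlate Android app permissions with discovery, archiving and outbound
behaviour so that sensitive permissions alone do not page the SOC.

Added example for this page; not from the page, Lookout or ATT&CK. The
record schema below is an assumption, and SAMPLE_APPS is constructed data.
"""
from dataclasses import dataclass, field
from typing import List, Set

# Permissions the page's detection direction singles out as sensitive.
SENSITIVE_PERMISSIONS = {
    "RECORD_AUDIO", "CAMERA", "ACCESS_FINE_LOCATION", "READ_CONTACTS",
    "READ_CALENDAR", "READ_CALL_LOG", "READ_EXTERNAL_STORAGE",
    "BIND_DEVICE_ADMIN", "BIND_ACCESSIBILITY_SERVICE",
}

# Behaviours that make sensitive-permission use more material when paired.
PAIRING_BEHAVIORS = {
    "enumerated_installed_apps", "read_external_storage_images",
    "created_archive", "outbound_to_unlisted_host", "screen_capture",
}

# Installer packages treated as trusted store sources (assumption).
TRUSTED_INSTALLERS = {"com.android.vending"}


@dataclass
class AppRecord:
    package: str
    installer: str                 # package that installed the app, "" if unknown
    permissions: Set[str]
    device_admin: bool
    behaviors: Set[str] = field(default_factory=set)
    business_approved: bool = False


@dataclass
class Finding:
    package: str
    score: int
    reasons: List[str]


def score_app(app: AppRecord) -> Finding:
    reasons: List[str] = []
    score = 0
    sensitive = app.permissions & SENSITIVE_PERMISSIONS
    paired = app.behaviors & PAIRING_BEHAVIORS
    # Sensitive permissions are weak evidence on their own; count them only
    # when at least one pairing behaviour was observed for the same app.
    if sensitive and paired:
        score += len(sensitive) + 2 * len(paired)
        reasons.append(f"sensitive {sorted(sensitive)} paired with {sorted(paired)}")
    # Device administrator status affects removal difficulty and device control.
    if app.device_admin:
        score += 3
        reasons.append("holds device administrator")
    # Sideloaded or unknown-installer apps carry extra weight.
    if app.installer not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append(f"installer {app.installer or 'unknown'} is not a trusted store")
    # Business-approved apps legitimately use many of these permissions.
    if app.business_approved:
        score = max(0, score - 4)
        reasons.append("business-approved: score reduced")
    return Finding(app.package, score, reasons)


def triage(apps: List[AppRecord], threshold: int = 6) -> List[Finding]:
    """Return findings at or above the threshold, highest score first."""
    findings = [score_app(a) for a in apps]
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


# Constructed sample inventory (not real packages or real observations).
SAMPLE_APPS = [
    AppRecord("com.example.crm", "com.android.vending",
              {"READ_CONTACTS", "READ_CALENDAR", "ACCESS_FINE_LOCATION"},
              False, {"outbound_to_unlisted_host"}, business_approved=True),
    AppRecord("com.example.sysupdate", "",
              {"RECORD_AUDIO", "CAMERA", "READ_CALL_LOG", "READ_CONTACTS",
               "READ_EXTERNAL_STORAGE", "BIND_DEVICE_ADMIN"},
              True, {"enumerated_installed_apps", "created_archive",
                     "outbound_to_unlisted_host", "screen_capture"}),
    AppRecord("com.example.flashlight", "com.android.vending",
              {"CAMERA"}, False, set()),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_APPS):
        print(f.package, f.score, "; ".join(f.reasons))
```

The weights are deliberately simple; what matters is the shape of the rule: permissions only score when paired with observed behaviour, device administrator and unknown installers add weight, and approved business apps are down-weighted instead of suppressed so a compromised approved app can still surface if enough behaviour accumulates.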
Mitigation priorities
- Inventory Android devices and define which populations require managed mobile controls, especially executives, travelers, and users handling sensitive communications.
- Enforce application governance: restrict untrusted app sources where appropriate, review installed applications, and remove apps inconsistent with business need.
- Apply least-privilege permission practices for mobile apps, with special scrutiny on microphone, camera, location, contacts, calendar, call log, storage, screen capture, and device administrator permissions.
- Use mobile device management or equivalent controls to maintain patch posture, enforce compliance, and support rapid containment or wipe decisions when policy allows.
- Prepare IR playbooks for suspected Android spyware that include preservation limits, device isolation, account/token review, and assessment of exposed contacts, messages, files, location, and media.
Analyst notes and limits
This take is based on ATT&CK software S1082 Sunbird, its official description, the Lookout external reference cited by ATT&CK, and the supplied relationships. ATT&CK states Sunbird is one of two mobile malware families known to be used by Confucius and that analysis suggests activity began in early 2017. The relationship set indicates extensive Android-relevant collection, discovery, execution, privilege, staging, transfer, and exfiltration behaviors.
ATT&CK provides no official detection guidance, no tactics for this object in the supplied fields, and no aliases or labels. This summary does not assess current activity, customer exposure, specific indicators, or guaranteed detection. Local device management architecture, Android version mix, app inventory, telemetry access, and legal/privacy constraints will determine what can actually be monitored or investigated.
Sunbird
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1422 | System Network Configuration Discovery | Sunbird can exfiltrate phone number and IMEI. [1] |
| Mobile | T1623.001 | Unix Shell Sub-technique | Sunbird can try to run arbitrary commands as root. [1] |
| Mobile | T1429 | Audio Capture | Sunbird can record environmental and call audio. [1] |
| Mobile | T1513 | Screen Capture | Sunbird can take screenshots and abuse accessibility services to scrape BlackBerry Messenger and WhatsApp messages, contacts, and notifications. [1] |
| Mobile | T1626.001 | Device Administrator Permissions Sub-technique | Sunbird can request device administrator privileges. [1] |
| Mobile | T1533 | Data from Local System | Sunbird can access images stored on external storage. [1] |
| Mobile | T1426 | System Information Discovery | Sunbird can exfiltrate the victim device ID, model, manufacturer, and Android version. [1] |
| Mobile | T1430 | Location Tracking | Sunbird can access a device’s location. [1] |
| Mobile | T1636.002 | Call Log Sub-technique | Sunbird can exfiltrate call logs. [1] |
| Mobile | T1636.003 | Contact List Sub-technique | Sunbird can exfiltrate a device's contacts. [1] |
| Mobile | T1544 | Ingress Tool Transfer | Sunbird can download adversary-specified content from FTP shares. [1] |
| Mobile | T1409 | Stored Application Data | Sunbird can exfiltrate browser history, BlackBerry Messenger files, IMO instant messaging content, and WhatsApp voice notes. [1] |
| Mobile | T1418 | Software Discovery | Sunbird can exfiltrate a list of installed applications. [1] |
| Mobile | T1646 | Exfiltration Over C2 Channel | Sunbird can exfiltrate compressed ZIP files containing gathered info to C2 infrastructure. [1] |
| Mobile | T1532 | Archive Collected Data | Sunbird can exfiltrate collected data as a ZIP file. [1] |
| Mobile | T1512 | Video Capture | Sunbird can access a device’s camera and take photos. [1] |
| Mobile | T1636.001 | Calendar Entries Sub-technique | Sunbird can exfiltrate calendar information. [1] |
Groups, software, and campaigns
G0142: Confucius
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 31b6e569557f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] lookout_hornbill_sunbird_0221: Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
- [2] mitre-attack S1082: MITRE ATT&CK software object S1082 (Sunbird).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.