S1077: Hornbill

Hornbill is an Android malware family associated in ATT&CK with Confucius and described as focused on passive reconnaissance. Its practical significance is not just “mobile spyware”; the related techniques show a device-level collection pattern that can expose contacts, call logs, notifications, location, audio/video, screenshots, local files, application data, installed software, and network/Wi-Fi details, with exfiltration over web-based command-and-control channels. For leaders, this makes unmanaged or weakly governed Android devices a potential source of business, identity, and physical-location intelligence leakage.

Executive priority

Prioritize Hornbill as a mobile security and sensitive-user risk scenario, especially where Android devices are used by executives, government-facing staff, travelers, field personnel, or personnel with access to regulated or confidential communications. The decision value is to confirm whether the organization can inventory Android apps, review high-risk permissions, detect suspicious outbound mobile traffic, preserve mobile evidence during incidents, and prove to auditors that mobile access to sensitive data is governed. Because ATT&CK provides no official detection text for Hornbill, coverage should be validated through control and telemetry checks rather than assumed.

Technical view

Hornbill is listed for the Android platform and has relationships to techniques covering discovery, collection, evasion, device administrator abuse, file deletion, and exfiltration. SOC and IR teams should validate visibility around Android application permissions and behaviors including RECORD_AUDIO, camera access, location access, notification access, contact and call log access, MediaProjection/screen capture prompts, device administrator privileges, local/external storage access, installed-app enumeration, network/Wi-Fi discovery, and outbound HTTP/HTTPS communications. Detection engineering should focus on behavioral clustering: a single Android app requesting or using multiple sensitive permissions, mimicking legitimate names or icons, collecting local data, and communicating externally over web protocols.

Likely telemetry

Mobile device management or enterprise mobility inventory for Android device ownership, OS version, installed applications, package names, and device administrator status
Android application permission grants and runtime permission changes for microphone, camera, location, contacts, call logs, notification access, storage, and screen capture-related capabilities
Mobile threat defense or endpoint telemetry for suspicious app reputation, package-name/icon impersonation, user-evasion behavior, and high-risk permission combinations
Network telemetry from managed mobile devices or secure gateways showing outbound HTTP/HTTPS destinations, timing, volume, and unusual C2-like patterns
Device and app logs where available for file access, local storage reads, deletion activity, installed-app enumeration, and network/Wi-Fi configuration queries

Detection direction

Do not rely on a Hornbill-specific signature alone; ATT&CK does not provide official detection guidance for this object. Validate behavior-based coverage against the related techniques.
Tune for combinations of sensitive Android permissions and behaviors rather than any single permission, since legitimate apps may request microphone, camera, location, contacts, or notification access for valid reasons.
Review apps that request device administrator privileges or notification access together with collection-oriented permissions, especially if the app name, icon, or package appears to mimic a legitimate application.
Correlate local collection indicators with outbound web protocol traffic, because the relationship set includes Exfiltration Over C2 Channel and Web Protocols.
Account for blind spots on personally owned or unmanaged Android devices, devices not routed through enterprise network controls, and environments without mobile threat defense or MDM telemetry.

Mitigation priorities

Establish or verify Android device inventory and ownership for users handling sensitive communications or data.
Enforce mobile application governance: restrict unknown or untrusted app sources, review high-risk permissions, and remove apps that mimic legitimate brands or request unjustified access.
Limit and monitor device administrator privileges, notification access, background location access, microphone/camera access, contacts, call logs, and storage permissions according to business need.
Route managed mobile traffic through monitored controls where feasible and retain network evidence sufficient to investigate suspicious HTTP/HTTPS exfiltration patterns.
Prepare mobile incident response procedures for evidence preservation, app triage, user interview, device isolation, and credential/session review when a mobile collection implant is suspected.

Analyst notes and limits

The ATT&CK object describes Hornbill as one of two mobile malware families known to be used by Confucius and notes analysis suggesting activity beginning in early 2018. The relationship set is more operationally useful than the short malware description: it maps Hornbill to Android-focused discovery, collection, evasion, privilege, deletion, and exfiltration behaviors. The most important defensive question is whether mobile telemetry is sufficient to connect sensitive permission use, local data access, impersonation, and outbound communications into one investigation story.

Official ATT&CK detection text is not provided, tactics are not specified in the supplied object, and the description depends on a cited external analysis. This take does not assert current exploitation, customer exposure, or guaranteed detection. Local app inventory, mobile telemetry, user population, device management status, and network visibility are required to assess actual risk and coverage.

Official MITRE ATT&CK definition

Hornbill

Hornbill is one of two mobile malware families known to be used by the APT Confucius. Analysis suggests that Hornbill was first active in early 2018. While Hornbill and Sunbird overlap in core capabilities, Hornbill has tools and behaviors suggesting more passive reconnaissance.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 21 rows

Domain	ID	Name	Relationship / procedure
Mobile	T1422	System Network Configuration Discovery	Hornbill can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.[1]
Mobile	T1636.003	Contact List Sub-technique	Hornbill can collect device contacts.[1]
Mobile	T1630.002	File Deletion Sub-technique	Hornbill can delete locally gathered files after uploading them to the C2 to avoid suspicion.[1]
Mobile	T1628.002	User Evasion Sub-technique	Hornbill uses an infrequent data upload schedule to avoid user detection and battery drain. It also can delete on-device data after being sent to the C2, and stores collected data in hidden folders on external storage.[1]
Mobile	T1655.001	Match Legitimate Name or Location Sub-technique	Hornbill has impersonated chat applications such as Fruit Chat, Cucu Chat, and Kako Chat.[1]
Mobile	T1429	Audio Capture	Hornbill can record environmental and call audio.[1]
Mobile	T1437.001	Web Protocols Sub-technique	Hornbill can use HTTP and HTTP POST to communicate information to the C2.[1]
Mobile	T1426	System Information Discovery	Hornbill can collect the device ID, model, manufacturer, and Android version. It can also check available storage space and if the screen is locked.[1]
Mobile	T1430	Location Tracking	Hornbill can access a device’s location and check if GPS is enabled. Hornbill has logic to only log location changes greater than 70 meters.[1]
Mobile	T1646	Exfiltration Over C2 Channel	Hornbill can exfiltrate data back to the C2 server using HTTP.[1]
Mobile	T1517	Access Notifications	Hornbill has monitored for SMS and WhatsApp notifications.[1]
Mobile	T1420	File and Directory Discovery	Hornbill has a list of file extensions that it may use to log certain operations (creation, open, close, modification, movement, deletion) on files of those types.[1]
Mobile	T1418	Software Discovery	Hornbill can search for installed applications such as WhatsApp.[1]
Mobile	T1409	Stored Application Data	Hornbill can collect voice notes and messages from WhatsApp, if installed.[1]
Mobile	T1513	Screen Capture	Hornbill can take screenshots and can abuse accessibility services to scrape WhatsApp messages, contacts, and notifications.[1]
Mobile	T1533	Data from Local System	Hornbill can access images stored on external storage.[1]
Mobile	T1636.002	Call Log Sub-technique	Hornbill can gather device call logs.[1]
Mobile	T1422.001	Internet Connection Discovery Sub-technique	Hornbill can collect a device's phone number and IMEI, and can check to see if WiFi is enabled.[1]
Mobile	T1626.001	Device Administrator Permissions Sub-technique	Hornbill can request device administrator privileges.[1]
Mobile	T1422.002	Wi-Fi Discovery Sub-technique	Hornbill can collect a device's phone number and IMEI, and can check to see if Wi-Fi is enabled.[1]
Mobile	T1512	Video Capture	Hornbill can access a device’s camera and take photos.[1]

Associated objects

Groups, software, and campaigns

G0142: Confucius

Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.[1][2][3]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.0
Created: Jun 9, 2023, 19:07 UTC (UTC+00:00)
Modified: Oct 7, 2023, 21:29 UTC (UTC+00:00)
Raw hash: da3a872bdef2896e...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.0	Oct 7, 2023, 21:29 UTC (UTC+00:00)	Current bundle	`da3a872bdef2…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
lookout_hornbill_sunbird_0221

Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Retrieved June 9, 2023.
Open source URL
[2]
mitre-attack S1077
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams