S1082: Sunbird
Analyst context for executives and security teams
Sunbird matters because it represents Android spyware behavior with a broad collection profile: device discovery, local and application data access, contact/calendar/call log collection, location tracking, audio/video/screen capture, archiving, tool transfer, shell execution, device administrator abuse, and exfiltration over a command-and-control channel. For leaders, the practical issue is not just “malware on a phone”; it is whether mobile devices used by executives, field staff, government-facing teams, or sensitive operations can leak communications, location, media, and business context without the same visibility applied to endpoints.
Executive priority
Prioritize Sunbird as a mobile security and incident-readiness validation case for Android environments handling sensitive communications or personnel movement. The ATT&CK relationship to Confucius, a group described as targeting military personnel, high-profile personalities, business persons, and government organizations in South Asia, makes this especially relevant for travel risk, executive protection, government engagement, and bring-your-own-device governance. Executives should ask whether mobile telemetry, app permission governance, device administrator monitoring, and incident response procedures are mature enough to prove what data a compromised Android device could expose.
Technical view
SOC, detection engineering, and IR teams should map Sunbird coverage across its ATT&CK relationships rather than relying on a single malware signature. Validate Android visibility for suspicious use of sensitive permissions and APIs associated with stored application data, installed application enumeration, system and network discovery, microphone, camera, screen capture, location, calendar, call log, contacts, local file access, archive creation, inbound tool/file transfer, Unix shell use, device administrator permission abuse, and C2-based exfiltration. Because ATT&CK provides no official detection text for this object and no tactics are specified, teams should build coverage around the related techniques and local mobile device management, mobile threat defense, network, and incident-response evidence sources.
Likely telemetry
- Android application inventory and package metadata
- Application permission requests and grants, especially microphone, camera, location, contacts, calendar, call log, storage, screen capture, and device administrator privileges
- Mobile device management or enterprise mobility management compliance state
- Mobile threat defense alerts and behavioral findings
- Android device logs where available, including app install/update/removal and administrative privilege changes
Detection direction
- Start with permission and behavior correlation: sensitive permission use becomes more material when paired with discovery, local data access, archiving, or unusual outbound communications.
- Tune for context, because many permissions such as contacts, calendar, location, microphone, and camera can be legitimate for business apps; prioritize unexpected apps, sideloaded apps, rarely used apps, or apps inconsistent with business function.
- Validate monitoring for Android device administrator permission changes, as this relationship can affect removal difficulty and device control.
- Check whether mobile network telemetry can associate traffic with device and application identity; without that linkage, C2-channel exfiltration may be difficult to investigate.
- Confirm whether screen capture and MediaProjection-style activity are visible in the managed fleet; this is a common blind spot compared with traditional endpoint monitoring.
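The correlation rule above (collection permissions only become material when paired with sideloading, device-administrator rights, or unusual outbound traffic, with known business apps down-weighted) can be run over an MDM/MTD inventory export. The following is an added example written for this page, not code from Lookout, MITRE, or any Sunbird analysis: the inventory records, field names, installer allow-list, permission-to-technique mapping and score weights are all assumptions to be tuned against local telemetry.

```python
"""Permission/behaviour correlation triage over an Android app inventory.

Added example for this page; not code from Lookout, MITRE or the Sunbird
analysis. The inventory below is constructed, and the field names, installer
allow-list, technique mapping and score weights are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Sensitive permissions mapped to the ATT&CK Mobile techniques listed on this
# page. The mapping is an assumption for this example, not ATT&CK data.
SENSITIVE_PERMS: Dict[str, str] = {
    "android.permission.RECORD_AUDIO": "T1429",            # Audio Capture
    "android.permission.CAMERA": "T1512",                  # Video Capture
    "android.permission.ACCESS_FINE_LOCATION": "T1430",    # Location Tracking
    "android.permission.ACCESS_COARSE_LOCATION": "T1430",
    "android.permission.READ_CONTACTS": "T1636.003",       # Contact List
    "android.permission.READ_CALENDAR": "T1636.001",       # Calendar Entries
    "android.permission.READ_CALL_LOG": "T1636.002",       # Call Log
    "android.permission.READ_EXTERNAL_STORAGE": "T1533",   # Data from Local System
    "android.permission.MANAGE_EXTERNAL_STORAGE": "T1533",
    "android.permission.QUERY_ALL_PACKAGES": "T1418",      # Software Discovery
}

# Installer packages treated as trusted sources (assumption; add enterprise
# app stores as needed). Anything else, including None, counts as sideloaded.
TRUSTED_INSTALLERS: Set[str] = {"com.android.vending"}

OUTBOUND_THRESHOLD_KB = 1024  # 24h egress considered unusual for a utility app (assumption)


@dataclass
class AppRecord:
    package: str
    installer: Optional[str]            # None = unknown/sideloaded
    granted: Set[str]                   # granted runtime/install permissions
    device_admin: bool = False          # holds a device administrator receiver (T1626.001)
    outbound_kb_24h: int = 0            # per-app egress, if the network layer can attribute it
    business_approved: bool = False     # present in the app governance allow-list


def triage(app: AppRecord) -> Dict[str, object]:
    """Score one app. Breadth of collection permissions is the base; it is
    escalated only when paired with device-admin, sideloading or egress, and
    reduced for business-approved apps (the page's context-tuning rule)."""
    techniques = sorted({t for p, t in SENSITIVE_PERMS.items() if p in app.granted})
    score = len(techniques)             # one point per distinct collection/discovery technique
    reasons: List[str] = []
    if techniques:
        reasons.append(f"{len(techniques)} collection/discovery technique(s)")
    if app.device_admin:
        score += 3
        techniques.append("T1626.001")
        reasons.append("device administrator permission")
    if app.installer not in TRUSTED_INSTALLERS:
        score += 2
        reasons.append("sideloaded or untrusted installer")
    if techniques and app.outbound_kb_24h > OUTBOUND_THRESHOLD_KB:
        score += 2
        techniques.append("T1646")      # heuristic: egress plus collection perms, not proof of C2
        reasons.append("outbound traffic alongside collection permissions")
    if app.business_approved:
        score = max(score - 3, 0)       # known business apps are expected to hold these permissions
        reasons.append("business-approved app, score reduced")
    severity = "high" if score >= 7 else "medium" if score >= 4 else "low"
    return {"package": app.package, "score": score, "severity": severity,
            "techniques": sorted(set(techniques)), "reasons": reasons}


def triage_inventory(apps: List[AppRecord]) -> List[Dict[str, object]]:
    """Rank a fleet inventory, highest score first."""
    return sorted((triage(a) for a in apps), key=lambda r: r["score"], reverse=True)


# Constructed inventory: package names and values are invented for the example.
SAMPLE_INVENTORY = [
    AppRecord("com.example.crm", "com.android.vending",
              {"android.permission.READ_CONTACTS", "android.permission.READ_CALENDAR",
               "android.permission.ACCESS_FINE_LOCATION"},
              outbound_kb_24h=5000, business_approved=True),
    AppRecord("com.example.flashlight", None,
              {"android.permission.RECORD_AUDIO", "android.permission.CAMERA",
               "android.permission.ACCESS_FINE_LOCATION", "android.permission.READ_CONTACTS",
               "android.permission.READ_CALL_LOG", "android.permission.READ_CALENDAR",
               "android.permission.READ_EXTERNAL_STORAGE", "android.permission.QUERY_ALL_PACKAGES"},
              device_admin=True, outbound_kb_24h=12000),
    AppRecord("com.example.notes", "com.android.vending",
              {"android.permission.READ_EXTERNAL_STORAGE"}, outbound_kb_24h=10),
]

if __name__ == "__main__":
    for f in triage_inventory(SAMPLE_INVENTORY):
        print(f'{f["severity"]:6} {f["score"]:2} {f["package"]:24} '
              f'{",".join(f["techniques"])}  [{"; ".join(f["reasons"])}]')
```

The CRM app holds contacts, calendar and location and pushes traffic, but it is Play-installed and approved, so it ranks low; the sideloaded "flashlight" with device-admin rights and a Sunbird-like permission set ranks high. The technique list on each finding is what lets the result be mapped back to the ATT&CK relationships in the table below rather than to a single signature.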
Mitigation priorities
- Inventory Android devices and define which populations require managed mobile controls, especially executives, travelers, and users handling sensitive communications.
- Enforce application governance: restrict untrusted app sources where appropriate, review installed applications, and remove apps inconsistent with business need.
- Apply least-privilege permission practices for mobile apps, with special scrutiny on microphone, camera, location, contacts, calendar, call log, storage, screen capture, and device administrator permissions.
- Use mobile device management or equivalent controls to maintain patch posture, enforce compliance, and support rapid containment or wipe decisions when policy allows.
- Prepare IR playbooks for suspected Android spyware that include preservation limits, device isolation, account/token review, and assessment of exposed contacts, messages, files, location, and media.
Analyst notes and limits
This take is based on ATT&CK software S1082 Sunbird, its official description, the Lookout external reference cited by ATT&CK, and the supplied relationships. ATT&CK states Sunbird is one of two mobile malware families known to be used by Confucius and that analysis suggests activity began in early 2017. The relationship set indicates extensive Android-relevant collection, discovery, execution, privilege, staging, transfer, and exfiltration behaviors.
ATT&CK provides no official detection guidance, no tactics for this object in the supplied fields, and no aliases or labels. This summary does not assess current activity, customer exposure, specific indicators, or guaranteed detection. Local device management architecture, Android version mix, app inventory, telemetry access, and legal/privacy constraints will determine what can actually be monitored or investigated.
Sunbird
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Mobile | T1422 | System Network Configuration Discovery | |
| Mobile | T1623.001 | Unix Shell | |
| Mobile | T1429 | Audio Capture | |
| Mobile | T1513 | Screen Capture | |
| Mobile | T1626.001 | Device Administrator Permissions | |
| Mobile | T1533 | Data from Local System | |
| Mobile | T1426 | System Information Discovery | |
| Mobile | T1430 | Location Tracking | |
| Mobile | T1636.002 | Call Log | |
| Mobile | T1636.003 | Contact List | |
| Mobile | T1544 | Ingress Tool Transfer | |
| Mobile | T1409 | Stored Application Data | |
| Mobile | T1418 | Software Discovery | |
| Mobile | T1646 | Exfiltration Over C2 Channel | |
| Mobile | T1532 | Archive Collected Data | |
| Mobile | T1512 | Video Capture | |
| Mobile | T1636.001 | Calendar Entries | |
Groups, software, and campaigns
G0142: Confucius
Confucius is a cyber espionage group that has primarily targeted military personnel, high-profile personalities, business persons, and government organizations in South Asia since at least 2013. Security researchers have noted similarities between Confucius and Patchwork, particularly in their respective custom malware code and targets.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 31b6e569557f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Apurva Kumar, Kristin Del Rosso. (2021, February 10). Novel Confucius APT Android Spyware Linked to India-Pakistan Conflict. Lookout. Retrieved June 9, 2023. (Source record: lookout_hornbill_sunbird_0221)
[2] MITRE ATT&CK. S1082: Sunbird. (Source record: mitre-attack S1082)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.