GravityRAT Returns Targeting Android and MacOS Too
In 2018, researchers at Cisco Talos published a report on the spyware GravityRAT, used to target the Indian armed forces. The Indian Computer Emergency Response Team (CERT-IN) first discovered the Trojan in 2017. Its authors are believed to be hacker groups based in Pakistan. According to researchers, the campaign has been active since at least 2015 and previously targeted Windows machines. Kaspersky researchers found updated GravityRAT code. Further investigation confirmed that the group behind the GravityRAT malware has turned it into a multi-platform tool that also targets Android and MacOS. The malware is capable of retrieving device data, contact lists, email addresses, call logs and SMS messages, and can exfiltrate various types of documents and files.
Kaspersky researchers observed a piece of malicious code inserted into an Android travel application for Indian users. Researchers were able to determine that the malware module was a relative of GravityRAT. Analysis of the command-and-control (C2) addresses the module used revealed several additional malicious modules, also related to GravityRAT. The analysis turned up more than 10 new versions of GravityRAT, all distributed within trojanized applications, including fake secure file-sharing applications and media players. These modules give it a multi-platform code base that enables the group to tap into Windows, MacOS and Android.
The hackers also started using digital signatures to make the apps look legitimate. Once installed, the spyware receives commands from the server. The commands include retrieving information about the system, uploading files to the server, capturing keystrokes, taking screenshots and executing arbitrary shell commands. The campaign mainly targets victims in India. Kaspersky also believes that the malware is spreading in the same way that older versions did: through social media, where targeted individuals are sent links pointing to malicious apps.
The hackers behind GravityRAT are continuing to invest in its spying capabilities, and they are getting better at disguising the malware. With its expanding OS portfolio, we can expect more incidents involving this malware. This is part of a wider trend: hackers are not just focused on developing new malware, but on further developing proven malware too. Security experts recommend never downloading apps from third-party sources or links to prevent infections.