
Fresh GravityRAT Variants Target Android and Mac Systems

Kaspersky: Spyware Mainly Targets Victims in India
Image shows Travel Mate application for Android devices that hides the GravityRAT spyware (Source: Kaspersky)

Researchers at Kaspersky have uncovered several fresh variants of GravityRAT spyware that are now capable of attacking not only Windows but also Android and macOS devices.


When GravityRAT was first spotted in 2015, the remote access Trojan was Windows-centric and primarily used to target the Indian military, hitting at least 100 targets, according to Kaspersky. The new variants, however, are designed to target consumers in India by using a fake travel app to spread the spyware.

The first of these new variants was uncovered by Kaspersky researchers in 2019, but others were uncovered throughout this year. And the researchers recently linked all of them to the operators behind GravityRAT, according to the report.

One of the newer GravityRAT variants was installed in what was portrayed as an Android travel application called Travel Mate Pro, which spoofs a legitimate travel app named Travel Mate. When researchers examined the code, they found it to be a variant of GravityRAT. Further analysis found at least 10 more variants operating in the wild, either masquerading as legitimate apps or delivered as malicious links in social media posts sent to potential victims, according to the report.

"Victims were contacted through a fake Facebook account and asked to install a malicious app disguised as a secure messenger in order to continue the conversation," the report states.

Tatyana Shishkova, a security expert at Kaspersky, points out that the malicious mobile version is not distributed through the Google Play Store. Attackers may distribute it by using social engineering to lure victims to specially created websites where they can access the malicious links.

The GravityRAT variants are written in a variety of languages, including Python, .NET and C++, the Kaspersky report finds.

"Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible," Shishkova tells Information Security Media Group.

Travel App Trap

The spyware found in Travel Mate Pro sends device data, contact lists, e-mail addresses, and call and text logs to its command-and-control server. It also searches the device and any connected media for files with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx and .opus, and then exfiltrates their contents.

Shishkova says that while the malware's primary purpose is data gathering, the operators behind the spyware have also included newer functionality. This includes a feature that allows the malware to act as a backdoor or to execute arbitrary commands on the infected machine and download and start any other modules.

Connection to Pakistan?

The hacking group behind this malware is believed to have connections to Pakistan, according to a 2018 report by Cisco Talos.

A 2019 article in the Times of India also tied GravityRAT to a Pakistani hacking group that attempted to install the spyware on devices belonging to members of the Indian army, air force, navy, paramilitary forces and police officers.

Warnings About Apps

While the GravityRAT spyware was not hidden in apps available in the Google Play Store, security researchers are warning about more malware creeping into official app stores, as well as malicious code found in unofficial third-party stores.

In September, for instance, security firms Zscaler and Zimperium each published reports that found so-called Joker malware, which targets Android users, in Google Play as well as third-party app stores (see: Fresh Joker Malware Variant Targeting Android Users).

About the Author

Chinmay Rautmare

Senior Correspondent

Rautmare is a senior correspondent on Information Security Media Group's Global News Desk. He previously worked with Reuters News as a correspondent for the North America Headline News operations and reported on companies in the technology, media and telecom sectors. Before Reuters, he put in a stint in broadcast journalism with a business channel, where he helped produce multimedia content and daily market shows. Rautmare is a keen follower of geopolitical news and defense technology in his free time.
