Infamous spyware GravityRAT has now become multi-platform and is alive and kicking
Earlier, the spying Remote Access Trojan (RAT) targeted Windows operating systems. Now it can be used on Android and macOS as well, and the campaign is still alive and active.
Kaspersky has identified a previously unknown Android spyware, delivered as a malicious module inserted into travel applications used by Indian users. The spyware turned out to be related to GravityRAT, a spying Remote Access Trojan (RAT) known for its activity in India.
Further investigation revealed that the group behind this malware has turned it into a multi-platform tool. Where the spyware earlier targeted Windows operating systems, it can now be used on Android and macOS as well, and the campaign is still alive and active.
GravityRAT was first identified in 2018, and its development was documented by cybersecurity researchers. The spyware was used in targeted attacks against the Indian military services. According to Kaspersky data, the campaign has been active since at least 2015, mainly focusing on Windows operating systems. A couple of years ago, however, the situation changed, and the group added Android to its target list.
The recently identified module was further proof of this change, and there were a number of reasons why it did not look like a typical piece of Android spyware. For instance, the attackers have to select a specific application to carry the malicious module, and the malicious code was not based on the code of previously known spyware applications. This led Kaspersky researchers to compare the module with already known APT families.
Analysis of the command and control (C&C) addresses used revealed several additional malicious modules, also related to the actor behind GravityRAT, Kaspersky explained in a report.
Overall, more than 10 versions of GravityRAT were found being distributed under the guise of legitimate applications, such as secure file sharing applications that purportedly protect users' devices from encrypting Trojans, or media players.
Used together, these modules enabled the group to tap into Windows OS, macOS, and Android.
The list of enabled functions was in most cases quite standard and typical for spyware. The modules can retrieve device data, contact lists, email addresses, call logs, and SMS messages. Some of the Trojans also searched the device's storage for files with the .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus extensions in order to send them to the C&C.
You can read the full report here.