By ; Mohamed El Khouly – Adel Farig
Kaspersky has identified a previously unknown piece of Android spyware. This malicious module was inserted into a travel application for Indian users. A closer look revealed that it was related to GravityRAT, a spying Remote Access Trojan (RAT) known for carrying out activities in India. Further investigation confirmed that the group behind the malware invested effort into making a multiplatform tool. In addition to targeting Windows operating systems, it can now be used on Android and Mac OS. The campaign is still active.
In 2018, an overview into the developments of GravityRAT was published by cybersecurity researchers. The tool was used in targeted attacks against Indian military services. According to Kaspersky’s data, the campaign has been active since at least 2015, being mainly focused on Windows operating systems. A couple of years ago, however, the situation changed, and the group added Android to the target list.
The identified module was yet further proof of this change, and there were a number of reasons why it didn’t look like a typical piece of Android spyware. For instance, a specific application has to be selected to carry out malicious purposes, and the malicious code - as is often the case - was not based on the code of previously known spyware applications. This motivated Kaspersky researchers to compare the module with already known APT families.
Analysis of the command and control (C&C) addresses used, revealed several additional malicious modules, also related to the actor behind GravityRAT. Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users’ devices from encrypting Trojans, or media players. Used together, these modules enabled the group to tap into Windows OS, Mac OS, and Android.
The list of enabled functions in most cases was quite standard and typically expected for spyware. The modules can retrieve device data, contact lists, email addresses, call logs, and SMS messages. Some of the Trojans were also searching for files with .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus extensions in a device's memory to also send them to the C&C.
“Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities. Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead in an attempt to be as successful as possible,” comments Tatyana Shishkova, security expert at Kaspersky.