Analysis of the command and control addresses in use led to the discovery of further malicious modules, also attributable to the author of GravityRAT.
Kaspersky has identified a previously unknown Android spyware module embedded in a travel application aimed at Indian users. Deeper analysis showed that the module is linked to GravityRAT, a Remote Access Trojan (RAT) known for operations in India. Further investigation confirmed that the group behind the malware has built a cross-platform tool which, in addition to Windows, can target Android and macOS. The campaign is still active.
How the new GravityRAT spyware works
In 2018, cybersecurity researchers published a report on the development of GravityRAT, a tool used in targeted attacks against the Indian armed forces. According to data collected by Kaspersky, the campaign has been running since at least 2015 and focuses mainly on Windows. For about two years now, however, the group has been adding Android to its list of targets.
Further evidence of this shift is the module itself, which does not look like typical Android spyware. For example, a specific application had to be chosen as the carrier for the malicious activity, and, unlike most Android spyware, the malicious code was not based on the code of previously known spyware applications. This prompted Kaspersky researchers to compare the module with already known APT families.
Analysis of the command and control (C&C) addresses in use led to the discovery of further malicious modules, also attributable to the author of GravityRAT. In total, more than 10 versions of GravityRAT were identified, distributed under the names of legitimate applications such as secure file sharing tools that supposedly protect users' devices from encrypting trojans, or media players. Used together, these modules allowed the group to compromise Windows, macOS and Android systems.
In most cases the list of enabled functions was standard spyware fare. The modules could retrieve device data, contact lists, email addresses, call logs and SMS messages. Some of the trojans also searched the device's storage for files with the extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx and .opus in order to send them to the command and control (C&C) server as well.
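The pivot described above, from a seed sample through the C&C hosts it contacts to every other sample sharing that infrastructure, is a graph walk. The following is an added example, not code from the original article or from Kaspersky; sample names and hosts are constructed placeholders (the `.invalid` TLD is reserved and never resolves), not real indicators. The `exclude` set is the caveat a practitioner needs: shared hosting, CDNs and dynamic-DNS providers link unrelated samples, so they must be dropped before pivoting or the cluster balloons.

```python
"""Infrastructure pivot: link samples across platforms through shared C&C hosts.

Added example. Sample names and host names are constructed placeholders,
not real GravityRAT indicators.
"""
from collections import deque

# Constructed data: which C&C hosts each analysed sample contacts.
# sample_android_02 bridges the "b" and "c" hosts, which is how a pivot
# from a Windows sample reaches the macOS one two hops away.
SAMPLE_C2 = {
    "sample_win_01": {"c2-a.example.invalid", "c2-b.example.invalid"},
    "sample_android_01": {"c2-b.example.invalid"},
    "sample_android_02": {"c2-b.example.invalid", "c2-c.example.invalid"},
    "sample_mac_01": {"c2-c.example.invalid"},
    "unrelated_01": {"cdn.example.invalid"},
    "unrelated_02": {"cdn.example.invalid", "c2-a.example.invalid"},
}

# Shared infrastructure that must not be used as a pivot point.
SHARED_HOSTS = {"cdn.example.invalid"}


def build_host_index(sample_c2):
    """Invert sample -> hosts into host -> samples."""
    index = {}
    for sample, hosts in sample_c2.items():
        for host in hosts:
            index.setdefault(host, set()).add(sample)
    return index


def pivot(seed_samples, sample_c2, exclude=frozenset(), max_hops=None):
    """Breadth-first walk over the bipartite sample/host graph.

    Returns (samples, hosts, hops): every sample reachable from the seeds
    via non-excluded hosts, the hosts traversed, and each sample's
    distance (in pivots) from the nearest seed. max_hops bounds how far
    an attribution is allowed to stretch.
    """
    host_index = build_host_index(sample_c2)
    hops = {s: 0 for s in seed_samples}
    seen_hosts = set()
    queue = deque(seed_samples)
    while queue:
        sample = queue.popleft()
        if max_hops is not None and hops[sample] >= max_hops:
            continue
        for host in sample_c2.get(sample, ()):
            if host in exclude or host in seen_hosts:
                continue
            seen_hosts.add(host)
            for other in host_index[host]:
                if other not in hops:
                    hops[other] = hops[sample] + 1
                    queue.append(other)
    return set(hops), seen_hosts, hops


if __name__ == "__main__":
    samples, hosts, hops = pivot(["sample_win_01"], SAMPLE_C2, exclude=SHARED_HOSTS)
    for s in sorted(samples, key=hops.get):
        print(f"{hops[s]} hop(s): {s}")
    print("hosts used for pivot:", sorted(hosts))
```

Note that `unrelated_02` is still pulled in: it genuinely shares `c2-a` with the seed, which is the kind of link the article's researchers acted on, while `unrelated_01`, connected only through the excluded CDN host, is not. A hop limit of 1 keeps the attribution to samples sharing a host directly with a seed.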
How to defend against GravityRAT
To protect against spyware threats, Kaspersky recommends giving the Security Operations Center (SOC) team access to up-to-date threat intelligence (TI), deploying a reliable EDR solution for endpoint detection, investigation and timely remediation of incidents, and using an endpoint security solution with mobile application control to protect corporate devices, Android ones included, from malicious applications. Such a solution ensures that only legitimate applications from an approved list (whitelist) can be installed on devices that have access to sensitive corporate data.
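An allowlist keyed on package name alone would not have stopped the module described in this article, which shipped inside an application users recognised; the control has to bind the package name to the certificate the legitimate publisher signs with. The following is an added example of that check, not code from the article or from any Kaspersky product. The approved list, the device inventory and the certificate bytes are all constructed for the example; in practice the signer certificate comes from the MDM inventory or from `apksigner verify --print-certs` on the APK.

```python
"""Mobile application control: allow a package only if BOTH its name and the
SHA-256 fingerprint of its signing certificate are on the approved list.

Added example; all data below is constructed.
"""
import hashlib

# Constructed stand-ins for DER-encoded signing certificates.
CORP_SIGNER_CERT = b"constructed DER bytes: corporate publisher certificate"
ROGUE_SIGNER_CERT = b"constructed DER bytes: attacker certificate"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER certificate, hex-encoded, as apksigner prints it."""
    return hashlib.sha256(cert_der).hexdigest()


# Constructed approved list: package name -> expected signer fingerprint.
ALLOWLIST = {
    "com.example.corp.mail": cert_fingerprint(CORP_SIGNER_CERT),
    "com.example.corp.travel": cert_fingerprint(CORP_SIGNER_CERT),
}

# Constructed device inventory. The travel app keeps the approved package
# name but was repackaged and re-signed, which is the case the name-only
# check misses.
INVENTORY = [
    {"package": "com.example.corp.mail", "signer_cert": CORP_SIGNER_CERT},
    {"package": "com.example.corp.travel", "signer_cert": ROGUE_SIGNER_CERT},
    {"package": "com.example.media.player", "signer_cert": ROGUE_SIGNER_CERT},
]


def evaluate(inventory, allowlist):
    """Return {package: verdict}. Anything not explicitly allowed is blocked."""
    verdicts = {}
    for app in inventory:
        pkg = app["package"]
        expected = allowlist.get(pkg)
        if expected is None:
            verdicts[pkg] = "block: package not on allowlist"
        elif cert_fingerprint(app["signer_cert"]) != expected:
            verdicts[pkg] = "block: signer mismatch (repackaged or lookalike app)"
        else:
            verdicts[pkg] = "allow"
    return verdicts


def name_only_evaluate(inventory, allowlist):
    """The weaker check, for comparison: trusts the package name alone."""
    return {app["package"]: ("allow" if app["package"] in allowlist
                             else "block: package not on allowlist")
            for app in inventory}


if __name__ == "__main__":
    for pkg, verdict in evaluate(INVENTORY, ALLOWLIST).items():
        print(f"{pkg}: {verdict}")
```

Fingerprints are public values, so plain string comparison is fine here; what matters is that the comparison happens at all, since a lookalike or trojanised build cannot reproduce the legitimate publisher's signature.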