Woburn, MA – October 19, 2020 – Kaspersky has identified a previously unknown piece of Android spyware. Researchers found the malicious module inserted in a travel application for Indian users. A closer look revealed that it was related to GravityRAT, a spying Remote Access Trojan (RAT) known for carrying out activities in India. Further investigation confirmed that the group behind the malware had invested effort into making it into a multiplatform tool. In addition to targeting Windows operating systems, it can now be used on Android and MacOS. The campaign is still active.
In 2018, cybersecurity researchers published an overview of the developments of GravityRAT. The tool had been used in targeted attacks against Indian military services. According to Kaspersky’s data, the campaign has been active since at least 2015, focusing mainly on Windows operating systems. A couple of years ago, however, the situation changed, and the group added Android to the target list.
The identified module is further proof of this change, and there are a number of reasons why it doesn’t look like a typical piece of Android spyware. For one, a specific application has to be selected to carry out malicious purposes, and the malicious code – as is often the case – is not based on the code of previously known spyware applications. This motivated Kaspersky researchers to compare the module with already known APT families.
Analysis of the command and control (C&C) addresses module used revealed several additional malicious modules, also related to the actor behind GravityRAT. Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users’ devices from encrypting Trojans, or media players. Used together, these modules enabled the group to tap into Windows OS, MacOS, and Android.
The list of enabled functions in most cases was quite standard for spyware. The modules can retrieve device data, contact lists, email addresses, call logs, and SMS messages. Some of the Trojans were also searching for files with .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus extensions in a device's memory to also send them to the C&C.
“Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities,” said Tatyana Shishkova, security expert at Kaspersky. “Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible.”
To stay safe from spyware threats, Kaspersky recommends taking the following security measures:
For further details on the new exploits, read the full report on Securelist.
Kaspersky is a global cybersecurity company founded in 1997. Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative security solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection and a number of specialized security solutions and services to fight sophisticated and evolving digital threats. Over 400 million users are protected by Kaspersky technologies and we help 250,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.
Sawyer Van Horn