Kaspersky has identified a new piece of Android spyware related to GravityRAT. The spyware has undergone several updates and is now multiplatform. Kaspersky has identified versions that run on Android, Windows and macOS. The spyware is embedded in a number of different apps, and the sites distributing it are using Cloudflare to mask their IP.
The technical details of this new version of GravityRAT were posted in a blog on Securelist by Tatyana Shishkova. Shishkova said: “Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities. Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead of in an attempt to be as successful as possible.”
Who is GravityRAT targeting and how?
The original version of GravityRAT targeted the Indian armed forces and is believed to have been created by Pakistani hacking groups. Now that the spyware is embedded inside an app used by travellers to India, the group may be looking for new targets.
The spyware is hidden as a module inside apps, making it hard to detect. The latest app that Shishkova identifies as affected is Travel Mate, an Android app used by travellers to India whose source code is available on GitHub. It seems that the group behind GravityRAT has added their code and released it as Travel Mate Pro.
By comparing the original code for Travel Mate with Travel Mate Pro, it was possible to spot the malicious code. That code looks for a range of documents and data which it then exfiltrates to a command and control (C&C) server.
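The comparison described above is a standard triage step: given the open-source original and the repackaged build, list which entries were added, removed or altered, and which new permissions the fork requests. The script below is an added example and is not Kaspersky's or Securelist's code, nor the real Travel Mate or Travel Mate Pro; the two APK-like archives are constructed inline with placeholder package, class and service names, and the manifests are kept as plain text (an assumption made for the example, since the manifest inside a real APK is binary XML and would need decoding first).

```python
import hashlib
import io
import re
import zipfile

# Constructed, simplified stand-ins for two builds of the same app.
# Entry names, the package name and the service name are placeholders.
ORIGINAL_ENTRIES = {
    "AndroidManifest.xml": b"""<manifest package="com.example.travelmate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application><activity android:name=".MainActivity"/></application>
</manifest>""",
    "classes.dex": b"DEX-ORIGINAL",
    "res/layout/main.xml": b"<LinearLayout/>",
}

# The "fork": same app, but with an extra dex file, a rewritten manifest
# that adds permissions and a background service, and a changed classes.dex.
FORK_ENTRIES = {
    "AndroidManifest.xml": b"""<manifest package="com.example.travelmate">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <activity android:name=".MainActivity"/>
    <service android:name=".sync.UploadService"/>
  </application>
</manifest>""",
    "classes.dex": b"DEX-ORIGINAL-PLUS-EXTRA",
    "classes2.dex": b"DEX-EXTRA",
    "res/layout/main.xml": b"<LinearLayout/>",
}


def build_zip(entries):
    """Pack a name -> bytes mapping into an in-memory zip (APKs are zip files)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def entry_digests(apk_bytes):
    """Map every file entry to the SHA-256 of its uncompressed content."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        return {
            info.filename: hashlib.sha256(zf.read(info)).hexdigest()
            for info in zf.infolist()
            if not info.is_dir()
        }


def permissions(apk_bytes):
    """Collect <uses-permission> names from a plain-text (decoded) manifest."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        manifest = zf.read("AndroidManifest.xml").decode()
    return set(re.findall(r'<uses-permission[^>]*android:name="([^"]+)"', manifest))


def compare_builds(original, fork):
    """Report what the fork adds, drops or changes relative to the original."""
    a, b = entry_digests(original), entry_digests(fork)
    return {
        "added": sorted(set(b) - set(a)),
        "removed": sorted(set(a) - set(b)),
        "modified": sorted(n for n in a.keys() & b.keys() if a[n] != b[n]),
        "new_permissions": sorted(permissions(fork) - permissions(original)),
    }


if __name__ == "__main__":
    report = compare_builds(build_zip(ORIGINAL_ENTRIES), build_zip(FORK_ENTRIES))
    for key, items in report.items():
        print(f"{key}: {items}")
```

Every entry the fork adds or modifies is where reverse-engineering effort should go first; in the constructed case that is the second dex file, the changed `classes.dex`, and the two storage and boot-persistence permissions the original never requested. On a real sample the same approach works after decoding the binary manifest (for instance with apktool) and, for `.dex` changes, after comparing the decompiled class lists rather than whole-file hashes.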
Distribution seems to be through a targeted phishing campaign over Facebook. To increase the chance of infection, a wide range of apps have been infected and contain the GravityRAT code. With such a spread of infected apps, it is likely the attackers have done some recon on their victims. They will certainly have spent time looking at the victims’ Facebook profiles to see what appeals to them the most.
What other apps were found?
Shishkova explains how the C&C addresses used made it possible to track other apps. They are also using different frameworks and languages to write the apps such as .NET, Python and Electron. The apps are also digitally signed with valid signatures, making them appear more legitimate.
Among the apps that Shishkova says Kaspersky identified as containing GravityRAT were:
- Enigma: A file-sharing app that claims to protect against ransomware
- WeShare: A file transfer app
- MelodyMate: Signed by E-Crea
- StrongBox: Signed by E-Crea
- TeraSpace: Signed by E-Crea
- CyStyler: Signed by E-Crea
- SavitaBhabi: Written by the attackers and promoted as an adult comic strip. Malicious functionality is identical to Travel Mate Pro
A complete list is contained in the Securelist blog where 28 apps and their MD5 hashes are listed. The blog also contains a list of URLs from which the apps are distributed.
Enterprise Times: What does this mean?
Cross-platform malware is not uncommon, especially in the mobile space. However, targeting Windows, macOS and Android means a lot of work for the authors. It may seem surprising that iOS was not mentioned in the blog, but Android dominates the Indian mobile phone space. As such, the authors might well have decided not to bother with it for now.
The use of so many apps is interesting. It might simply be about obfuscating the apps in use. Alternatively, it could be a ploy to find different areas of interest that would appeal to different targets. Signing the apps with valid certificates to make them appear legitimate is also a novel twist. Another twist is using Cloudflare to mask the IP of the sites distributing GravityRAT-infected software.
What Kaspersky has not said is if it believes this is a state-sponsored group. With targets that include Indian military and government employees, it fits the profile. However, without more information to verify other attacks and behaviours, Kaspersky may not have enough data.