Security researchers have discovered new variants of the Windows GravityRAT spyware that can now also infect Android and macOS devices.
GravityRAT is a malware strain that checks the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.
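As an added illustration (not from the article and not from Kaspersky's or Talos's analysis), the temperature check described above is usually done through WMI temperature classes such as MSAcpi_ThermalZoneTemperature or Win32_TemperatureProbe, which in many virtual machines and sandboxes return no instances or an error; that difference is what makes the query useful as a VM check. A defender can therefore treat such queries, especially from a process running out of a user-writable directory, as a sandbox-evasion signal. The log format, process names and paths below are constructed for the example and are not real GravityRAT artifacts.

```python
import re
from dataclasses import dataclass

# Constructed WMI-activity log lines (not from the article or any real sample).
# Assumed format: "<timestamp> pid=<pid> image=<path> query=<WQL>".
SAMPLE_LOG = """\
2020-10-20T09:14:02Z pid=4120 image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe query=SELECT * FROM Win32_OperatingSystem
2020-10-20T09:14:07Z pid=5588 image=C:\\Users\\u\\AppData\\Roaming\\Enigma\\Enigma.exe query=SELECT CurrentTemperature FROM MSAcpi_ThermalZoneTemperature
2020-10-20T09:14:09Z pid=5588 image=C:\\Users\\u\\AppData\\Roaming\\Enigma\\Enigma.exe query=SELECT * FROM Win32_Processor
2020-10-20T09:15:31Z pid=2204 image=C:\\Program Files\\HWMonitor\\HWMonitor.exe query=SELECT * FROM MSAcpi_ThermalZoneTemperature
"""

# WMI classes that expose temperature sensors; VMs often expose neither.
THERMAL_CLASSES = ("MSAcpi_ThermalZoneTemperature", "Win32_TemperatureProbe")

# Directories a normal user can write to; hardware-monitoring tools rarely run from here.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Public)\\", re.IGNORECASE)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) query=(?P<query>.+)$"
)


@dataclass
class Finding:
    ts: str
    pid: int
    image: str
    wmi_class: str
    severity: str


def parse_line(line):
    """Return the fields of one log line, or None if it does not match the format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def thermal_class_in(query):
    """Return the temperature class referenced by a WQL query, or None."""
    q = query.lower()
    for cls in THERMAL_CLASSES:
        if re.search(r"\b" + re.escape(cls.lower()) + r"\b", q):
            return cls
    return None


def detect_thermal_probes(log_text):
    """Flag every temperature-sensor query; rate it 'high' when the querying
    process lives in a user-writable directory, 'low' otherwise."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        cls = thermal_class_in(rec["query"])
        if cls is None:
            continue
        severity = "high" if USER_WRITABLE.search(rec["image"]) else "low"
        findings.append(Finding(rec["ts"], int(rec["pid"]), rec["image"], cls, severity))
    return findings


if __name__ == "__main__":
    for f in detect_thermal_probes(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ts} pid={f.pid} {f.image} -> {f.wmi_class}")
```

The same check is worth running against an analysis sandbox itself: if the environment returns no thermal zone at all, malware using this trick will simply not detonate there, so a plausible sensor reading should be exposed to the guest.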
The GravityRAT Remote Access Trojan (RAT), under development since at least 2015, is believed to be the work of Pakistani hacker groups.
The malware was first spotted by Cisco Talos in 2017, when it was used by an APT group targeting India. Unlike the earlier variants, which focused on Windows, the new samples analyzed by Kaspersky researchers were able to infect macOS and Android devices.
To make the apps look more convincing, the criminals also started signing them with digital signatures.
The Android GravityRAT sample was found on VirusTotal in 2019, after the attackers added a spy module to Travel Mate, an Android app for travelers to India.
The infected app could steal contacts, emails, and documents from the device and send them to the command-and-control (C&C) server. The same C&C server was also associated with two other malicious apps, Enigma and Titanium, targeting the Windows and macOS platforms.
The spyware could collect information about the system and supported several features, such as:
- search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
- get a list of running processes
- intercept keystrokes
- take screenshots
- execute arbitrary shell commands
- record audio (not implemented in this version)
- scan ports
The malware was distributed through applications that clone legitimate apps and act as downloaders for the GravityRAT payloads.
The applications analyzed by Kaspersky were developed in .NET, Python, and the Electron framework.
According to the researchers, the malware was used in around 100 successful attacks between 2015 and 2018, targeting employees of defense, police, and other departments and organizations.
The victims were tricked into installing the malicious app, which was disguised as a secure messenger; the attackers contacted them through a fake Facebook account.