Woburn, MA – October 19, 2020 – Kaspersky has identified a previously unknown piece of Android spyware. Researchers found the malicious module inserted in a travel application for Indian users. A closer look revealed that it was related to GravityRAT, a spying Remote Access Trojan (RAT) known for carrying out activities in India. Further investigation confirmed that the group behind the malware had invested effort into making it into a multiplatform tool. In addition to targeting Windows operating systems, it can now be used on Android and MacOS. The campaign is still active.

In 2018, cybersecurity researchers published an overview of the developments of GravityRAT. The tool had been used in targeted attacks against Indian military services. According to Kaspersky’s data, the campaign has been active since at least 2015, focusing mainly on Windows operating systems. A couple of years ago, however, the situation changed, and the group added Android to the target list.

The identified module is further proof of this change, and there are a number of reasons why it doesn’t look like a typical piece of Android spyware. For one, a specific application has to be selected to carry out malicious purposes, and the malicious code – as is often the case – is not based on the code of previously known spyware applications. This motivated Kaspersky researchers to compare the module with already known APT families.

Analysis of the command and control (C&C) addresses module used revealed several additional malicious modules, also related to the actor behind GravityRAT. Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users’ devices from encrypting Trojans, or media players. Used together, these modules enabled the group to tap into Windows OS, MacOS, and Android.

The list of enabled functions in most cases was quite standard for spyware. The modules can retrieve device data, contact lists, email addresses, call logs, and SMS messages. Some of the Trojans were also searching for files with .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus extensions in a device’s memory to also send them to the C&C.

“Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities,” said Tatyana Shishkova, security expert at Kaspersky. “Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible.”

To stay safe from spyware threats, Kaspersky recommends taking the following security measures:

• Provide your SOC team with access to the latest threat intelligence (TI). The Kaspersky Threat Intelligence Portal grants access to the company’s TI, providing cyberattack data and insights gathered by Kaspersky for more than 20 years.

• For endpoint level detection, investigation and timely remediation of incidents, implement reliable EDR solutions, such as Kaspersky Endpoint Detection and Response.

• To protect corporate devices, including those on Android, from malicious applications, use an endpoint security solution with a mobile application control. This can make sure that only trusted applications from an approved whitelist can be installed on devices that have access to sensitive corporate data.

For further details on the new exploits, read the full report on Securelist.