Kaspersky detected a previously unknown piece of Android spyware. This malicious section was introduced in a travel app for Indian users.
A closer look revealed that it relates to “GravityRAT”, a spy “Remote Access Trojan (RAT)” known for conducting activities in India.
Further research confirmed that the team behind the malware invested in creating a multi-platform tool; in addition to targeting “Windows” operating systems, it can now be used on “Android“ and “Mac OS”. The campaign is still active.
In 2018, an overview of “GravityRAT” developments was published by digital security researchers; the tool was used in targeted attacks against Indian military agencies; according to Kaspersky data, the campaign has been active since at least 2015, focusing mainly on “Windows” operating systems. A few years ago, however, the situation changed and the team added “Android” to the list of targets.
The recognized module was yet another proof of this change, and there were several reasons why it doesn’t look like a typical “Android spyware” track. For example, a specific application must be selected for malicious purposes and the malicious code -as is often the case- was not based on the code of previously known spyware applications. This prompted Kaspersky researchers to compare the unit with already known APT families.
Analysis of the command and control (C&C) addresses used revealed many additional malicious modules that are also related to the vector behind “GravityRAT”. More than 10 versions of “GravityRAT” were found, which were distributed under the guise of legitimate applications, such as secure file-sharing applications that would help protect users’ devices from “Trojans” encryption, or media players. Simultaneous use of these modules allowed the team to utilize the “Windows”, “Mac OS” and “Android” operating systems.
The list of enabled functions in most cases was fairly standard and usually expected for spyware. Modules can retrieve device data, contact lists, “email” addresses, call logs, and “SMS” messages. Some of the “Trojans” also searched for files with “.jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx” and “.opus” extensions in the memory of a device to also send them to C&C.
(Συνολικές Επισκέψεις: / Total Visits: 15)
(Σημερινές Επισκέψεις: / Today's Visits: 1)