The GravityRAT remote access trojan has been updated by its developers and is spreading disguised as a chat application, SoSafe Chat. The RAT is believed to be developed by Pakistani actors and targets Indian users in the recent campaign.
What has happened?
Cyble has identified a recent campaign that targets high-profile individuals in India by distributing a new variant of GravityRAT.
Examination of the app's source code revealed the website (sosafe[.]co[.]in) used by the attackers. The site is still online, but the download link is not functional and registration is disabled.
It appears that the attacker behind the recent campaign used the site to spread the malware through malvertising campaigns or links shared in chat messages and social media posts.
The malware requests 42 distinct permissions. Of these, 13 could be abused by the attackers to perform various actions, including reading mobile data and obtaining the device's location.
Additional insights
Reports suggest that earlier variants of the RAT targeted Windows machines, while this one carries several capabilities aimed at mobile devices.
The RAT has been updated with audio recording and location retrieval features, along with exfiltration of cellular network data.
It steals sensitive information such as SMS messages, call logs and files, and records audio without the user's knowledge.
Last year, the malware targeted users through an Android app named Travel Mate Pro.
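The permission count and the capability list above are the kind of facts an analyst pulls from a sample's AndroidManifest.xml during triage. The following is an added example, not code from the original report or from Cyble: it parses a manifest, extracts every uses-permission entry, and flags the ones that map onto the data categories the article names (SMS, call logs, files, audio, location, cellular/telephony data). The manifest embedded here is constructed for the example and is not the SoSafe Chat manifest; the permission-to-capability mapping is an assumption that covers standard Android runtime permissions.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Android runtime ("dangerous") permissions grouped by the capability they
# unlock. This mapping is an assumption for the example; it covers the data
# categories the article describes, not every sensitive permission on Android.
DANGEROUS = {
    "android.permission.READ_SMS": "sms",
    "android.permission.RECEIVE_SMS": "sms",
    "android.permission.READ_CALL_LOG": "call_log",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.RECORD_AUDIO": "audio",
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.READ_EXTERNAL_STORAGE": "files",
    "android.permission.WRITE_EXTERNAL_STORAGE": "files",
    "android.permission.READ_PHONE_STATE": "telephony",
}

# Constructed sample manifest for a fictitious chat app; NOT the real sample.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.VIBRATE"/>
    <application android:label="Chat"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list:
    """Return the distinct permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name, namespace-qualified
    perms = []
    for node in root.iter("uses-permission"):
        name = node.get(name_attr)
        if name and name not in perms:
            perms.append(name)
    return perms


def triage(manifest_xml: str) -> dict:
    """Count requested permissions and report which abusable capabilities they grant."""
    perms = requested_permissions(manifest_xml)
    flagged = {p: DANGEROUS[p] for p in perms if p in DANGEROUS}
    return {
        "total": len(perms),
        "abusable": len(flagged),
        "capabilities": sorted(set(flagged.values())),
        "flagged": flagged,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print("requested:", report["total"], "abusable:", report["abusable"])
    for perm, capability in report["flagged"].items():
        print("  %-45s -> %s" % (perm, capability))
```

Two practical caveats: a manifest inside a real APK is stored as binary XML, so decode it first (for example with `apktool d sample.apk`) before feeding the text to this parser; and a flagged permission is a lead, not a verdict. A chat app can legitimately request RECORD_AUDIO for voice messages, but the combination of SMS, call log and location access in an app that does not need them is what justifies escalating to dynamic analysis of where that data is sent.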
Conclusion
The return of GravityRAT shows that the authors behind this malware have been active behind the scenes, updating it constantly. The new features are designed mainly to target mobile device users. Experts therefore advise users to stay vigilant about apps downloaded from untrusted or third-party sources.