A new strain of the GravityRAT malware, previously thought only to affect Windows machines, has crossed over to infect Android and macOS devices. The remote access trojan has been traced to Pakistani hacker groups and has been used to target Indian military services.
The remote access trojan has been active since at least 2015, but only within the last couple of years has it begun targeting Android devices. It is now clear that GravityRAT, of which more than ten different versions are in circulation, also targets macOS.
“Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities,” said Tatyana Shishkova, a security expert at Kaspersky. “Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the [Asia-Pacific] region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible.”
A RAT trap
A Kaspersky analysis of an Android travel app for the Indian market found that it contained a malicious module based on the GravityRAT malware. The module was capable of stealing user data, including email addresses, SMS messages, call logs, contact lists and documents.
Threat actors are also now code-signing these malicious applications so that they appear legitimate. A valid signature only shows that the app was signed with some key; it says nothing about whether the signer is the publisher the app imitates. In some cases, the apps are designed to look like clones of authentic software.
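The two preceding paragraphs describe the shape of the Android sample: a consumer travel app carrying a module that reads SMS, call logs, contacts and files, shipped with a signature meant to look legitimate. The script below is an added triage example (not Kaspersky's or the GravityRAT author's code) that checks an app for exactly that pattern: it parses a decoded AndroidManifest.xml for data-access permissions and SMS listeners a travel app has no reason to request, and compares the signing certificate's SHA-256 fingerprint against the fingerprint pinned for the expected publisher instead of merely checking that a signature exists. It assumes the binary manifest has already been decoded to text (e.g. with apktool) and that the signer certificate is available as DER bytes; the sample manifest, package name `com.example.travelbuddy`, and the certificate bytes and pinned fingerprint are all constructed for the example.

```python
"""Triage an Android app's decoded manifest and signing certificate for a
data-theft module hidden in an innocuous-looking consumer app.

Added example, not code from Kaspersky or from GravityRAT. Assumes the binary
AndroidManifest.xml has been decoded to text (e.g. with apktool) and the
signer certificate is available as DER bytes. The manifest, package name,
certificate bytes and pinned fingerprint below are constructed, not real.
"""
import hashlib
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions that hand an app the data categories the trojanized travel app
# was reported to collect (SMS, call logs, contacts, account e-mail, documents).
EXFIL_PERMISSIONS = {
    "android.permission.READ_SMS": "SMS messages",
    "android.permission.RECEIVE_SMS": "SMS messages",
    "android.permission.READ_CALL_LOG": "call logs",
    "android.permission.READ_CONTACTS": "contact list",
    "android.permission.GET_ACCOUNTS": "account e-mail addresses",
    "android.permission.READ_EXTERNAL_STORAGE": "files and documents",
}

# Constructed manifest: plausible for a travel app apart from the extra
# permissions and the receiver that hooks incoming SMS.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.travelbuddy">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <application android:label="Travel Buddy">
    <receiver android:name=".SmsReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""


def exfil_permissions(manifest_xml: str) -> dict[str, str]:
    """Return {permission: data category} for each requested permission that
    grants access to the kinds of data the malicious module collects."""
    root = ET.fromstring(manifest_xml)
    found = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in EXFIL_PERMISSIONS:
            found[name] = EXFIL_PERMISSIONS[name]
    return found


def sms_listeners(manifest_xml: str) -> list[str]:
    """Return receivers registered for SMS_RECEIVED; a travel app needs none."""
    root = ET.fromstring(manifest_xml)
    hits = []
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            if action.get(ANDROID_NS + "name") == "android.provider.Telephony.SMS_RECEIVED":
                hits.append(receiver.get(ANDROID_NS + "name", "?"))
    return hits


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the signing certificate (what apksigner prints)."""
    return hashlib.sha256(cert_der).hexdigest()


def signer_is_expected(cert_der: bytes, pinned_sha256: str) -> bool:
    """A valid signature only proves possession of *a* key. The meaningful
    check is whether the signer matches the fingerprint pinned for the
    publisher this package claims to be; colons (keytool style) are accepted."""
    return cert_fingerprint(cert_der) == pinned_sha256.lower().replace(":", "")


def triage(manifest_xml: str, cert_der: bytes, pinned_sha256: str) -> dict:
    """Combine the manifest and signer checks into one verdict."""
    perms = exfil_permissions(manifest_xml)
    listeners = sms_listeners(manifest_xml)
    signer_ok = signer_is_expected(cert_der, pinned_sha256)
    verdict = "suspicious" if (perms or listeners or not signer_ok) else "clean"
    return {
        "exfil_permissions": perms,
        "sms_listeners": listeners,
        "signer_matches_pin": signer_ok,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed stand-ins: not real DER certificates, just bytes that play
    # the role of what the APK's signing block would yield.
    attacker_cert = b"CONSTRUCTED-SIGNER-CERT-not-the-publisher"
    publisher_pin = cert_fingerprint(b"CONSTRUCTED-PUBLISHER-CERT")
    print(triage(SAMPLE_MANIFEST, attacker_cert, publisher_pin))
```

In practice the manifest text comes from `apktool d` and the certificate from `apksigner verify --print-certs`; the point of the pin comparison is that the signed-but-unknown-signer case, which is what the cloned apps rely on, is flagged rather than passed.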
Between 2015 and 2018, approximately 100 successful infections were attributed to GravityRAT, with numerous public sector workers tricked into downloading the trojan under the pretence that they were installing a secure messenger platform.