GravityRAT malware returns to haunt Android, Windows, Mac users

by chebbi abir

Remote Access Trojan (RAT) infamous for attacking the Indian military is now attacking multiple platforms

Kaspersky has identified a previously unknown piece of Android spyware, which seems to have returned to users on the Android platform.

It resurfaced when a malicious module was inserted into a travel application in India. On closer investigation it related to GravityRAT, a spying Remote Access Trojan (RAT) known for carrying out activities in India.

Further investigation confirmed that the group behind the malware invested effort into making a multiplatform tool. In addition to targeting Windows operating systems, it can now be used on Android and Mac OS. The campaign is still active.


The origin of GravityRAT goes back to 2018, when developments of the malware were published by cybersecurity researchers.

The tool targeted the Indian military services and according to Kaspersky’s data, the campaign has been active since at least 2015.

The identified module was yet further evidence of this change, and for more reasons than one it did not look like a typical piece of Android spyware.


Analysis of the command and control (C&C) addresses used, revealed several additional malicious modules, also related to the actor behind GravityRAT.

Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users’ devices from encrypting Trojans, or media players. Used together, these modules enabled the group to tap into Windows OS, Mac OS, and Android.

The modules can retrieve device data, contact lists, email addresses, call logs, and SMS messages. Some of the Trojans were also searching for files with .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus extensions in a device’s memory to also send them to the C&C.

Tatyana Shishkova, security expert at Kaspersky said: “Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities. Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead in an attempt to be as successful as possible.”

To read the original article:


Interdit de copier  ce contenu