Back in 2017, the Indian Computer Emergency Response Team (CERT-IN) discovered the existence of GravityRAT spyware. The spyware, believed to be operated by Pakistani hacker groups, seems to have made a comeback with support for multiple platforms.
GravityRAT is known to be in existence since 2015. While GravityRAT previously targeted just Windows PCs, the latest detection by the researchers at Kaspersky has found that the remote access trojan now affects Android and macOS as well.
The Android version of GravityRAT spyware was spotted on an altered version of an open-source travel app named Travel Mate. The attackers altered the app by adding malicious code and released it under the name ‘Travel Mate Pro’. Similarly, the attackers created an adult comics Android app to spread the malware. On macOS, the malicious actors operate the malware through apps named Enigma and Titanium.
Below are the capabilities of GravityRAT, as detailed by Kaspersky researchers:
- get information about the system
- search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
- get a list of running processes
- intercept keystrokes
- take screenshots
- execute arbitrary shell commands
- record audio (not implemented in this version)
- scan ports
“Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible,” said Tatyana Shishkova, security expert at Kaspersky.