
Windows GravityRAT malware now also targets Android, macOS


GravityRAT, a malware strain known for checking the CPU temperature of Windows computers to detect virtual machines or sandboxes, is now multi-platform spyware, as it can also be used to infect Android and macOS devices.

The GravityRAT Remote Access Trojan (RAT) has been under active development by what looks like Pakistani hacker groups since at least 2015 and has been deployed in targeted attacks against Indian military organizations.

New versions infect Android and macOS devices

While the malware authors previously focused their efforts on targeting Windows machines, a sample discovered by Kaspersky researchers last year shows that they are now adding macOS and Android support.


They are now also signing their code using digital signatures to make their booby-trapped apps look legitimate.


The updated RAT sample was detected while analyzing an Android spyware app (Travel Mate Pro) that steals contacts, emails, and documents, which are sent to the nortonupdates[.]online command-and-control server also used by two other malicious apps (Enigma and Titanium) targeting the Windows and macOS platforms.


The spyware dropped by these malicious apps on infected devices runs multiplatform code and allows attackers to send commands to:

  • get information about the system
  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • record audio (not implemented in this version)
  • scan ports


"Analysis of the command and control (C&C) addresses module used revealed several additional malicious modules, also related to the actor behind GravityRAT," researchers at Kaspersky found.


"Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users’ devices from encrypting Trojans, or media players.


"Used together, these modules enabled the group to tap into Windows OS, MacOS, and Android."

Delivered via links to booby-trapped apps

Kaspersky has also found applications developed in .NET, Python, and Electron, often as clones of legitimate apps, that will download GravityRAT payloads from the C&C server and add a scheduled task on the infected device to gain persistence.


Roughly 100 successful attacks using this RAT were detected between 2015 and 2018, with defense and police employees getting infected after being tricked via Facebook into installing a "secure messenger", according to reports.


While the infection vector in the case of these updated samples remains unknown, Kaspersky says that targets are probably being sent download links to the malicious apps, as happened in the past.


"Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities," Kaspersky security expert Tatyana Shishkova said.


"Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible."



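The one network indicator the post gives is the nortonupdates[.]online C&C domain. As an added example (not code from the article or from Kaspersky), here is a small Python check that refangs that indicator and flags DNS or proxy log lines contacting it or any of its subdomains, while ignoring lookalike domains that merely contain the string; the log lines are constructed.

```python
"""Flag log lines that contact the GravityRAT C&C domain quoted in the post.
Added example; the sample log lines below are constructed, not real captures."""
import re

# Indicator exactly as published in the post (defanged).
C2_DEFANGED = "nortonupdates[.]online"

# Hostname-like tokens (ends in a letters-only label, so bare IPs are skipped).
HOST_RE = re.compile(r"\b[a-z0-9.-]+\.[a-z]{2,}\b", re.IGNORECASE)


def refang(indicator: str) -> str:
    """Turn a defanged indicator ('a[.]b', 'hxxp://') back into its plain form."""
    return indicator.replace("[.]", ".").replace("hxxp", "http").lower()


def domain_matches(fqdn: str, bad_domain: str) -> bool:
    """True if fqdn is bad_domain or a subdomain of it.
    Case-insensitive; a trailing dot (as in DNS logs) is tolerated.
    'nortonupdates.online.evil.com' must NOT match: suffix check only."""
    f = fqdn.lower().rstrip(".")
    b = bad_domain.lower().rstrip(".")
    return f == b or f.endswith("." + b)


def extract_hosts(line: str) -> list:
    """Pull every hostname-looking token out of a log line."""
    return HOST_RE.findall(line)


def find_c2_hits(lines, defanged=C2_DEFANGED):
    """Return (line, host) pairs for every line that touches the C&C domain."""
    bad = refang(defanged)
    hits = []
    for line in lines:
        for host in extract_hosts(line):
            if domain_matches(host, bad):
                hits.append((line, host))
    return hits


# Constructed sample logs: two true hits, one legitimate lookalike, one
# attacker-style lookalike where the C&C name is only a prefix.
SAMPLE_LOGS = [
    "Oct 20 10:12:01 dns dnsmasq[1]: query[A] nortonupdates.online from 10.0.0.5",
    "Oct 20 10:12:02 dns dnsmasq[1]: query[A] api.NortonUpdates.Online. from 10.0.0.7",
    "Oct 20 10:12:03 proxy squid: 10.0.0.9 GET http://updates.norton.com/live HTTP/1.1",
    "Oct 20 10:12:04 dns dnsmasq[1]: query[A] nortonupdates.online.evil-lookalike.com from 10.0.0.11",
]

if __name__ == "__main__":
    for line, host in find_c2_hits(SAMPLE_LOGS):
        print(f"C2 contact: {host!r} in: {line}")
```

Feed real DNS or proxy logs in place of SAMPLE_LOGS; the suffix check is what keeps a registered lookalike such as nortonupdates.online.evil-lookalike.com from producing a false positive.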


Every new malware that's being found is by Kaspersky. That's the name I'm hearing all the time. They're doing a great job, and then some government labels them as unsafe. Lol, that explains everything.


if you don't have any enemies, you're doing something wrong :) 


That doesn't make sense, because everybody has enemies. These old methods of detecting malware for the app are OK, but not effective against attacks in the service itself; you need AI to detect phishing. :rofl:
