First spotted in 2017, the GravityRAT trojan is operated by Pakistani threat actors and targets individuals in India. The current campaign disguises the malware as a messenger app called SoSafe Chat. After reviewing the source code, researchers discovered a site created and used by the threat actors to distribute the malware through malvertising campaigns or through links shared on social media. The website is still online, but the download link no longer works and registration is disabled. The research also shows that while GravityRAT requests 42 different permissions, it only needs to abuse 13 of them to be able to:
- Read SMS, call logs, and contacts data.
- Change or modify system settings.
- Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any phone accounts registered on the device.
- Read or write the files on the device’s external storage.
- Record audio.
- Get connected network information.
- Get the device’s location.
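The gap between permissions requested and permissions actually abused is something an analyst can reproduce on any suspicious APK: decode the package (for example with apktool or androguard), pull every `<uses-permission>` entry out of `AndroidManifest.xml`, and compare the list against the permissions that grant the capabilities above. The script below is an added example written for this write-up; it is not the researchers' code and was not run against the SoSafe Chat sample. The manifest it parses is constructed, and the mapping from each capability to the standard Android permission names that grant it is an assumption based on the Android permission model, not on the sample's own manifest.

```python
"""Triage the permissions an Android app requests against a capability watchlist.

Added example for this write-up, not code from the researchers or from the
GravityRAT / SoSafe Chat sample. Input is a decoded AndroidManifest.xml such
as apktool or androguard produce. The manifest below is constructed, and the
capability-to-permission mapping is an assumption based on the standard
Android permission model rather than on the real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"

# Capabilities from the write-up mapped to the standard permissions that
# grant them (assumed mapping; the sample's exact permission set is not given).
CAPABILITY_PERMISSIONS = {
    "read SMS, call logs and contacts": {
        "android.permission.READ_SMS",
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_CONTACTS",
    },
    "modify system settings": {"android.permission.WRITE_SETTINGS"},
    "read phone state, number and accounts": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_PHONE_NUMBERS",
        "android.permission.GET_ACCOUNTS",
    },
    "read/write external storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "record audio": {"android.permission.RECORD_AUDIO"},
    "read network information": {
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.ACCESS_WIFI_STATE",
    },
    "get device location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Constructed manifest standing in for a decoded APK; NOT the real sample.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.VIBRATE"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <application android:label="Chat"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> list[str]:
    """Return every permission declared via <uses-permission> or
    <uses-permission-sdk-23>, in manifest order."""
    root = ET.fromstring(manifest_xml.encode("utf-8"))
    perms = []
    for tag in ("uses-permission", "uses-permission-sdk-23"):
        for elem in root.iter(tag):
            name = elem.get(NAME_ATTR)
            if name:
                perms.append(name)
    return perms


def triage(manifest_xml: str) -> dict:
    """Split requested permissions into those on the capability watchlist
    (grouped by the capability they enable) and everything else."""
    requested = set(requested_permissions(manifest_xml))
    watchlisted = set().union(*CAPABILITY_PERMISSIONS.values())
    capabilities = {}
    for capability, perms in CAPABILITY_PERMISSIONS.items():
        hit = sorted(requested & perms)
        if hit:
            capabilities[capability] = hit
    return {
        "requested_count": len(requested),
        "watchlisted": sorted(requested & watchlisted),
        "capabilities": capabilities,
        "unrelated": sorted(requested - watchlisted),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_MANIFEST)
    print(f"{report['requested_count']} permissions requested, "
          f"{len(report['watchlisted'])} on the watchlist")
    for capability, perms in report["capabilities"].items():
        print(f"  {capability}: {', '.join(perms)}")
    print("  unrelated:", ", ".join(report["unrelated"]))
```

On a real decoded APK, point `requested_permissions` at the manifest file contents instead of `SAMPLE_MANIFEST`; the watchlist is deliberately small and should be extended with whatever capabilities matter for the case at hand (CAMERA, accessibility services, and so on). Note that a permission being declared only shows what the app may do; confirming that the code actually exercises it, as the researchers did for the 13 abused permissions, still requires reading the decompiled code.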