First spotted in 2017, the GravityRAT trojan is operated by Pakistani threat actors and targets individuals in India. The current campaign is disguising itself as a messenger app called SoSafe Chat. After a review of the source code, researchers discovered a site created and used by the threat actors to distribute the malware through malvertising campaigns or through links shared via social media. The website is still online, but the download link is no longer working, and the registration option is not allowed. Research also reveals that while GravityRAT requests 42 different permissions, it only needs to abuse 13 to be able to:
- Read SMS, call logs, and contacts data.
- Change or modify system settings.
- Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any phone accounts registered on the device.
- Read or write the files on the device’s external storage.
- Record audio.
- Gets connected network information.
- Get the device’s location.
Analyst Notes
There are steps that users can take to reduce the risk of infection from malicious applications. The primary recommendation is to only download applications from trusted sources and to read reviews prior to downloading. Other recommendations include:
• Regularly update device software.
• Setup cloud accounts using email addresses that offer account recovery support.
• If using public WiFi, make sure to connect to a virtual private network (VPN).
• Avoid clicking on suspicious links or downloading attachments from unknown sources.
• Use an antivirus solution with real-time protection.
• Utilize a firewall solution.
• Backup data regularly.
https://securityaffairs.co/wordpress/124562/malware/gravityrat-returns.html?web_view=true
https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html
