
GravityRat (Trojan) – Malware

June 14, 2024

GravityRAT

Type of Malware: Trojan
Country of Origin: Pakistan
Date of initial activity: 2015
Targeted Countries: India
Associated Groups: SpaceCobra
Motivation: Data Theft
Attack Vectors: Phishing
Targeted Systems: Android
Type of information stolen: Communication Data

Overview

The Android GravityRAT spyware, a known threat in the cyber landscape since 2015, has recently undergone a significant upgrade, presenting new risks to Android users. ESET researchers have identified an evolved version of this malicious software, now specifically designed to target WhatsApp backup files. Distributed through seemingly legitimate apps like BingeChat and Chatico, this updated variant of GravityRAT showcases a more sophisticated approach to data theft and manipulation. The malware, initially documented in targeted attacks against India, has expanded its capabilities to include remote command execution, marking a notable escalation in its threat level. GravityRAT has historically been associated with high-profile cyber espionage campaigns, leveraging its remote access capabilities to exfiltrate sensitive information. The recent update introduces new features that not only allow the spyware to steal encrypted WhatsApp backup files but also to receive commands for deleting files from the compromised device. This advancement underscores a shift towards more targeted and destructive cyber operations, with the potential to impact users’ private communications and data significantly.

Targets

Individuals.

How they operate

Android GravityRAT has been distributed primarily through malicious versions of legitimate applications. A notable example is the BingeChat app, which masquerades as a free messaging service but carries the GravityRAT payload. Users are lured to download this app from a website that initially requires registration, indicating a targeted approach rather than broad-based attacks. The malicious app is a trojanized version of the open-source OMEMO Instant Messenger, leveraging the trust associated with legitimate software. This distribution method allows GravityRAT to bypass traditional app store vetting processes and reach specific high-value targets.

Once installed, GravityRAT requests a range of permissions to blend seamlessly with the device’s normal operations. The app requests permissions typical for messaging applications, including access to contacts, call logs, and storage, which disguises its malicious intent. After installation, GravityRAT activates by registering with its command and control (C&C) server, initiating a constant exchange of data and commands. This communication is secured via HTTPS, adding a layer of obfuscation to the malware’s operations.

GravityRAT’s core functionalities include extensive data collection and exfiltration. The malware extracts sensitive information such as call logs, SMS messages, contact lists, and files with specific extensions, including encrypted WhatsApp backups. It also tracks the device’s location, providing a comprehensive picture of the victim’s activities and communications. Notably, this version of GravityRAT has introduced new capabilities, such as receiving commands from the C&C server to delete files or specific data types, including call logs and contacts. This command-and-control functionality allows the malware to perform real-time operations and adjust its behavior based on the attacker’s needs.

GravityRAT’s impact is multifaceted. By exfiltrating a broad range of personal and sensitive data, it poses a severe privacy risk to affected users. The malware’s ability to delete files and data remotely further enhances its utility for attackers seeking to cover their tracks or disrupt victim activities.

From an evasion standpoint, GravityRAT employs several techniques to avoid detection. It utilizes standard app permissions to mask its malicious actions and deletes files from the device to remove traces of its presence. Additionally, the malware’s reliance on encrypted communication channels complicates efforts to intercept and analyze its traffic.

Android GravityRAT represents a significant threat due to its sophisticated operation and advanced features. By distributing itself through seemingly legitimate applications and employing robust data collection and exfiltration mechanisms, it effectively targets high-value individuals and organizations. The malware’s ability to issue remote commands and delete critical data further underscores its potency as a tool for espionage and disruption. As GravityRAT continues to evolve, ongoing vigilance and advanced detection methods will be essential to mitigate its impact and safeguard user privacy.
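The permission set and the boot-time receiver described in this profile are both visible in an app's decoded AndroidManifest.xml, so a first-pass static triage can flag a "messaging" app that combines boot persistence with broad access to call logs, SMS, contacts, location and external storage. The script below is an added example written for this page; it is not code from CyberMaterial, ESET or any GravityRAT sample. The two manifests embedded in it are constructed for illustration (the suspicious one mirrors the behaviours listed here, not GravityRAT's actual manifest), and the technique labels follow the MITRE mobile mapping given in this profile.

```python
"""Static triage of a decoded AndroidManifest.xml for the behaviour pattern
this profile attributes to GravityRAT: a BOOT_COMPLETED receiver, receivers
for other system broadcasts, and the permissions needed to read call logs,
SMS, contacts, location and external storage.

Added example for this page; the manifests below are constructed samples.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Permissions a chat app may legitimately request, mapped to the MITRE mobile
# technique whose data they unlock. The combination is the signal, not any
# single entry.
SENSITIVE_PERMISSIONS = {
    "android.permission.READ_CALL_LOG": "T1636.002 Protected User Data: Call Logs",
    "android.permission.READ_CONTACTS": "T1636.003 Protected User Data: Contact List",
    "android.permission.READ_SMS": "T1636.004 Protected User Data: SMS Messages",
    "android.permission.ACCESS_FINE_LOCATION": "T1430 Location Tracking",
    "android.permission.READ_EXTERNAL_STORAGE": "T1420 File and Directory Discovery",
    "android.permission.READ_PHONE_STATE": "T1422/T1426 Device and network identifiers",
}

# System broadcasts this profile lists as execution triggers.
TRIGGER_ACTIONS = {
    "android.intent.action.BOOT_COMPLETED": "T1398 Boot or Logon Initialization Scripts",
    "android.hardware.usb.action.USB_DEVICE_ATTACHED": "T1624.001 Broadcast Receivers (USB)",
    "android.net.conn.CONNECTIVITY_CHANGE": "T1624.001 Broadcast Receivers (connectivity)",
}


def triage_manifest(manifest_xml: str) -> dict:
    """Return matched permissions and broadcast triggers, plus a verdict:
    boot persistence combined with three or more data-access permissions."""
    root = ET.fromstring(manifest_xml)

    # <uses-permission android:name="..."/> entries at manifest level.
    perms = {}
    for node in root.iter("uses-permission"):
        name = node.get(ANDROID_NS + "name", "")
        if name in SENSITIVE_PERMISSIONS:
            perms[name] = SENSITIVE_PERMISSIONS[name]

    # <receiver> elements whose <intent-filter> subscribes to a system broadcast.
    triggers = {}
    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            name = action.get(ANDROID_NS + "name", "")
            if name in TRIGGER_ACTIONS:
                triggers[name] = TRIGGER_ACTIONS[name]

    boot_persistence = "android.intent.action.BOOT_COMPLETED" in triggers
    return {
        "permissions": perms,
        "triggers": triggers,
        "suspicious": boot_persistence and len(perms) >= 3,
    }


# Constructed sample: a "chat" app that restarts on boot and reads everything.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application android:label="Chat">
    <receiver android:name=".StartReceiver" android:exported="true">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>
"""

# Constructed sample: a messenger that only needs contacts and network access.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application android:label="PlainChat"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage_manifest(manifest)
        print(f"[{label}] suspicious={result['suspicious']}")
        for name, technique in {**result["permissions"], **result["triggers"]}.items():
            print(f"  {name} -> {technique}")
```

Run it against a manifest extracted with a decompiler such as apktool (the binary AXML in an APK must be decoded to text first). The verdict threshold is deliberately simple; in practice the finding is a prompt to pull the app for dynamic analysis of its network behaviour, since the HTTPS C&C channel described above leaves nothing for the manifest check to see.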

MITRE Tactics and Techniques

Persistence

  • T1398: Boot or Logon Initialization Scripts – GravityRAT registers a receiver for the BOOT_COMPLETED broadcast intent to activate upon device startup.
  • T1624.001: Event Triggered Execution: Broadcast Receivers – GravityRAT can trigger its functionality based on various system events, such as USB device attachment, connectivity changes, and more.

Defense Evasion

  • T1630.002: Indicator Removal on Host: File Deletion – GravityRAT deletes local files that contain sensitive information to evade detection and mitigate exposure.

Discovery

  • T1420: File and Directory Discovery – GravityRAT enumerates files on external storage to find and exfiltrate data.
  • T1422: System Network Configuration Discovery – It extracts network-related information such as IMEI, IMSI, IP address, phone number, and country.
  • T1426: System Information Discovery – GravityRAT collects detailed device information, including SIM serial number and device ID.

Collection

  • T1533: Data from Local System – GravityRAT gathers files from the device, including specific file types and WhatsApp backups.
  • T1430: Location Tracking – It tracks the device’s geographic location.
  • T1636.002: Protected User Data: Call Logs – GravityRAT exfiltrates call logs.
  • T1636.003: Protected User Data: Contact List – It extracts the contact list.
  • T1636.004: Protected User Data: SMS Messages – GravityRAT collects SMS messages from the device.

Command and Control

  • T1437.001: Application Layer Protocol: Web Protocols – GravityRAT uses HTTPS to communicate with its command and control (C&C) servers.

Exfiltration

  • T1646: Exfiltration Over C2 Channel – Data is exfiltrated using HTTPS channels to the C&C server.

Impact

  • T1641: Data Manipulation – GravityRAT can delete specific files and remove call logs and contact lists from the device as part of its impact operations.

References

  • ESET Research – Android GravityRAT goes after WhatsApp backups
  • MITRE ATT&CK – Gravity RAT
Tags: Android, cyber landscape, ESET, GravityRAT, India, Malware, Pakistan, spyware, Trojan, WhatsApp