| GravityRAT | |
| --- | --- |
| Type of Malware | Trojan |
| Country of Origin | Pakistan |
| Date of initial activity | 2015 |
| Targeted Countries | India |
| Associated Groups | SpaceCobra |
| Motivation | Data Theft |
| Attack Vectors | Phishing |
| Targeted Systems | Android |
| Type of information Stolen | Communication Data |
Overview
The Android GravityRAT spyware, a known threat in the cyber landscape since 2015, has recently undergone a significant upgrade, presenting new risks to Android users. ESET researchers have identified an evolved version of this malicious software, now specifically designed to target WhatsApp backup files. Distributed through seemingly legitimate apps like BingeChat and Chatico, this updated variant of GravityRAT showcases a more sophisticated approach to data theft and manipulation. The malware, initially documented in targeted attacks against India, has expanded its capabilities to include remote command execution, marking a notable escalation in its threat level.
GravityRAT has historically been associated with high-profile cyber espionage campaigns, leveraging its remote access capabilities to exfiltrate sensitive information. The recent update introduces new features that not only allow the spyware to steal encrypted WhatsApp backup files but also to receive commands for deleting files from the compromised device. This advancement underscores a shift towards more targeted and destructive cyber operations, with the potential to impact users’ private communications and data significantly.
Targets
Individuals.
How they operate
Android GravityRAT has been distributed primarily through malicious versions of legitimate applications. A notable example is the BingeChat app, which masquerades as a free messaging service but carries the GravityRAT payload. Users are lured to download this app from a website that initially requires registration, indicating a targeted approach rather than broad-based attacks. The malicious app is a trojanized version of the open-source OMEMO Instant Messenger, cleverly leveraging the trust associated with legitimate software. This distribution method allows GravityRAT to bypass traditional app store vetting processes and reach specific high-value targets.
Once installed, GravityRAT requests a range of permissions to blend seamlessly with the device’s normal operations. The app requests permissions typical for messaging applications, including access to contacts, call logs, and storage, which disguises its malicious intent. After installation, GravityRAT activates by registering with its command and control (C&C) server, initiating a constant exchange of data and commands. This communication is secured via HTTPS, adding a layer of obfuscation to the malware’s operations.
GravityRAT’s core functionalities include extensive data collection and exfiltration. The malware extracts sensitive information such as call logs, SMS messages, contact lists, and files with specific extensions, including encrypted WhatsApp backups. It also tracks the device’s location, providing a comprehensive picture of the victim’s activities and communications. Notably, this version of GravityRAT has introduced new capabilities, such as receiving commands from the C&C server to delete files or specific data types, including call logs and contacts. This command-and-control functionality allows the malware to perform real-time operations and adjust its behavior based on the attacker’s needs.
GravityRAT’s impact is multifaceted. By exfiltrating a broad range of personal and sensitive data, it poses a severe privacy risk to affected users. The malware’s ability to delete files and data remotely further enhances its utility for attackers seeking to cover their tracks or disrupt victim activities. From an evasion standpoint, GravityRAT employs several techniques to avoid detection. It utilizes standard app permissions to mask its malicious actions and deletes files from the device to remove traces of its presence. Additionally, the malware’s reliance on encrypted communication channels complicates efforts to intercept and analyze its traffic.
Android GravityRAT represents a significant threat due to its sophisticated operation and advanced features. By distributing itself through seemingly legitimate applications and employing robust data collection and exfiltration mechanisms, it effectively targets high-value individuals and organizations. The malware’s ability to issue remote commands and delete critical data further underscores its potency as a tool for espionage and disruption. As GravityRAT continues to evolve, ongoing vigilance and advanced detection methods will be essential to mitigate its impact and safeguard user privacy.
MITRE Tactics and Techniques
Persistence
T1398: Boot or Logon Initialization Scripts – GravityRAT registers a receiver for the BOOT_COMPLETED broadcast intent to activate upon device startup.
T1624.001: Event Triggered Execution: Broadcast Receivers – GravityRAT can trigger its functionality based on various system events, such as USB device attachment, connectivity changes, and more.
Defense Evasion
T1630.002: Indicator Removal on Host: File Deletion – GravityRAT deletes local files that contain sensitive information to evade detection and mitigate exposure.
Discovery
T1420: File and Directory Discovery – GravityRAT enumerates files on external storage to find and exfiltrate data.
T1422: System Network Configuration Discovery – It extracts network-related information such as IMEI, IMSI, IP address, phone number, and country.
T1426: System Information Discovery – GravityRAT collects detailed device information, including SIM serial number and device ID.
Collection
T1533: Data from Local System – GravityRAT gathers files from the device, including specific file types and WhatsApp backups.
T1430: Location Tracking – It tracks the device’s geographic location.
T1636.002: Protected User Data: Call Logs – GravityRAT exfiltrates call logs.
T1636.003: Protected User Data: Contact List – It extracts the contact list.
T1636.004: Protected User Data: SMS Messages – GravityRAT collects SMS messages from the device.
Command and Control
T1437.001: Application Layer Protocol: Web Protocols – GravityRAT uses HTTPS to communicate with its command and control (C&C) servers.
Exfiltration
T1646: Exfiltration Over C2 Channel – Data is exfiltrated using HTTPS channels to the C&C server.
Impact
T1641: Data Manipulation – GravityRAT can delete specific files and remove call logs and contact lists from the device as part of its impact operations.
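As an added defender-side example (not code from this write-up, from ESET, or from the malware itself), the following Python script triages a decoded AndroidManifest.xml (as produced by apktool) for the profile described under "How they operate" and maps each finding onto the technique IDs listed above: a BOOT_COMPLETED or connectivity/USB broadcast receiver combined with broad access to call logs, SMS, contacts, location and storage. The two sample manifests, the package names, the permission-to-technique mapping and the "suspicious" threshold are this example's own assumptions, chosen to illustrate the report's observations rather than taken from the real samples.

```python
"""Triage a decoded AndroidManifest.xml for a GravityRAT-like profile.

Constructed defender-side example; the mapping below follows the technique
IDs given in the write-up, the thresholds are this example's assumption.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME = f"{{{ANDROID_NS}}}name"  # ElementTree key for android:name

# Permissions that enable the collection techniques named in the report.
PERMISSION_TECHNIQUES = {
    "android.permission.READ_CALL_LOG": ("T1636.002", "Protected User Data: Call Logs"),
    "android.permission.READ_CONTACTS": ("T1636.003", "Protected User Data: Contact List"),
    "android.permission.READ_SMS": ("T1636.004", "Protected User Data: SMS Messages"),
    "android.permission.ACCESS_FINE_LOCATION": ("T1430", "Location Tracking"),
    "android.permission.READ_EXTERNAL_STORAGE": ("T1420", "File and Directory Discovery"),
    "android.permission.READ_PHONE_STATE": ("T1422", "System Network Configuration Discovery"),
}

# Broadcast actions that give an app an execution trigger with no user action.
RECEIVER_TECHNIQUES = {
    "android.intent.action.BOOT_COMPLETED": ("T1398", "Boot or Logon Initialization Scripts"),
    "android.hardware.usb.action.USB_DEVICE_ATTACHED": ("T1624.001", "Event Triggered Execution: Broadcast Receivers"),
    "android.net.conn.CONNECTIVITY_CHANGE": ("T1624.001", "Event Triggered Execution: Broadcast Receivers"),
}

# Constructed sample: a "messaging" app that also wants boot/connectivity
# triggers plus call logs, location and storage (hypothetical package name).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.chatapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECEIVE_BOOT_COMPLETED"/>
  <application>
    <receiver android:name=".BootReceiver">
      <intent-filter>
        <action android:name="android.intent.action.BOOT_COMPLETED"/>
        <action android:name="android.net.conn.CONNECTIVITY_CHANGE"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample: a plain chat client with no trigger and little data access.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.plainchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <application/>
</manifest>"""


def triage_manifest(manifest_xml: str) -> dict:
    """Return the findings, the mapped technique IDs and a coarse verdict."""
    root = ET.fromstring(manifest_xml)
    findings = []

    declared = {p.get(NAME) for p in root.iter("uses-permission")}
    for perm in sorted(p for p in declared if p):
        if perm in PERMISSION_TECHNIQUES:
            tid, tname = PERMISSION_TECHNIQUES[perm]
            findings.append({"evidence": perm, "technique": tid, "name": tname})

    for receiver in root.iter("receiver"):
        for action in receiver.iter("action"):
            act = action.get(NAME)
            if act in RECEIVER_TECHNIQUES:
                tid, tname = RECEIVER_TECHNIQUES[act]
                evidence = f"receiver {receiver.get(NAME)} <- {act}"
                findings.append({"evidence": evidence, "technique": tid, "name": tname})

    techniques = sorted({f["technique"] for f in findings})
    # Heuristic (assumption): a messaging app plausibly needs contacts or SMS,
    # but an unattended trigger together with three or more collection
    # capabilities is the combination the report describes.
    has_trigger = any(f["technique"] in ("T1398", "T1624.001") for f in findings)
    collection = {f["technique"] for f in findings
                  if f["technique"].startswith(("T1636", "T1430", "T1420"))}
    verdict = "suspicious" if has_trigger and len(collection) >= 3 else "review"
    return {"package": root.get("package"), "findings": findings,
            "techniques": techniques, "verdict": verdict}


if __name__ == "__main__":
    for sample in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        result = triage_manifest(sample)
        print(result["package"], result["verdict"], result["techniques"])
        for f in result["findings"]:
            print(f"  {f['technique']:<10} {f['name']:<45} {f['evidence']}")
```

The script is a triage aid, not a detector: many legitimate apps declare a subset of these permissions, so the value is in the combination (trigger plus several collection capabilities) and in the technique IDs, which let an analyst file the finding against the same ATT&CK rows the report uses.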