The GravityRAT remote access trojan is being spread in the wild once more, this time disguised as SoSafe Chat, an end-to-end encrypted chat program. The RAT is mainly aimed at Indian users and is delivered by Pakistani actors.
According to telemetry data from the most recent campaign, the targeting scope hasn’t changed, and GravityRAT is still targeting high-profile persons in India, such as officials in the Armed Forces. The malware initially targeted individuals through an Android app called ‘Travel Mate Pro,’ but because the pandemic halted travel, the perpetrators have changed their guise.
The application is now known as ‘SoSafe Chat,’ advertised as a secure chat app with end-to-end encryption. The website that most likely helped spread the software (sosafe.co[.]in) is still up, but the download link and registration form no longer work. The distribution channel and method are unknown, although it was most likely through malvertising, social media posts, and instant messages sent to targets to draw attention to the site.
Once installed on a target’s device, the spyware can carry out various harmful activities, including data exfiltration, spying on the victim, and tracking their location. The full list of malicious capabilities includes the following:
- Read contacts, call logs and SMS
- Modify or change system settings
- Read current cellular network information, the victim’s phone number and serial number, the status of any pending calls, and a list of any Phone Accounts registered on the device.
- Read or write the files on the device’s external storage
- Get the device’s location
- Record audio
- Get connected network information
According to Cyble researchers, the malware requests a long list of permissions to support these features, although the list may look plausible for an instant messaging app. Compared with the 2020 version, GravityRAT has gained the ability to record audio, along with mobile-specific functionality such as location fetching and cellular network data exfiltration.
Prior to the 2020 version, GravityRAT could only infect Windows workstations, not mobile devices. Its reappearance, this time targeting mobile devices, implies that its creators are still actively developing it.
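As an added triage example (not code from the article, Cyble, or the malware), the script below reads the requested permissions out of an AndroidManifest.xml and maps them onto the seven capability categories listed above, flagging a "chat" app whose permission set covers most of them. The sample manifest, the permission-to-capability mapping and the flagging threshold are my own assumptions, not details from the report.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Android permissions that would back each capability reported for the sample.
# This mapping is an assumption drawn from the reported behaviour, not from the report.
CAPABILITY_PERMISSIONS = {
    "contacts, call logs, SMS": {"READ_CONTACTS", "READ_CALL_LOG", "READ_SMS"},
    "modify system settings": {"WRITE_SETTINGS"},
    "phone state and accounts": {"READ_PHONE_STATE", "READ_PHONE_NUMBERS"},
    "external storage": {"READ_EXTERNAL_STORAGE", "WRITE_EXTERNAL_STORAGE"},
    "location": {"ACCESS_FINE_LOCATION", "ACCESS_COARSE_LOCATION"},
    "record audio": {"RECORD_AUDIO"},
    "network information": {"ACCESS_NETWORK_STATE", "ACCESS_WIFI_STATE"},
}

# Constructed manifest resembling what a trojanised "chat" app might request.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Short permission names (prefix stripped) declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    names = (el.get(ANDROID_NS + "name") for el in root.iter("uses-permission"))
    return {n.split(".")[-1] for n in names if n}


def matched_capabilities(perms: set) -> set:
    """Capability categories from the article's list that these permissions enable."""
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def looks_like_spyware(manifest_xml: str, threshold: int = 5) -> bool:
    """Flag a manifest covering at least `threshold` of the seven categories (assumed cutoff)."""
    return len(matched_capabilities(requested_permissions(manifest_xml))) >= threshold
```

Run against an extracted manifest (for example from apktool output) to get a quick first-pass view of whether an app's permission footprint matches the spyware profile described above.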