A chat application named ‘SoSafe Chat’, marketed as end-to-end encrypted, has been distributing the Android spyware GravityRAT, a remote access trojan. The app has been fooling unsuspecting victims by carrying the spyware all along. The trojan targets Indian users, and its operators are believed to be Pakistani threat actors.
Data on the latest attacks shows that the targeting scope has not changed: GravityRAT still goes after influential figures in India such as politicians, business people and military personnel.
Last year the spyware was delivered through an Android app called ‘Travel Mate Pro’. With Covid-19 bringing travel to a standstill worldwide, the threat actors needed a new lure, and the app they are now pushing is ‘SoSafe Chat’, promoted as a secure chat application with end-to-end encryption.
The distribution method remains unknown, but the operators may spread the spyware through malvertising, phishing emails, instant messages and social media posts.
Once the fake chat app is installed on a target's device, the spyware can carry out a range of malicious actions that let its operators steal information, spy on the target and track their current location. Its capabilities include reading SMS messages and call logs, stealing contact data, modifying system settings, reading and writing files on the device's external storage, recording audio and exfiltrating network information.
Its most notable and dangerous features, however, are the ability to read cellular network information, the infected device's phone number and serial number, the status of ongoing calls, and the list of accounts registered on the compromised device. According to a researcher, the list of permissions the malware requests for these abilities is undoubtedly extensive, yet the operators obtain them easily because the app is disguised as a legitimate chat application.
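As a practical check against the permission pattern described in the two paragraphs above, here is an added example (not code from the article, nor from the researchers it cites): a small Python triage script that parses a decoded AndroidManifest.xml, maps the requested permissions to the capabilities listed above, and flags the ones a messaging app has no obvious business requesting. The mapping from each capability to Android permission names, the baseline of permissions a chat app can plausibly justify, the flag threshold and the sample manifest are all this example's own assumptions.

```python
import xml.etree.ElementTree as ET

# Android manifest attributes live in this XML namespace.
ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Capabilities described in the article, mapped to the Android permissions
# that would normally be needed to implement them. This mapping is an
# assumption of this example; the article names no permission constants.
CAPABILITY_PERMISSIONS = {
    "read SMS": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "read call logs / call status": {"android.permission.READ_CALL_LOG",
                                     "android.permission.READ_PHONE_STATE"},
    "steal contacts": {"android.permission.READ_CONTACTS"},
    "modify system settings": {"android.permission.WRITE_SETTINGS"},
    "read/write external storage": {"android.permission.READ_EXTERNAL_STORAGE",
                                    "android.permission.WRITE_EXTERNAL_STORAGE"},
    "record audio": {"android.permission.RECORD_AUDIO"},
    "network / cellular information": {"android.permission.ACCESS_NETWORK_STATE",
                                       "android.permission.READ_PHONE_STATE"},
    "phone number / device serial": {"android.permission.READ_PHONE_STATE",
                                     "android.permission.READ_PHONE_NUMBERS"},
    "list of accounts on the device": {"android.permission.GET_ACCOUNTS"},
    "track location": {"android.permission.ACCESS_FINE_LOCATION",
                       "android.permission.ACCESS_COARSE_LOCATION"},
}

# Permissions a messaging app can plausibly justify (assumed baseline).
# Any permission from the capability map that is NOT in here is treated as
# suspicious for an app claiming to be a chat client.
CHAT_APP_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.ACCESS_NETWORK_STATE",
    "android.permission.READ_CONTACTS",
    "android.permission.RECORD_AUDIO",            # voice messages
    "android.permission.CAMERA",
    "android.permission.READ_EXTERNAL_STORAGE",
    "android.permission.WRITE_EXTERNAL_STORAGE",  # media attachments
}

# Assumed threshold: three or more unjustified spyware-grade permissions
# is enough to pull the APK for manual analysis.
FLAG_THRESHOLD = 3


def requested_permissions(manifest_xml):
    """Return the set of <uses-permission android:name=...> values."""
    root = ET.fromstring(manifest_xml)
    return {el.get(ANDROID_NS + "name")
            for el in root.iter("uses-permission")
            if el.get(ANDROID_NS + "name")}


def triage(manifest_xml):
    """Map permissions to capabilities and list those outside the chat baseline."""
    perms = requested_permissions(manifest_xml)
    spyware_perms = set().union(*CAPABILITY_PERMISSIONS.values())
    capabilities = sorted(cap for cap, needed in CAPABILITY_PERMISSIONS.items()
                          if perms & needed)
    suspicious = sorted(p for p in perms
                        if p in spyware_perms and p not in CHAT_APP_BASELINE)
    return {
        "permissions": sorted(perms),
        "capabilities": capabilities,
        "suspicious": suspicious,
        "flagged": len(suspicious) >= FLAG_THRESHOLD,
    }


# Constructed sample manifest modelled on the capability list above; it is
# NOT the real SoSafe Chat manifest.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.chat.app">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.GET_ACCOUNTS"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
</manifest>
"""

# Constructed manifest of a plausibly benign chat client, for contrast.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.benign.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.CAMERA"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("spyware-like", SAMPLE_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "flagged:", result["flagged"])
        for p in result["suspicious"]:
            print("  suspicious:", p)
```

A real APK stores AndroidManifest.xml in a binary XML encoding, so decode it first (for instance with apktool or androguard) and feed the resulting text to `triage`. The baseline deliberately keeps contacts, audio, camera and storage, because a genuine chat client legitimately uses them; the signal is the combination of SMS, call log, phone state, account enumeration, settings modification and location that the article attributes to the trojan.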
GravityRAT has evolved significantly in a short time. It has added audio recording and location fetching to its arsenal, enabling more detailed data exfiltration, and its operators have expanded from attacking Windows machines only to infecting mobile devices as well. The reappearance of GravityRAT indicates that its operators are actively developing it, making it a potential problem in the future.