The resurgence of espionage GravityRAT: Android and macOS

November 1, 2020
gravityrat malware Android macOS mobile devices spyware

Android phones and Mac gadgets are some of the devices that are commonly used by individuals worldwide.

Roughly, there are 5 billion mobile users globally, and 3 billion are using smartphones. Research says that a person spends three hours and fifteen minutes on their mobile phones daily. The consumption still depends on the generation and character of the mobile user.

On the other hand, macOS was assumed to be most likely safe from malware than Windows since only a few malware was designed to infect Mac computers. Also, Windows malware will not work and infect a Mac Operating system.


How confident are you that your device is safe from malware and cyber-attacks?

An espionage Trojan malware called GravityRAT has returned, and this time, it is targeting Android smartphones and MacOS.

GravityRAT is a remote access tool (RAT) that is allegedly created by the Pakistani hacker group known as “The Invincible” and “The Martian.” It was first discovered by a group of Information Security experts in India in 2017, which targets Windows computers. However, this malware is assumed to be active since 2015.

Unlike other malware that aims to infect any devices and organization, GravityRAT is spyware specifically developed to steal data for targeted attacks against the organization and people in India. The infection vector of the said malware on windows computers came from malicious MS Office word documents and enable macros. With continuous development and evolution of the GravityRAT malware, it can detect virtual machines by checking CPU temperature to avoid sandboxing, executing remote command and control activity, and file exfiltration.


Security experts have identified that a new variant of GravityRat spyware can now infect Android and macOS devices.


The sample was found on Virus Total in 2019 when hackers inserted a Spy module to an android application named Travel Mate – an application for travelers to India wherein the source code is publicly available on Github.

The attackers have added malicious code to the published application on Github and renamed the application to Travel Mate Pro. Once installed, the infected application can steal your contact list, call and messages logs, and email addresses, then it will send the stolen data to the command and control server. It can also exfiltrate several types of files in the device memory and attached media with extensions .jpg, .jpeg, .log, .png, .txt, .pdf, .xml, .doc, .xls, .xlsx, .ppt, .pptx, .docx, and .opus.

Researchers have confirmed that the threat actors behind GravityRAT aim to target multiplatform – Windows OS, macOS, and Android. The reported distribution methods are malicious applications, infected email attachments, malicious online activities, social engineering, and software cracks. They also used digital signatures to look like legitimate software.

To prevent device infection from the spyware, users must be cautious of the threat they could get from unofficial pages, third party downloaders, free file-hosting sites, and suspicious emails received from an unknown sender.

Furthermore, software applications and files must only be downloaded from official and trustworthy websites.

About the author

Leave a Reply