• Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
MUST READ

Apple addressed the seventh actively exploited zero-day

 | 

Hackers deploy DripDropper via Apache ActiveMQ flaw, patch systems to evade detection

 | 

A Scattered Spider member gets 10 years in prison

 | 

FBI: Russia-linked group Static Tundra exploit old Cisco flaw for espionage

 | 

US CERT/CC warns of flaws in Workhorse Software accounting software used by hundreds of municipalities in Wisconsin

 | 

DOJ takes action against 22-year-old running RapperBot Botnet

 | 

Google fixed Chrome flaw found by Big Sleep AI

 | 

Pharmaceutical firm Inotiv discloses ransomware attack. Qilin group claims responsibility for the hack

 | 

A hacker tied to Yemen Cyber Army gets 20 months in prison

 | 

Exploit weaponizes SAP NetWeaver bugs for full system compromise

 | 

Allianz Life security breach impacted 1.1 million customers

 | 

U.S. CISA adds Trend Micro Apex One flaw to its Known Exploited Vulnerabilities catalog

 | 

AI for Cybersecurity: Building Trust in Your Workflows

 | 

Taiwan Web Infrastructure targeted by APT UAT-7237 with custom toolset

 | 

New NFC-Driven Android Trojan PhantomCard targets Brazilian bank customers

 | 

Cisco fixed maximum-severity security flaw in Secure Firewall Management Center

 | 

'Blue Locker' Ransomware Targeting Oil & Gas Sector in Pakistan

 | 

Hackers exploit Microsoft flaw to breach Canada ’s House of Commons

 | 

Norway confirms dam intrusion by Pro-Russian hackers

 | 

Zoom patches critical Windows flaw allowing privilege escalation

 | 
  • Home
  • Cyber Crime
  • Cyber warfare
  • APT
  • Data Breach
  • Deep Web
  • Digital ID
  • Hacking
  • Hacktivism
  • Intelligence
  • Internet of Things
  • Laws and regulations
  • Malware
  • Mobile
  • Reports
  • Security
  • Social Networks
  • Terrorism
  • ICS-SCADA
  • POLICIES
  • Contact me
  • Home
  • Breaking News
  • Malware
  • GravityRAT malware also targets Android and macOS

GravityRAT malware also targets Android and macOS

Pierluigi Paganini October 19, 2020

Researchers spotted new variants of the Windows GravityRAT spyware that now can also infect Android and macOS devices.

Researchers from Kaspersky Lab have spotted new variants of the GravityRAT malware that now can be also used to infect Android and macOS devices.

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines.

The GravityRAT malware Access Trojan (RAT) is believed to be the work of Pakistani hacker groups, it is under development at least since 2015.

“Today, Cisco Talos is uncovering a new piece of malware, which has remained under the radar for the past two years [since 2015] while it continues to be developed.” reads an analysis published by Cisco Talos that spotted the malware back in 2017 when it was used by an APT group targeting India.

The sample analyzed by Kaspersky last year is able to infect macOS and Android devices, unlike past variants that were focused on Windows.

Crooks also started using digital signatures to make the apps look more legitimate.

The malware researchers found the new Android GravityRAT sample in 2019, on VirusTotal. The hackers had added a spy module to Travel Mate, an Android app for travelers to India, the source code of which is available on Github.

gravityRAT

The tainted app is able to steal contacts, emails, and documents from the infected device, then send them back to the command-and-control server (nortonupdates[.]online). The C&C server was also associated with other two malicious apps (Enigma and Titanium) targeting the Windows and macOS platforms.

The spyware is able to get information about the system and support multiple features, including:

  • search for files on the computer and removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • record audio (not implemented in this version)
  • scan ports

The malware was distributed via applications that clone legitimate apps that act as downloader for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and Electron framework, they achieve persistence by adding a scheduled task.

The researchers reported that the malware was employed in approximately 100 successful attacks between 2015 and 2018. The list of targets includes employees at defense, police, and other departments and organizations.

Threat actors tricked the victims into installing a malicious app disguised as a secure messenger in order to continue the conversation, the attackers contacted the victims through a fake Facebook account. The attackers likely sent to the victims download links.

“It is safe to assume that the current GravityRAT campaign uses similar infection methods — targeted individuals are sent links pointing to malicious apps.” concludes Kaspersky.

“The main modification seen in the new GravityRAT campaign is multiplatformity: besides Windows, there are now versions for Android and macOS. The cybercriminals also started using digital signatures to make the apps look more legitimate.”

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GravityRAT)

[adrotate banner=”5″]

[adrotate banner=”13″]


facebook linkedin twitter

Android GravityRAT Hacking hacking news information security news IT Information Security macOS malware Pierluigi Paganini Security Affairs Security News Windows

you might also like

Pierluigi Paganini August 21, 2025
Apple addressed the seventh actively exploited zero-day
Read more
Pierluigi Paganini August 21, 2025
Hackers deploy DripDropper via Apache ActiveMQ flaw, patch systems to evade detection
Read more

leave a comment

newsletter

Subscribe to my email list and stay
up-to-date!

    recent articles

    Apple addressed the seventh actively exploited zero-day

    Security / August 21, 2025

    Hackers deploy DripDropper via Apache ActiveMQ flaw, patch systems to evade detection

    Malware / August 21, 2025

    A Scattered Spider member gets 10 years in prison

    Cyber Crime / August 21, 2025

    FBI: Russia-linked group Static Tundra exploit old Cisco flaw for espionage

    Intelligence / August 21, 2025

    US CERT/CC warns of flaws in Workhorse Software accounting software used by hundreds of municipalities in Wisconsin

    Security / August 21, 2025

    To contact me write an email to:

    Pierluigi Paganini :
    pierluigi.paganini@securityaffairs.co

    LEARN MORE

    QUICK LINKS

    • Home
    • Cyber Crime
    • Cyber warfare
    • APT
    • Data Breach
    • Deep Web
    • Digital ID
    • Hacking
    • Hacktivism
    • Intelligence
    • Internet of Things
    • Laws and regulations
    • Malware
    • Mobile
    • Reports
    • Security
    • Social Networks
    • Terrorism
    • ICS-SCADA
    • POLICIES
    • Contact me

    Copyright@securityaffairs 2024

    We use cookies on our website to give you the most relevant experience by remembering your preferences and repeat visits. By clicking “Accept All”, you consent to the use of ALL the cookies. However, you may visit "Cookie Settings" to provide a controlled consent.
    Cookie SettingsAccept All
    Manage consent

    Privacy Overview

    This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities...
    Necessary
    Always Enabled
    Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
    Non-necessary
    Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
    SAVE & ACCEPT