GravityRAT, as its name suggests, is malicious software that allows its operators to obtain remote control of the infected device: what is known as a Remote Access Tool (RAT). This type of malware has been quite popular on desktop systems, but not so much on mobile devices.
On computers, this type of malware is even being used as banking malware, adding to the remote control of the computer functionality that allows attackers to obtain the user's credentials. Today, one very popular example of this kind of malware, currently affecting Spanish and Latin American entities, is Grandoreiro.
An Android application has recently been detected that claims to be an app for reading comic books, but is actually a new version of the remote access GravityRAT trojan.
This trojan is not exclusive to mobile devices: there are also versions for Windows and macOS, which allow the attackers to remotely execute code, obtain the content of files from an infected computer, record audio or take screenshots. The relationship between the versions for the different operating systems and devices was established thanks to their use of the same control servers.
Functionality in the Android Version
As stated above, the desktop versions allow the attacker to execute console commands (and therefore to run remote code at will), to explore the victim's file system and access its content, log keystrokes, take screenshots and record audio.
In the new sample detected for Android, the functionality is similar, although it doesn't include remote code execution, which limits its capability to control the device. As soon as the malicious application is opened, it requests permission to access the device's file system, the contact list, access to the sent and received SMS messages and access to the call list. With these permissions, the trojan can deploy its full functionality, thus being able to obtain as much user information as possible.
Request for permissions when starting the app
If the user does not accept any of the permissions requested by the app, it closes immediately, telling the user that all permissions must be accepted in order to use it. This is how it tries to get the user to grant it enough permissions to fully execute the malicious functionality.
Code to request permissions and continue with the execution
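The permission set described above (file system, contacts, SMS and call log, all demanded at once by an app presented as a comic reader) is a useful static triage signal. The following is an added example, not code from the original article or from the malware: it parses a constructed AndroidManifest.xml and flags this combination. The permission names are the standard Android ones; the manifest content is constructed for illustration.

```python
# Added example (not from the original article): flag an Android manifest that
# requests the same permission combination the GravityRAT sample demands on
# first run (storage, contacts, SMS, call log). The manifest is constructed.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
NAME_ATTR = f"{{{ANDROID_NS}}}name"  # Clark notation for android:name

# Permission groups matching the data the article says the sample collects.
SPY_GROUPS = {
    "storage": {"android.permission.READ_EXTERNAL_STORAGE",
                "android.permission.WRITE_EXTERNAL_STORAGE",
                "android.permission.MANAGE_EXTERNAL_STORAGE"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_log": {"android.permission.READ_CALL_LOG"},
}

# Constructed manifest for a supposed "comic reader" app.
CONSTRUCTED_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.comicreader">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <application android:label="Comics">
    <service android:name=".MainService"/>
  </application>
</manifest>"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    return {el.get(NAME_ATTR) for el in root.iter("uses-permission")}


def spy_groups_hit(manifest_xml: str) -> set:
    """Return which of the sensitive data groups the manifest can reach."""
    perms = requested_permissions(manifest_xml)
    return {group for group, names in SPY_GROUPS.items() if perms & names}


def triage(manifest_xml: str) -> dict:
    """A reading app has no plausible need for SMS or call-log access;
    requesting all four groups together matches the profile described."""
    hits = spy_groups_hit(manifest_xml)
    return {"groups": sorted(hits), "suspicious": hits == set(SPY_GROUPS)}


if __name__ == "__main__":
    print(triage(CONSTRUCTED_MANIFEST))
```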
The application then prompts the user to log in to continue. From that moment on, communication with the control server will begin in order to send the data stored on the infected device.
After logging in, the application checks if the main service that implements the malicious functionality is running, and if not, it initiates it.
Malicious service start after login
From that moment on, communication with the control server begins, which, as can be seen in the following image, involves sending the device's complete calendar, the call log, and the text messages sent and received, in addition to its basic information.
Communication with the C2 at the start of the service
Some of the basic information sent to the C2
To increase the trojan's lifetime, its authors include two different domains for reaching the control server, and make an initial request to one of them to obtain the final address to use when connecting to the C&C.
Code that obtains the final C&C by connecting to one of the two domains included in the app
Finally, the execution of the walkdir function is also scheduled. This function walks every subdirectory and collects all stored files whose extension is one of those the malware is interested in.
Code that schedules the execution of the file upload every 60 minutes
As can be seen in the following images, the attackers seem to be mainly interested in PDF files, Microsoft Word documents and images, which are probably the types of files in which there is a greater probability of finding interesting information.
Code that goes through each subdirectory in search of files with specific extensions
As the subdirectories are combed through, the interesting files are stored in a vector, which is ultimately stored in a file. This file will be read later on to send the content of each of the files to the control server.
GravityRAT is malicious software that allows its operators to control the device remotely, spy on the user and obtain information stored on the infected device. This malware stands out for its compatibility with different operating systems and devices, since versions can be found for Windows, macOS and Android.
Although the desktop versions allow operators to send commands to be executed, giving them control of the device through remote code execution, no such functionality has been found in the Android versions, which limits the ability of these versions to steal sensitive user information, as we have seen during our analysis of one of the most recent samples.
Although the functionality implemented in the version for mobile devices doesn't allow for the direct theft of banking credentials, it doesn't mean that this trojan can't be used for this purpose. In fact, attackers could combine the desktop trojan with the Android trojan to steal banking credentials when the user accesses their account on their computer, and use the mobile version to obtain text messages containing one-time passwords, required to log in or authorize transactions.