Security Experts:

Connect with us

Hi, what are you looking for?



Android, macOS Versions of GravityRAT Spyware Spotted in Ongoing Campaign

Kaspersky security researchers have identified versions of the GravityRAT spyware that are targeting Android and macOS devices.

Kaspersky security researchers have identified versions of the GravityRAT spyware that are targeting Android and macOS devices.

Initially detailed in 2018, the RAT was previously employed in attacks targeting the Indian military, as part of a campaign that is believed to have been active since 2015. Targeting Windows systems, the tool has mainly been used for spying purposes.

In a report published on Monday, Kaspersky reveals that the malware’s authors have invested a lot into making their tool cross-platform, and that, as part of an ongoing campaign, both Android and macOS are now being targeted, in addition to Windows.

The investigation into the new samples has revealed over 10 variants of GravityRAT, which have been distributed masquerading as legitimate apps, including secure file sharing software and media players.

Spyware capabilities packed within GravityRAT allow the malware to retrieve device information, contact lists, call logs, email addresses, and SMS messages, and even to find and exfiltrate files based on extensions: .docx, .doc, .ppt, .pptx, .txt, .pdf, .xml, .jpg, .jpeg, .log, .png, .xls, .xlsx, and .opus.

The malware, which is believed to have been developed by a Pakistani group, is also capable of retrieving a list of running processes on the system, log keystrokes, take screenshots, execute shell commands, record audio, and scan for open ports.

“Our investigation indicated that the actor behind GravityRAT is continuing to invest in its spying capacities. Cunning disguise and an expanded OS portfolio not only allow us to say that we can expect more incidents with this malware in the APAC region, but this also supports the wider trend that malicious users are not necessarily focused on developing new malware, but developing proven ones instead, in an attempt to be as successful as possible,” Tatyana Shishkova, security expert at Kaspersky, said.

Analysis of some of the apps the Trojan has been distributed as revealed similar functionality between samples and also allowed the security researchers to identify command and control (C&C) servers used by the attackers, such as nortonupdates[.]online, windowsupdates[.]eu, mozillaupdates[.]com, mozillaupdates[.]us, msoftserver[.]eu, microsoftupdate[.]in, and others.

The domains distributing the malware, Kaspersky reveals, are hidden behind Cloudflare, thus making it difficult for security researchers to discover their IPs.

Kaspersky’s researchers also discovered that GravityRAT’s operators have developed .NET, Python, and Electron variants of the threat, which allows them to easily target both Windows and macOS devices. The Android variant features similar functionality.

Previously reported GravityRAT attacks employed fake Facebook accounts for distribution, with the intended victims contacted through the social platform and asked to install a malware masquerading as a secure messenger application. Approximately 100 victims were identified, including employees in defense, police, and other departments and organizations.

“It is safe to assume that the current GravityRAT campaign uses similar infection methods — targeted individuals are sent links pointing to malicious apps. The main modification seen in the new GravityRAT campaign is multiplatformity: besides Windows, there are now versions for Android and macOS. The cybercriminals also started using digital signatures to make the apps look more legitimate,” Kaspersky concludes.

Related: North Korean Hackers Release Mac Variant of Dacls RAT

Related: Iran-Linked RAT Used in Recent Attacks on European Energy Sector

Related: New ‘PyXie’ RAT Used Against Multiple Industries

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...