Security researchers have spotted a new campaign that is delivering the GravityRAT remote access trojan (RAT) under the guise of an end-to-end encrypted chat application named SoSafe Chat.
First discovered in 2017 by researchers at Cisco Talos, the malware is believed to be the work of Pakistani hackers and primarily targets Indian users. This recent campaign, uncovered by Cyble researchers, appears to be aimed at high-profile individuals in India, such as officers of the Armed Forces.
An analysis of the app’s source code revealed the website sosafe[.]co.in, which was likely used to distribute SoSafe Chat. Although the website is still online, the download link and the registration form no longer work.
The researchers believe that the malware is being distributed via phishing or a compromised website.
Once the RAT is executed, it can carry out a range of malicious activity: reading SMS messages, call logs, and contacts data; changing or modifying system settings; reading current cellular network information, the phone number and serial number of the victim’s phone, the status of any ongoing calls, and the list of Phone Accounts registered on the device; reading or writing files on the device’s external storage; recording audio; and collecting connected network information and the device’s location.
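Every capability in that list maps onto a standard Android runtime permission, so a first triage step for a suspicious APK is to compare the permissions its manifest requests against what a chat app plausibly needs. The script below is an added example, not code from the Cyble or Cisco Talos reports and not derived from the SoSafe Chat sample; the two manifests it parses are constructed for illustration, and the grouping of permissions into capabilities and the set of capabilities deemed expected for a chat app are this example's own assumptions.

```python
"""Triage an AndroidManifest.xml's requested permissions against the data-access
capabilities described for GravityRAT (SMS, call logs, contacts, telephony state,
external storage, audio recording, network info, location, system settings).

Added example. Both manifests below are constructed, not taken from any real app.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"

# Standard Android permission names grouped by the capability they unlock.
# The grouping itself is an assumption made for this example.
CAPABILITIES = {
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "contacts": {"android.permission.READ_CONTACTS"},
    "telephony_state": {"android.permission.READ_PHONE_STATE",
                        "android.permission.READ_PHONE_NUMBERS"},
    "external_storage": {"android.permission.READ_EXTERNAL_STORAGE",
                         "android.permission.WRITE_EXTERNAL_STORAGE"},
    "audio_recording": {"android.permission.RECORD_AUDIO"},
    "network_info": {"android.permission.ACCESS_NETWORK_STATE",
                     "android.permission.ACCESS_WIFI_STATE"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "system_settings": {"android.permission.WRITE_SETTINGS"},
}

# Capabilities a messaging app has a plausible reason to request (assumption).
# Anything outside this set is surfaced for analyst review.
EXPECTED_FOR_CHAT = {"contacts", "external_storage", "audio_recording", "network_info"}


def requested_permissions(manifest_xml):
    """Return the set of android:name values from <uses-permission> elements."""
    root = ET.fromstring(manifest_xml.strip())
    return {
        el.get(ANDROID_NS + "name")
        for el in root.iter("uses-permission")
        if el.get(ANDROID_NS + "name")
    }


def capabilities_from_permissions(perms):
    """Map a permission set onto the capability labels it enables."""
    return {cap for cap, names in CAPABILITIES.items() if perms & names}


def triage(manifest_xml, expected=EXPECTED_FOR_CHAT):
    """Summarise which capabilities an app requests beyond what its stated purpose needs."""
    perms = requested_permissions(manifest_xml)
    caps = capabilities_from_permissions(perms)
    unexpected = sorted(caps - expected)
    return {
        "permissions": sorted(perms),
        "capabilities": sorted(caps),
        "unexpected": unexpected,
        "needs_review": bool(unexpected),
    }


# Constructed manifest: a "chat app" requesting every capability in the article's list.
SUSPICIOUS_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.chat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.WRITE_SETTINGS"/>
</manifest>
"""

# Constructed manifest: a chat app asking only for what messaging needs.
BENIGN_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.constructed.benignchat">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.ACCESS_NETWORK_STATE"/>
</manifest>
"""

if __name__ == "__main__":
    for label, manifest in (("suspicious", SUSPICIOUS_MANIFEST), ("benign", BENIGN_MANIFEST)):
        result = triage(manifest)
        print(label, "->", "review" if result["needs_review"] else "ok",
              "unexpected:", result["unexpected"])
```

The check is deliberately coarse: a permission set alone does not prove malicious intent, since a legitimate app may have reasons for location or telephony access. Its value is in narrowing a large batch of APKs down to the few whose requested capabilities are far outside their advertised purpose, which is exactly the mismatch the SoSafe Chat lure relies on.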
“Gravity RAT is a malware that targets users to steal sensitive information such as Contacts data, SMS, call logs, files, and records audio of the device without the user’s knowledge. It is known for targeting the Indian Armed Forces. Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them,” the researchers said.
“Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks.”