'GravityRAT' Windows spyware modified to infect macOS, Android

Credit: Malcolm Owen, AppleInsider

A strain of malware called GravityRAT, known for spying on Windows machines, has been adapted to infect both Android and macOS devices, according to a new report.

Although most remote access trojans (RAT) target Windows devices, ones that affect Macs have surfaced from time to time. In the case of GravityRAT, it appears that the group responsible for the malware have introduced support for both the macOS and Android operating systems.

Security researchers at Kaspersky have discovered an updated strain of GravityRAT while analyzing an Android spyware app. During the analysis, the researchers identified a server used by two other malicious apps targeting Windows and macOS.

"Overall, more than 10 versions of GravityRAT were found, being distributed under the guise of legitimate applications, such as secure file sharing applications that would help protect users' devices from encrypting Trojans, or media players," the researchers wrote.

GravityRAT is spyware known for checking the CPU temperature of computers in an effort to detect running virtual machines. Malicious code dropped by the RAT can be used to perform a range of cyber espionage, however.

According to Kaspersky, the trojan can allow attackers to send commands that get information about a system; search for files on a machine; intercept keystrokes; take screenshots; execute arbitrary shell commands; and get a list of running processes.

The researchers found apps written in Python, Electron, and .NET that will download GravityRAT payloads from a command and control server. From there, the malware adds scheduled tasks to gain persistence. Oftentimes, the malicious apps are clones of legitimate ones.

It's unclear who exactly developed and maintains the GravityRAT malware, though it's largely thought to be tied to Pakistani hacker groups who have used it to target Indian military and police organizations.

Who's at risk and how to protect yourself

Although researchers discovered about 100 successful attacks using GravityRAT between 2015 and 2018, it appears that most of these have been highly targeted.

For example, defense and police employees in India were tricked into installing a "secure messenger" via Facebook, The Times of India reported.

Kaspersky notes that the exact infected vector is unknown, but targets are likely being directly sent download links to the infected trojans.

What that means in practice is that the average macOS user is likely safe from the RAT. Unless one is a target, security best practices such as avoiding shady links and only downloading apps from trusted app stores is likely enough to mitigate the threat.