Gravity RAT


⚠️ Overview

GravityRAT is a remote access trojan (RAT) used for targeted espionage against Indian military, government and related personnel. Cisco Talos published the first detailed public analysis in April 2018, tracing samples back to 2016; those early builds were Windows binaries, and Indian CERT (CERT-In) had warned about the family in 2017. Android and macOS versions were documented by Kaspersky in 2020, and the Android line has been the focus of more recent reporting. Vendors attribute the family to a Pakistan-based actor; some reporting links it to Transparent Tribe (also tracked as APT36 and Mythic Leopard), but that attribution is not firmly established. It is classed as spyware and an information-stealing RAT, and it is delivered by social engineering rather than by exploitation: targets are lured, typically over messaging platforms or phishing, into sideloading trojanized apps that pose as chat clients, travel utilities or similar legitimate tools.

🔧 Technical Capabilities

The Android builds of GravityRAT collect contacts, call logs, SMS messages, device location and files selected by extension, can record audio from the microphone and take photos, and in newer variants exfiltrate WhatsApp backups. Collected data is sent to a command-and-control (C2) server over HTTP(S); operators have used attacker-registered and dynamic DNS domains, which makes static blocking of a single host ineffective. Persistence relies on Android Device Admin privileges, which make the app hard to uninstall, and on restarting the background service after a reboot. The spyware logic is bundled inside an app that actually provides the advertised function (for example a working chat client), so the decoy behaves as expected while the RAT runs. Reporting on the family notes anti-analysis checks, such as detecting virtual machines and emulators, that gate the spyware routines. Remote commands include deleting files, contacts and call logs on the device in addition to the collection tasks.

📜 History & Notable Incidents

Talos's 2018 report traced GravityRAT back to 2016, when Windows builds were used against Indian organisations, and noted the authors' attention to evading sandboxes and virtual machines. In 2020 Kaspersky documented multi-platform variants, including trojanized Android apps (one was a modified copy of the open-source Travel Mate app) and macOS builds. In June 2023 ESET reported Android GravityRAT distributed as the messaging apps BingeChat and Chatico, which work as real chat clients while stealing WhatsApp backups, and which added commands to delete files, contacts and call logs on demand. No CVEs are associated with GravityRAT: it relies on social engineering and on permissions the victim grants, not on software vulnerabilities. No public law-enforcement takedown of its infrastructure has been announced.

🔍 Detection Indicators

File hashes and C2 domains are published in the vendor reports (Talos, Kaspersky, ESET) and should be taken from those sources rather than from aggregators; indicators that cannot be traced to a named report should not be loaded into blocklists. Behavioural indicators hold up better across variants: a sideloaded app that requests Device Admin activation, repeatedly re-prompting if refused; a Device Admin entry for that app in /data/system/device_policies.xml (Android has no registry; this file records active admin receivers and their granted policies); a persistent background service with wake locks that survives reboot; and periodic outbound HTTP(S) requests from the device to a dynamic DNS hostname, often with a User-Agent string imitating a stock Android browser. On Windows hosts, the older .NET builds are the relevant artefact and are covered in the Talos analysis.

☠️ Risk & Impact

GravityRAT primarily facilitates espionage against Indian defence and government sectors, exfiltrating sensitive communications, documents and contact data. It does not encrypt files or demand ransom; the harm is the theft of information that supports adversary intelligence collection and follow-on targeting of the victim's contacts. Affected sectors include national security, diplomatic services and organisations that work with them.

🛡️ Mitigation

Mitigation includes blocking sideloaded apps from untrusted sources on managed devices, keeping Google Play Protect enabled, and monitoring for abnormal Device Admin grants. Organisations should deploy a mobile device management (MDM) or mobile threat defence solution that flags behavioural indicators such as new Device Admin activations, persistent background recording, and network connections to dynamic DNS or known malicious domains. Users should be told that a chat or utility app distributed outside an app store and asking for Device Admin is a red flag. Refer to the Cisco Talos (2018), Kaspersky (2020) and ESET (2023) reports on GravityRAT for current IOCs and detection rules.
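The behavioural indicators listed under Detection Indicators (unexpected Device Admin grants, repeated HTTP beacons to dynamic-DNS hosts) and the monitoring recommended above can be scripted against artefacts pulled from a device or a proxy. The following Python is an added example written for this page, not code from GravityRAT, from Boteraser or from any vendor report; the allowlist, the dynamic-DNS suffix list, the proxy log format and every sample line are constructed assumptions to be replaced with local data.

```python
"""Triage helpers for GravityRAT-style Android indicators.

Added example for this page, not vendor or malware-author code. Two checks a
responder can run over artefacts pulled from a device (via adb or a forensic
image) or from a web proxy:
  1. flag Device Admin receivers in device_policies.xml that are not on an
     organisation allowlist;
  2. count HTTP requests per (client, dynamic-DNS host) and report beacons.
The allowlist, the dynamic-DNS suffix list, the log format and all sample
lines are assumptions constructed for the example.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Set, Tuple
import xml.etree.ElementTree as ET

# --- Check 1: unexpected Device Admin grants ---------------------------------

# Constructed sample in the layout of /data/system/device_policies.xml:
# one <admin name="package/receiver"> element per active Device Admin.
SAMPLE_DEVICE_POLICIES = """<policies setup-complete="true">
  <admin name="com.android.managedprovisioning/.admin.DeviceAdminReceiver">
    <policies flags="7"/>
  </admin>
  <admin name="com.example.mdm/.AdminReceiver">
    <policies flags="15"/>
  </admin>
  <admin name="com.example.chatdecoy/.DeviceAdmin">
    <policies flags="1"/>
  </admin>
</policies>
"""

# Assumed organisation allowlist: AOSP provisioning plus a hypothetical MDM agent.
ADMIN_ALLOWLIST: Set[str] = {"com.android.managedprovisioning", "com.example.mdm"}


def unexpected_device_admins(xml_text: str,
                             allowlist: Set[str] = ADMIN_ALLOWLIST) -> List[str]:
    """Return package names holding Device Admin that are not on the allowlist."""
    root = ET.fromstring(xml_text)
    flagged: List[str] = []
    for admin in root.iter("admin"):
        # name is "<package>/<receiver class>"; only the package matters here
        package = admin.get("name", "").split("/", 1)[0]
        if package and package not in allowlist:
            flagged.append(package)
    return flagged


# --- Check 2: HTTP beacons to dynamic-DNS hosts ------------------------------

# Assumed dynamic-DNS suffixes to treat as suspicious on a managed fleet.
DYNDNS_SUFFIXES: Tuple[str, ...] = ("ddns.net", "hopto.org", "duckdns.org",
                                    "dyndns.org", "no-ip.org")

# Assumed proxy log format: <ts> <client> <method> <url> "<user-agent>"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) '
                    r'(?P<url>\S+) "(?P<ua>[^"]*)"$')

# Constructed sample: one client polls a dynamic-DNS host every few minutes
# with a browser-like User-Agent; another client touches one such host once.
SAMPLE_PROXY_LOG = [
    '2024-03-02T10:00:01Z 10.0.0.12 GET http://sync-travelmate.ddns.net/api/poll "Mozilla/5.0 (Linux; Android 11)"',
    '2024-03-02T10:00:03Z 10.0.0.12 GET https://www.google.com/ "Mozilla/5.0 (Linux; Android 11)"',
    '2024-03-02T10:05:02Z 10.0.0.12 POST http://sync-travelmate.ddns.net/api/upload "Mozilla/5.0 (Linux; Android 11)"',
    '2024-03-02T10:07:40Z 10.0.0.15 GET http://home-cam.duckdns.org:8080/status "okhttp/4.9.0"',
    '2024-03-02T10:10:01Z 10.0.0.12 GET http://sync-travelmate.ddns.net/api/poll "Mozilla/5.0 (Linux; Android 11)"',
]


def parse_proxy_line(line: str) -> Optional[Dict[str, str]]:
    """Split one log line into fields and derive the lower-cased host, or None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    host = re.sub(r"^https?://", "", rec["url"]).split("/", 1)[0]
    rec["host"] = host.split(":", 1)[0].lower()  # drop an explicit port
    return rec


def is_dynamic_dns(host: str) -> bool:
    """True if host is one of the assumed dynamic-DNS zones or a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in DYNDNS_SUFFIXES)


def dyndns_beacons(lines: Iterable[str],
                   min_hits: int = 3) -> Dict[Tuple[str, str], int]:
    """Count requests per (client, dynamic-DNS host); keep pairs with >= min_hits.

    Repeated polling of one dynamic-DNS host from one client is the beacon
    pattern worth escalating; a single hit is more often a personal gadget.
    """
    counts: Counter = Counter()
    for line in lines:
        rec = parse_proxy_line(line)
        if rec and is_dynamic_dns(rec["host"]):
            counts[(rec["src"], rec["host"])] += 1
    return {pair: n for pair, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    print("unexpected device admins:", unexpected_device_admins(SAMPLE_DEVICE_POLICIES))
    print("dynamic-DNS beacons:", dyndns_beacons(SAMPLE_PROXY_LOG))
```

On a forensic image or a rooted device, device_policies.xml is read from /data/system; on an unrooted device the same admin list is visible through `adb shell dumpsys device_policy`, whose text output would need its own parser. The beacon threshold and the suffix list are tuning knobs: raise `min_hits` for a noisy proxy, and extend `DYNDNS_SUFFIXES` with the C2 domains from the vendor reports cited above.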


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.