Android Remote Administration Tool (RAT) is a program that can control android devices from the server primarily used for malicious activities. For example, threat Actors (TAs) use these techniques to steal sensitive data from the user’s device. This blog focuses on one such malicious application that performs its malicious activity behind the application, which claims to be a secure chatting application.
Cyble Research Labs came across a Twitter post wherein researchers mentioned an Android RAT, Gravity. Additionally, we verified that the sample on Virus Total was uploaded from India. This Android Malware has the name SoSafe Chat and an icon similar to messaging apps that trick a user into thinking that this application is a genuine chatting app.
On further analysis, we observed a website with a similar interface and description hosted sosafe[.]co.in.
Gravity RAT has been attacking Windows systems. Additionally, in 2018, the same group came with an Android RAT malware to target the Indian Armed Forces.
We suspect that the application might be distributed via phishing or from a compromised website based on our research. Researchers also claim Pakistani Hacker Groups might be behind this malware.
Once this malware succeeds in execution on users’ devices, it can steal sensitive data like Contacts data, SMS data, and files from the device’s external storage.
Technical Analysis
APK Metadata Information
- App Name: SoSafe Chat
- Package Name: eu.siacs.conversations
- SHA256 Hash: c7d01eacfb80cea5fcfd643cddec8bdc4ed9fde8d1161e4958cc71f9e82c6469
Figure 1 shows the metadata information of the application.
Figure 2 shows the Malware has an icon similar to messaging applications.
Manifest Description
The malware requests forty-two different permissions, out of which few reappears. From these permissions, the attackers could abuse thirteen permissions, as follows:
- Read SMS, Call Logs, and Contacts data.
- Change or modify system settings.
- Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
- Read or write the files on the device’s external storage.
- Record audio.
- Gets connected network information.
- Get the device’s location.
We have listed the dangerous permissions below.
| Permissions | Description |
| READ_SMS | Access phone’s messages |
| READ_CONTACTS | Access phone’s contacts |
| WRITE_SETTINGS | Allows an application to modify system settings |
| READ_CALL_LOG | Access phone call logs |
| READ_PHONE_STATE | Allows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device |
| WRITE_EXTERNAL_STORAGE | Allows the app to write or delete files to the external storage of the device |
| READ_EXTERNAL_STORAGE | Allows the app to read the contents of the device’s external storage |
| RECORD_AUDIO | Allows the app to record audio with the microphone, which the attackers can misuse |
| GET_ACCOUNTS | Allows the app to get the list of accounts used by the phone |
| ACCESS_NETWORK_STATE | Allows the app to get information about network connections |
| ACCESS_WIFI_STATE | Allows the app to get information about Wi-Fi connectivity |
| ACCESS_COARSE_LOCATION | Allows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi |
| ACCESS_FINE_LOCATION | Allows the app to get the precise location of the device using the Global Positioning System (GPS) |
Figure 3 shows the launcher activity of the Malware.
Source Code Description
The code snippets shown in Figures 4, 5, and 6 show that the Malware steals the device’s Contacts data and upload it to the C2 server.
- The below figure shows that the malware reads the contacts data such as Mobile numbers and Names.
- The below figure shows that the malware passes the contacts data to the method postfiledata.
- The code in the figure below shows the contacts data being uploaded to the TAs Command and Control (C&C).
Figure 7 shows how the malware steals the device’s SMS data, such as the address from which communication is happening and message content and upload to the C&C server.
The code shown in Figure 8 demonstrates that the Malware also steals the device’s call logs.
Furthermore, Figure 9 demonstrates how the Malware steals the device’s location data.
Traffic Analysis
During traffic analysis of the malware, we identified that it communicates with the TAs C&C hxxps://api1.androidsdkstream[.]com/foxtrot/61c10953.php and uploads the sensitive data to the same C&C.
The below figure shows that the malware uploads the contacts data from the device to TAs C&C.
Figure 11 shows that the malware uploads the call logs data from the device to TAs C&C.
The figure below shows that the malware uploads the files from the device’s external storage to TAs C&C.
Other Observation
While performing source code analysis, we found an extension sosafe[.]co[.]in as a hint in the registration text field (EditText), as shown in the below figure.
Furthermore, we found a website with the same domain as sosafe[.]co[.]in, as shown in the figure below.
On this website, there is a download option for the application. Currently, the registration option is not allowed on the website, and the Download link is disabled.
Presently the source of the application is not confirmed. However, Cyble Research Lab is working to find the origin and the Threat Actor behind the Malware.
Conclusion
Gravity RAT is a malware that targets users to steal sensitive information such as Contacts data, SMS, call logs, files, and records audio of the device without the user’s knowledge. It is known for targeting the Indian Armed Forces.
Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them.
Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks.
Our Recommendations
We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:
- Download and install software only from official app stores like Google Play Store.
- Ensure that Google Play Protect is enabled on Android devices.
- Users should be careful while enabling any permissions on their devices.
- If you find any suspicious applications on your device, uninstall, or delete them immediately. 
- Use the shared IOCs to monitor and block the malware infection. 
- Keep your anti-virus software updated to detect and remove malicious software. 
- Keep your Android device, OS, and applications updated to the latest versions. 
- Use strong passwords and enable two-factor authentication. 
MITRE ATT&CK® Techniques
| Tactic | Technique ID | Technique Name |
| Initial Access | T1476 | -Deliver Malicious App via Other Means |
| Execution | T1575 | -Native Code |
| Persistence | T1402 | -Broadcast Receivers |
| Collection | T1412 T1432 T1433 T1429 T1533 | -Capture SMS Messages -Access Contacts List -Access Call Log -Capture Audio -Data from Local System |
| Impact | T1400 | -Modify System Partition |
Indicators of Compromise (IOCs)
| Indicators | Indicator type | Description |
| c7d01eacfb80cea5fcfd643cddec8bdc4ed9fde8d1161e4958cc71f9e82c6469 | SHA256 | Malicious APK |
| hxxps://api1.androidsdkstream[.]com/foxtrot/61c10953.php | URL | TAs C&C |
About Us
Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit www.cyble.com.
