GravityRAT Shows How Fake Apps Can Secretly Spy on Your Device
A long-running spyware campaign known as GravityRAT has resurfaced with expanded capabilities, targeting Windows, Android, and macOS devices. Active since at least 2015, this malware has mainly focused on Indian military and government organizations. However, the tactics it uses highlight broader risks that can also affect everyday consumers and personal devices.
GravityRAT is classified as a remote access trojan, meaning it allows attackers to secretly control infected devices. Unlike common cybercrime malware that spreads widely, GravityRAT is built for espionage and long-term surveillance. Once installed, it quietly collects sensitive information without alerting the victim.
How GravityRAT Infects Devices
GravityRAT spreads through carefully planned social engineering rather than opportunistic mass campaigns. On Windows and macOS computers, it typically arrives via convincing spear-phishing emails.
These messages carry Office documents that ask the recipient to enable macros; once enabled, the macro code installs the malware in the background while the document itself looks ordinary.
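The macro lure works because the document looks ordinary until the user clicks through the prompt. One practical pre-check a mail gateway or a cautious user can run is to ask whether an attachment contains a VBA project at all, and whether its extension claims to be macro-free. The script below is an added example written for this article, not code from ANY.RUN or from the GravityRAT campaign. It inspects Office Open XML packages (which are zip files) for the `vbaProject.bin` part, applies a crude substring heuristic for legacy OLE2 files, and flags the mismatch case; the sample documents it builds are constructed in memory for demonstration and are not real Word files.

```python
import io
import zipfile
from typing import List

# Package parts where Office Open XML stores a VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Extensions whose format is supposed to be macro-free.
MACRO_FREE_EXTENSIONS = (".docx", ".xlsx", ".pptx")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
# OLE2 directory entries store stream names as UTF-16LE, so search for that form.
OLE2_VBA_MARKER = "_VBA_PROJECT".encode("utf-16-le")


def list_vba_parts(data: bytes) -> List[str]:
    """Return the VBA project parts found inside an OOXML (zip) document, if any."""
    if not data.startswith(b"PK"):
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return []
    return [part for part in VBA_PARTS if part in names]


def has_vba_macros(data: bytes) -> bool:
    """True for an OOXML document with a VBA project, or a legacy OLE2 file that
    contains the VBA storage name (a crude heuristic, good enough for triage)."""
    if list_vba_parts(data):
        return True
    return data.startswith(OLE2_MAGIC) and OLE2_VBA_MARKER in data


def assess(filename: str, data: bytes) -> str:
    """Classify an attachment as 'clean', 'macro', or 'suspicious' (macros inside
    a file whose extension says it should be macro-free, a common lure trick)."""
    ext = filename[filename.rfind("."):].lower() if "." in filename else ""
    if not has_vba_macros(data):
        return "clean"
    if ext in MACRO_FREE_EXTENSIONS:
        return "suspicious"
    return "macro"


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal package for demonstration; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", OLE2_MAGIC + b"\x00" * 24)
    return buf.getvalue()


if __name__ == "__main__":
    samples = (("report.docm", build_sample(True)),
               ("invoice.docx", build_sample(True)),
               ("notes.docx", build_sample(False)))
    for name, blob in samples:
        print(name, "->", assess(name, blob))
```

The check is deliberately conservative: it does not parse the VBA source, so a "macro" verdict only means the document can prompt for macros, which is exactly the condition this article warns about. For real triage, pair it with a full VBA extractor; the point here is that the presence of the project is cheap to detect before anyone is asked to click Enable Content.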
On Android phones, GravityRAT disguises itself as legitimate-looking chat or file-sharing apps. Fake messaging tools such as BingeChat or SoSafe Chat are promoted through social media posts or third-party websites. Once installed, the app appears harmless while performing malicious activity behind the scenes.
This patient and targeted approach makes GravityRAT especially dangerous. Attackers may spend weeks building trust with a victim online before delivering the malware, increasing the likelihood that the user will open files or install apps without suspicion.

Fig 1. GravityRAT mimicking an Android messenger app. (Source: AnyRun)
What Information GravityRAT Steals
Once active on a real device, GravityRAT establishes persistence so it can survive reboots. It then begins systematically collecting data. On computers, this includes documents and stored files. On Android devices, its behavior is more aggressive and invasive.
The malware can collect SMS messages, call logs, contact information, photos, and files such as PDFs or text documents. Particularly concerning is its ability to steal WhatsApp backups, which may contain private conversations and media users believe are securely stored.
After gathering this data, GravityRAT encrypts and sends it to attacker-controlled servers using secure HTTPS connections. In some cases, it removes traces of its activity, making it difficult for victims to realize their data has been compromised.
Why GravityRAT Is Hard to Detect
GravityRAT is designed to stay hidden for as long as possible. Before doing anything malicious, it checks whether it is running inside a sandbox or virtual machine, the isolated environments security researchers use to study malware. If it concludes it is being analyzed, it simply exits, so its real behavior is never observed or recorded.
Researchers at ANY.RUN report that GravityRAT runs several such checks, including hardware-based ones that virtual machines rarely reproduce convincingly. Passing those checks on a physical device lets it carry on with its operations undetected.
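To make the "hardware-based checks" concrete, here is an added example, written for this article and not taken from GravityRAT or from ANY.RUN's analysis, of the kind of decision logic evasive malware uses and that a sandbox must therefore defeat. It gathers a few facts a Linux host exposes (the CPUID hypervisor flag, the DMI vendor string, whether any thermal sensor is present, and uptime), then counts how many look like an analysis VM. The file paths, vendor list and the two-hit threshold are this example's assumptions; the thermal-sensor check is the generic form of the idea that physical machines report sensor readings most hypervisors do not bother to emulate. The two probe dictionaries are constructed for demonstration, not captured from real systems.

```python
import os
from typing import Dict, List

# Vendor strings hypervisors commonly leave in the DMI/SMBIOS tables (example list).
VM_VENDOR_MARKERS = ("vmware", "virtualbox", "innotek", "qemu", "kvm", "xen", "bochs", "parallels")


def collect_probe_linux() -> Dict[str, object]:
    """Read raw hardware facts from a Linux host. The paths are this example's
    assumption; every read is optional so the function also runs in a container."""
    probe = {"cpu_flags": set(), "dmi_vendor": "", "has_thermal_zone": False, "uptime_s": 0.0}
    try:
        with open("/proc/cpuinfo") as f:
            for line in f:
                if line.startswith("flags"):
                    probe["cpu_flags"] = set(line.split(":", 1)[1].split())
                    break
    except OSError:
        pass
    try:
        with open("/sys/class/dmi/id/sys_vendor") as f:
            probe["dmi_vendor"] = f.read().strip()
    except OSError:
        pass
    try:
        probe["has_thermal_zone"] = any(
            name.startswith("thermal_zone") for name in os.listdir("/sys/class/thermal"))
    except OSError:
        pass
    try:
        with open("/proc/uptime") as f:
            probe["uptime_s"] = float(f.read().split()[0])
    except OSError:
        pass
    return probe


def sandbox_indicators(probe: Dict[str, object]) -> List[str]:
    """Return the human-readable checks that fired for this probe."""
    hits = []
    if "hypervisor" in probe.get("cpu_flags", set()):
        hits.append("CPUID reports a hypervisor")
    vendor = str(probe.get("dmi_vendor", "")).lower()
    if any(marker in vendor for marker in VM_VENDOR_MARKERS):
        hits.append("DMI vendor '%s' is a known hypervisor" % probe["dmi_vendor"])
    if not probe.get("has_thermal_zone", False):
        hits.append("no thermal sensor exposed (hardware check)")
    if float(probe.get("uptime_s", 0.0)) < 300:
        hits.append("machine booted less than five minutes ago")
    return hits


def looks_like_sandbox(probe: Dict[str, object], threshold: int = 2) -> bool:
    """The decision an evasive sample makes: bail out if enough checks fire."""
    return len(sandbox_indicators(probe)) >= threshold


# Constructed probes for demonstration (not captured from real systems).
LAPTOP_PROBE = {"cpu_flags": {"fpu", "sse2", "avx2"}, "dmi_vendor": "LENOVO",
                "has_thermal_zone": True, "uptime_s": 86400.0}
FRESH_VM_PROBE = {"cpu_flags": {"fpu", "sse2", "hypervisor"}, "dmi_vendor": "QEMU",
                  "has_thermal_zone": False, "uptime_s": 42.0}

if __name__ == "__main__":
    cases = (("laptop", LAPTOP_PROBE), ("fresh VM", FRESH_VM_PROBE), ("this host", collect_probe_linux()))
    for label, probe in cases:
        verdict = "sandbox" if looks_like_sandbox(probe) else "real"
        print(label, "->", verdict, sandbox_indicators(probe))
```

Read the indicator list from the defender's side: each line is something an analysis environment has to fake (a plausible vendor string, sensor devices, a realistic uptime) before an evasive sample will show its true behavior. That is why a malware run that ends immediately with no network activity is itself a signal worth investigating rather than a reason to mark the file clean.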
For consumers, the key takeaway is caution. Avoid enabling macros in documents unless absolutely necessary, install apps only from official app stores, and be cautious with unexpected messages. While GravityRAT targets high-value organizations, its techniques show how easily trust can be exploited in everyday digital life.