Gravity RAT Malware Returns as A Chat Application

Android Remote Administration Tool (RAT) is a program that can control android devices from the server primarily used for malicious activities. For example, threat Actors (TAs) use these techniques to steal sensitive data from the user’s device. This blog focuses on one such malicious application that performs its malicious activity behind the application, which claims to be a secure chatting application.

Cyble Research Labs came across a Twitter post wherein researchers mentioned an Android RAT, Gravity. Additionally, we verified that the sample on Virus Total was uploaded from India. This Android Malware has the name SoSafe Chat and an icon similar to messaging apps that trick a user into thinking that this application is a genuine chatting app.

On further analysis, we observed a website with a similar interface and description hosted sosafe[.]

Gravity RAT has been attacking Windows systems. Additionally, in 2018, the same group came with an Android RAT malware to target the Indian Armed Forces.

We suspect that the application might be distributed via phishing or from a compromised website based on our research. Researchers also claim Pakistani Hacker Groups might be behind this malware.

Once this malware succeeds in execution on users’ devices, it can steal sensitive data like Contacts data, SMS data, and files from the device’s external storage.

Technical Analysis

APK Metadata Information

  • App Name: SoSafe Chat
  • Package Name: eu.siacs.conversations
  • SHA256 Hash: c7d01eacfb80cea5fcfd643cddec8bdc4ed9fde8d1161e4958cc71f9e82c6469

Figure 1 shows the metadata information of the application.

Figure 1 Metadata Information

Figure 2 shows the Malware has an icon similar to messaging applications.

Figure 2 App Icon and Name

Manifest Description

The malware requests forty-two different permissions, out of which few reappears. From these permissions, the attackers could abuse thirteen permissions, as follows:

  • Read SMS, Call Logs, and Contacts data.
  • Change or modify system settings.
  • Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device.
  • Read or write the files on the device’s external storage.
  • Record audio.
  • Gets connected network information.
  • Get the device’s location.

We have listed the dangerous permissions below.

READ_SMSAccess phone’s messages
READ_CONTACTSAccess phone’s contacts
WRITE_SETTINGSAllows an application to modify system settings
READ_CALL_LOGAccess phone call logs
READ_PHONE_STATEAllows access to phone state, including the current cellular network information, the phone number and the serial number of this phone, the status of any ongoing calls, and a list of any Phone Accounts registered on the device
WRITE_EXTERNAL_STORAGEAllows the app to write or delete files to the external storage of the device
READ_EXTERNAL_STORAGEAllows the app to read the contents of the device’s external storage
RECORD_AUDIOAllows the app to record audio with the microphone, which the attackers can misuse
GET_ACCOUNTSAllows the app to get the list of accounts used by the phone
ACCESS_NETWORK_STATEAllows the app to get information about network connections
ACCESS_WIFI_STATEAllows the app to get information about Wi-Fi connectivity
ACCESS_COARSE_LOCATIONAllows the app to get the approximate location of the device network sources such as cell towers and Wi-Fi
ACCESS_FINE_LOCATIONAllows the app to get the precise location of the device using the Global Positioning System (GPS)
Table 1: Permissions’ Description

Figure 3 shows the launcher activity of the Malware.

Figure 3 Launcher Activity

Source Code Description

The code snippets shown in Figures 4, 5, and 6 show that the Malware steals the device’s Contacts data and upload it to the C2 server.

  • The below figure shows that the malware reads the contacts data such as Mobile numbers and Names.
Figure 4 Reads Contact Data
  • The below figure shows that the malware passes the contacts data to the method postfiledata.
Figure 5 Passes the Data to Upload to C&C
  • The code in the figure below shows the contacts data being uploaded to the TAs Command and Control (C&C).
Figure 6 Upload Data to the C&C

Figure 7 shows how the malware steals the device’s SMS data, such as the address from which communication is happening and message content and upload to the C&C server.

Figure 7 Steals SMS Data

The code shown in Figure 8 demonstrates that the Malware also steals the device’s call logs.

Figure 8 Reads Call log

Furthermore, Figure 9 demonstrates how the Malware steals the device’s location data.

Figure 9 Reads Location

Traffic Analysis

During traffic analysis of the malware, we identified that it communicates with the TAs C&C hxxps://api1.androidsdkstream[.]com/foxtrot/61c10953.php and uploads the sensitive data to the same C&C.

The below figure shows that the malware uploads the contacts data from the device to TAs C&C.

Figure 10 Uploads Contacts Data

Figure 11 shows that the malware uploads the call logs data from the device to TAs C&C.

Figure 11 Uploads Call Log

The figure below shows that the malware uploads the files from the device’s external storage to TAs C&C.

Figure 12 Uploads Files

Other Observation

While performing source code analysis, we found an extension sosafe[.]co[.]in as a hint in the registration text field (EditText), as shown in the below figure.

Figure 13 Hardcoded Domain

Furthermore, we found a website with the same domain as sosafe[.]co[.]in, as shown in the figure below.

Figure 14 SoSafe Website

On this website, there is a download option for the application. Currently, the registration option is not allowed on the website, and the Download link is disabled.

Figure 15 Download Option

Presently the source of the application is not confirmed. However, Cyble Research Lab is working to find the origin and the Threat Actor behind the Malware.


Gravity RAT is a malware that targets users to steal sensitive information such as Contacts data, SMS, call logs, files, and records audio of the device without the user’s knowledge. It is known for targeting the Indian Armed Forces.

Threat Actors constantly adapt their methods to avoid detection and find new ways to target users through sophisticated techniques. Such malicious applications often masquerade as legitimate applications to confuse users into installing them.

Users should install applications only after verifying their authenticity and install them exclusively from the official Google Play Store to avoid such attacks.

Our Recommendations

We have listed some essential cybersecurity best practices that create the first line of control against attackers. We recommend that our readers follow the best practices given below:  

  • Download and install software only from official app stores like Google Play Store.
  • Ensure that Google Play Protect is enabled on Android devices.
  • Users should be careful while enabling any permissions on their devices.
  • If you find any suspicious applications on your device, uninstall, or delete them immediately. 
  • Use the shared IOCs to monitor and block the malware infection. 
  • Keep your anti-virus software updated to detect and remove malicious software. 
  • Keep your Android device, OS, and applications updated to the latest versions. 
  • Use strong passwords and enable two-factor authentication. 

MITRE ATT&CK® Techniques

TacticTechnique IDTechnique Name
Initial AccessT1476-Deliver Malicious App via Other Means
ExecutionT1575-Native Code
PersistenceT1402 -Broadcast Receivers
-Capture SMS Messages
-Access Contacts List
-Access Call Log
-Capture Audio
-Data from Local System
ImpactT1400-Modify System Partition

Indicators of Compromise (IOCs)

IndicatorsIndicator typeDescription
c7d01eacfb80cea5fcfd643cddec8bdc4ed9fde8d1161e4958cc71f9e82c6469SHA256Malicious APK
hxxps://api1.androidsdkstream[.]com/foxtrot/61c10953.phpURLTAs C&C

About Us

Cyble is a global threat intelligence SaaS provider that helps enterprises protect themselves from cybercrimes and exposure in the Darkweb. Its prime focus is to provide organizations with real-time visibility to their digital risk footprint. Backed by Y Combinator as part of the 2021 winter cohort, Cyble has also been recognized by Forbes as one of the top 20 Best Cybersecurity Start-ups To Watch In 2020. Headquartered in Alpharetta, Georgia, and with offices in Australia, Singapore, and India, Cyble has a global presence. To learn more about Cyble, visit

Comments are closed.

Scroll to Top