If you haven’t heard of SoSafe Chat, you will now.

This Android app, which purports to be a secure messaging application with end-to-end encryption, is the latest lure cybercriminals are using against smartphone users, particularly those based in India, to infect their devices with GravityRAT, a piece of malicious software known for spying on its victims and stealing their data.

According to Cyble Research Labs, the latest version of GravityRAT can now track the locations of its targets, exfiltrate cellular network data, and record audio. Below is the full list of capabilities Cyble reported:

  • Read SMS, call logs, and contacts data
  • Change or modify system settings
  • Read current cellular network information, the phone number and the serial number of the victim’s phone, the status of any ongoing calls, and a list of any phone accounts registered on the device
  • Read or write the files on the device’s external storage
  • Record audio
  • Get connected network information
  • Get the device’s location
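Every item in that list corresponds to a permission the app has to declare in its manifest, so an analyst can triage a sideloaded APK by its permission set alone before touching the code. The script below is an added example, not code from the article, Cyble or BleepingComputer: it parses a constructed AndroidManifest.xml (the kind apktool produces), maps the declared permissions back onto the capability list above, and flags the app when it covers several spyware capabilities at once. The capability-to-permission mapping and the threshold of four are the editor's assumptions, not something the article states.

```python
"""Triage a decoded Android manifest against the GravityRAT capability list.

Added example. The capability -> permission mapping below is the editor's own
reading of the article's list (assumption), and SAMPLE_MANIFEST is constructed.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Article's capability list -> permissions an app must declare to do it.
# Editor's mapping, not taken from the article.
CAPABILITY_PERMISSIONS = {
    "read SMS, call logs, contacts": {
        "android.permission.READ_SMS",
        "android.permission.READ_CALL_LOG",
        "android.permission.READ_CONTACTS",
    },
    "change system settings": {"android.permission.WRITE_SETTINGS"},
    "read cellular/phone state": {
        "android.permission.READ_PHONE_STATE",
        "android.permission.READ_PHONE_NUMBERS",
    },
    "read/write external storage": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.WRITE_EXTERNAL_STORAGE",
    },
    "record audio": {"android.permission.RECORD_AUDIO"},
    "connected network information": {
        "android.permission.ACCESS_NETWORK_STATE",
        "android.permission.ACCESS_WIFI_STATE",
    },
    "device location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
}

# Constructed manifest resembling what a decoded "secure chat" app might declare.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chat">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.READ_CALL_LOG"/>
    <uses-permission android:name="android.permission.READ_CONTACTS"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.RECORD_AUDIO"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.WRITE_EXTERNAL_STORAGE"/>
    <application android:label="SecureChat"/>
</manifest>
"""


def declared_permissions(manifest_xml: str) -> set:
    """Return the set of <uses-permission android:name="..."> values."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {
        el.get(name_attr)
        for el in root.iter("uses-permission")
        if el.get(name_attr)
    }


def matched_capabilities(perms: set) -> dict:
    """Map each capability from the article to the declared permissions enabling it."""
    return {
        cap: perms & needed
        for cap, needed in CAPABILITY_PERMISSIONS.items()
        if perms & needed
    }


def triage(manifest_xml: str, threshold: int = 4) -> tuple:
    """Flag the app when it covers at least `threshold` listed spyware capabilities.

    The threshold is an editor's choice: a chat app plausibly needs contacts and
    perhaps audio, but SMS + call logs + phone state + location together is the
    RAT profile, not a messaging feature set.
    """
    hits = matched_capabilities(declared_permissions(manifest_xml))
    return len(hits) >= threshold, hits


if __name__ == "__main__":
    suspicious, hits = triage(SAMPLE_MANIFEST)
    for cap, perms in sorted(hits.items()):
        print("%s: %s" % (cap, ", ".join(sorted(perms))))
    print("SUSPICIOUS" if suspicious else "looks ordinary")
```

On a real sample you would feed it the AndroidManifest.xml from an `apktool d` run (or the output of `aapt dump permissions`); the point is that a messaging app asking for SMS, call logs, phone state, audio and location at install time should be treated as a RAT until proven otherwise, regardless of what its website promises about encryption.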

The history of GravityRAT

This remote access Trojan (RAT) was first identified on infected Windows computers in 2017 by the Indian Computer Emergency Response Team (CERT-IN), but it had been active since at least 2015. An advanced persistent threat (APT) group with origins in Pakistan was believed to be behind the creation of the RAT and the initial attacks using it.

CERT-IN had described GravityRAT as “unlike most malware, which are designed to inflict short-term damage. It lies hidden in the system that it takes over and keeps penetrating deeper. According to latest inputs, GravityRAT has now become self-aware and is capable of evading several commonly used malware detection techniques.”

Knowing India and Pakistan’s longstanding historical and political conflict, it’s no surprise to see GravityRAT coming back to target high profile individuals in India once more. The first time threat actors attempted this was when they homed in on the Indian armed forces in 2018.

The SoSafe Chat website and download page were hosted on sosafe[dot]co[dot]in, an Indian (.co.in) domain.

SoSafe markets itself as an encrypted messaging platform that cares about the security of its users.

SoSafe chat is not just another chat application, but an application that encrypts your messages whether it is text, images, voice notes, or videos. “SoSafe” is available to talk to your loved ones when all the other applications secretly steal your chat data even when they say they do not. We at “SoSafe” ensure that the security of our customers remains our top priority. Be safe with “SoSafe”.

— SoSafe Chat website marketing blurb

BleepingComputer thinks that the above website “likely played a role in the distribution of the app”, and that users likely get directed to it via malvertising and other known means such as social media and instant messages.

It’s also likely that targeted users were messaged privately, since quick searches on top social media sites turned up empty.

How to stay safe

This is a good time to remind readers never to download apps from sites you haven’t heard of. It’s still much, much safer to install apps from the Google Play Store, and make sure Google Play Protect is enabled before you do.

Lastly, if you use an antivirus on your Android device, always make sure it is up to date.

Stay safe!