Android malware used in six-year Pakistan-linked campaign against Indian government

Hackers allegedly based in Pakistan have used Android-based malware during a six-year campaign targeting India’s government as well as Indian companies connected to the defense and technology sectors.

The campaign is still active, according to researchers at Cisco Talos, and it involves the use of malware named GravityRAT that allows hackers to steal information. In a report released Thursday, the researchers call the campaign “Operation Celestial Force.”

Since 2019, Cisco Talos said it has observed the hackers continually add capabilities to GravityRAT that allow them to exfiltrate device data like the International Mobile Equipment Identity number, phone numbers, network operations, SIM information, and device location. 

Cisco previously spotlighted the use of GravityRAT by Pakistani actors against targets in India in 2018.

The malware also lets the hackers read text messages, steal files off the device, read call logs and delete all contacts. 

The hackers distribute GravityRAT through malicious websites, some of which were registered as late as January 2024. The websites purport to offer legitimate Android applications.

The hackers behind the attacks are part of a group the researchers named “Cosmic Leopard” — which mostly focuses on espionage and surveillance. 

“While this operation has been active for at least the past six years, Talos has observed a general uptick in the threat landscape in recent years, with respect to the use of mobile malware for espionage to target high-value targets, including the use of commercial spyware,” Cisco Talos researchers said. 

Expansion and overlap

In addition to the GravityRAT malware, the “Operation Celestial Force” campaign has used an “expanding and evolving malware suite” — which Cisco Talos said was evidence that the hackers have “seen a high degree of success targeting users in the Indian subcontinent.”

The expansion includes the HeavyLift malware family — which allows the hackers to download and install other malicious implants onto a victim’s device. 

“This campaign primarily utilizes two infection vectors — spear phishing and social engineering. Spear phishing consists of messages sent to targets with pertinent language and maldocs that contain malware such as GravityRAT,” the researchers said. 

“The other infection vector, gaining popularity in this operation, and now a staple tactic of the Cosmic Leopard’s operations consists of contacting targets over social media channels, establishing trust with them and eventually sending them a malicious link to download either the Windows- or Android-based GravityRAT or the Windows-based loader, HeavyLift.”

The activities of Cosmic Leopard overlap with Transparent Tribe — another Pakistani hacking group allegedly connected to the country’s government. Transparent Tribe has been implicated in multiple campaigns targeting India’s education sector, government and military as well as organizations across Afghanistan. 

Transparent Tribe has targeted both Indian and Pakistani citizens in the past with Android-focused malware designed to record phone calls, steal photos and more. Cisco Talos said it did not have enough technical evidence to tie the six-year campaign with Transparent Tribe, which is why they tagged it under the Cosmic Leopard name.