New Android GravityRAT targets WhatsApp backups
Security researchers from ESET have discovered an updated version of the Android GravityRAT spyware, which now focuses on infiltrating WhatsApp backups.
GravityRAT is a remote access trojan that first emerged in 2015 and has been a persistent threat ever since. It gives attackers remote access to compromised devices, allowing them to extract various types of sensitive data, including call logs, contacts, messages, locations, photos, videos, and documents. Although versions exist for Windows, Android, and macOS, the true origins of GravityRAT and the identity of the group behind it, known as SpaceCobra, remain undisclosed.
The latest variant of GravityRAT, as uncovered by ESET, specifically targets WhatsApp backups as a means of gaining unauthorized access to user data. By exploiting weaknesses around the popular messaging platform, the malware aims to extract a wealth of personal information from unsuspecting victims. To distribute it, the operators have repurposed two messaging apps, BingeChat and Chatico, as delivery vehicles: the apps carry the malicious payload while posing as ordinary chat software.
The trojanized BingeChat app, designed to resemble a legitimate messaging and file-sharing service, can be downloaded from a dedicated website. On the other hand, the Chatico app, which was once active, is no longer operational. The campaign appears to be highly targeted, with the attackers expecting specific victims to visit the website based on factors such as IP address, geolocation, custom URL, or specific timeframes.
Upon successful compromise, the malware extracts unencrypted WhatsApp backup files, granting the attackers complete access to a user’s messages, photos, videos, documents, and other media items stored within the backup file. ESET has issued a warning stating that the app is delivered through “bingechat[.]net” and potentially other domains or distribution channels. However, access to the download is invite-based, making it challenging for researchers to obtain copies for analysis.
The operators of GravityRAT have demonstrated a consistent pattern of using chat apps to propagate their malicious payloads. In previous instances, they utilized apps like ‘SoSafe’ and ‘Travel Mate Pro’ to promote malicious Android APKs. ESET’s analysis has also revealed that the trojanized BingeChat app is, in fact, a modified version of OMEMO IM, a legitimate open-source instant messenger app for Android. These connections between GravityRAT, OMEMO IM, and the fake app named “Chatico” illustrate the sophisticated tactics employed by the SpaceCobra group.
The sources for this piece include an article in InfoSecurityMagazine.