Android GravityRAT malware now steals your WhatsApp backups

Since August 2022, a new Android malware campaign has been active, spreading the latest version of GravityRAT. The malware is delivered as a trojanized chat app called ‘BingeChat’ and steals data from the infected devices.

ESET researcher Lukas Stefanko analyzed a sample of this malware after receiving a tip from the MalwareHunterTeam. One of the notable additions observed in the latest version of GravityRAT is its ability to steal WhatsApp backup files.

WhatsApp backups exist so that users can move their message history, media files, and other data to a new device. As a result, they can contain sensitive text, videos, photos, documents, and more, all of which are stored in an unencrypted format.

It is important to remain vigilant and take appropriate security measures to protect your Android device from such malware campaigns, as they pose a risk to the privacy and security of your personal data.

GravityRAT, a spyware that has been active since at least 2015, expanded its targeting to Android devices in 2020. The operators behind the spyware, known as ‘SpaceCobra,’ use it exclusively for narrowly targeted surveillance operations.

The spyware is distributed under the guise of a chat app called ‘BingeChat,’ which claims to offer end-to-end encryption and a user-friendly interface with advanced features.

According to ESET, the malicious app is primarily delivered through the domain “bingechat[.]net,” and potentially other domains or distribution channels. However, access to the download is invite-based, requiring users to provide valid credentials or register a new account.

While the registration is currently closed, this method allows the operators to specifically target individuals for the distribution of the malicious app. It also poses challenges for researchers trying to obtain a copy of the app for analysis.

In 2021, GravityRAT’s operators employed a similar tactic of promoting malicious Android APKs through a chat app named ‘SoSafe.’ Prior to that, they used another app called ‘Travel Mate Pro.’

During his analysis, Lukas Stefanko from ESET discovered that the ‘BingeChat’ app is a modified version of OMEMO IM, a legitimate open-source instant messenger app for Android.

Further investigation by ESET’s analyst revealed that SpaceCobra had previously used OMEMO IM as the basis for another fraudulent app called “Chatico.” This app was distributed to targets in the summer of 2022 through the now-offline domain “chatico.co[.]uk.”

GravityRAT capabilities

Upon installation on the target device, BingeChat requests permissions that pose potential risks to the user’s privacy and security. These permissions include access to contacts, location, phone, SMS, storage, call logs, camera, and microphone.

These permissions are commonly requested by instant messaging apps, making them appear normal and unlikely to raise suspicions among victims.
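As an added defender-side example (not code from ESET or from the article), the script below scores an APK manifest against the permission profile described above. The manifest is constructed, the package name is hypothetical, and the permission constants are standard Android names rather than values from the article. Because legitimate messengers request the same set, a full match is a triage signal for manual review, not a verdict.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# The article's eight sensitive-data categories mapped to the standard Android
# permission constants that grant them (constants are standard Android names,
# not taken from the article).
CATEGORY_PERMISSIONS = {
    "contacts": {"android.permission.READ_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION",
                 "android.permission.ACCESS_COARSE_LOCATION"},
    "phone": {"android.permission.READ_PHONE_STATE"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE"},
    "call_logs": {"android.permission.READ_CALL_LOG"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}

def declared_permissions(manifest_xml: str) -> set:
    """Collect the android:name value of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}

def triage(manifest_xml: str) -> dict:
    """Report which categories a manifest unlocks; full_profile is True only
    when all eight are covered, the breadth the article attributes to BingeChat."""
    perms = declared_permissions(manifest_xml)
    cats = sorted(c for c, names in CATEGORY_PERMISSIONS.items() if perms & names)
    return {"categories": cats, "count": len(cats),
            "full_profile": len(cats) == len(CATEGORY_PERMISSIONS)}

# Constructed sample manifest (hypothetical package name, not the real app).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="example.chat.sample">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
</manifest>"""
```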

Before users register on BingeChat, the app sends various data, such as call logs, contact lists, SMS messages, device location, and basic device information, to the command and control (C2) server controlled by the threat actor.

Furthermore, BingeChat steals media and document files with specific file extensions, including jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32. The “crypt” file extensions are associated with WhatsApp Messenger backups, as mentioned earlier.

Another noteworthy capability of GravityRAT is its ability to receive commands from the C2 server. These commands include “delete all files” of a specified extension, “delete all contacts,” and “delete all call logs.”

While SpaceCobra’s campaigns primarily target India and are highly focused, it is crucial for all Android users to exercise caution. Avoid downloading APKs from sources other than Google Play and be wary of risky permission requests when installing any app to protect your privacy and security.

Ahsan Sher

It is an honor to be part of the AlifBey Team. Well, I'm mainly interested in programming, but I'll bring you articles you may have never read before, especially computer tactics when you need them and for you. Also surprising ... If you think I need correction, please correct me.
