GravityRAT, The Android Malware Threat Exploiting WhatsApp Backups

GravityRAT, The Android Malware Threat Exploiting WhatsApp Backups

Premium Content

Subscribe to Patreon to watch this episode.
Reading Time: 3 Minutes

Since August 2022, a dangerous Android malware campaign has been spreading the latest version of GravityRAT, infecting mobile devices with a trojanized chat app called BingeChat. This insidious malware aims to steal valuable data from unsuspecting victims. Lukas Stefanko, a researcher from ESET, analyzed a sample of the malware after receiving a tip from MalwareHunterTeam. Among the new additions observed in the latest version of GravityRAT is the capability to pilfer WhatsApp backup files.

WhatsApp backups are designed to assist users in transferring their message history, media files, and data to new devices. However, these backups often contain sensitive information, including unencrypted text, videos, photos, documents, and more. GravityRAT, which has been active since at least 2015 but only started targeting Android in 2020, is exclusively employed by its operators, known as ‘SpaceCobra,’ in narrow and targeted operations.

Android campaign

The ongoing Android campaign utilizes the deceptive app ‘BingeChat,’ which masquerades as an end-to-end encrypted chat application boasting a straightforward interface and advanced features. ESET reports that the malicious app is distributed primarily through the domain “bingechat[.]net” and potentially other domains or distribution channels. However, downloading the app requires an invitation-based system, where visitors must provide valid credentials or register a new account. This method enables the attackers to exclusively distribute the malicious app to their intended targets, complicating the efforts of researchers seeking access for analysis.

Website spreading GravityRAT (BleepingComputer)

See Also: So you want to be a hacker?
Offensive Security, Bug Bounty Courses

GravityRAT’s operators have previously employed similar tactics to promote malicious APKs, such as the chat apps ‘SoSafe’ and ‘Travel Mate Pro’ in 2021. Lukas Stefanko discovered that BingeChat is a trojanized version of OMEMO IM, a legitimate open-source instant messenger app for Android. Further investigation by ESET’s analysts revealed that SpaceCobra based another fake app named “Chatico” on OMEMO IM, which was distributed to targets during the summer of 2022 via the now-defunct “[.]uk” website.

Generic operational diagram (ESET)


BingeChat requests extensive permissions upon installation on the target’s device, including access to contacts, location, phone, SMS, storage, call logs, camera, and microphone. These permissions are typical for instant messaging apps, making them unlikely to raise suspicions or appear abnormal to victims. However, before users register on BingeChat, the app secretly sends call logs, contact lists, SMS messages, device location, and basic device information to the threat actor’s command and control (C2) server.

Data exfiltration from the victim’s device (ESET)

Additionally, the malware steals media and document files of various types, including jpg, jpeg, log, png, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18, and crypt32. Notably, the crypt file extensions correspond to WhatsApp Messenger backups, highlighting the attackers’ interest in harvesting this valuable data.

GravityRAT has introduced another alarming feature in its latest version: the ability to receive commands from the C2 server to “delete all files” of a specified extension, “delete all contacts,” and “delete all call logs.” While SpaceCobra’s campaigns tend to focus primarily on India and are highly targeted, it is crucial for all Android users to exercise caution. Avoid downloading APKs from sources outside of Google Play and remain vigilant when granting permissions during app installations to minimize the risk of falling victim to malware attacks.

Are u a security researcher? Or a company that writes articles or write ups about Cyber Security, Offensive Security (related to information security in general) that match with our specific audience and is worth sharing?

If you want to express your idea in an article contact us here for a quote:


Source Link

Offensive Security & Ethical Hacking Course

Begin the learning curve of hacking now!

Information Security Solutions

Find out how Pentesting Services can help you.

The post GravityRAT, The Android Malware Threat Exploiting WhatsApp Backups first appeared on Black Hat Ethical Hacking.

About The Author