SecurityBrief Asia - Technology news for CISOs & cybersecurity decision-makers
Asia
Guides
#
cloud security
#
cybersecurity
#
endpoint protection
#
firewall
#
ransomware
Search
Story image
#
Cybersecurity
#
Malware
#
Smartphones
ESET: WhatsApp backups using Android spyware GravityRAT
Fri, 16th Jun 2023
Author image
By Kaleah Salmon, Journalist
Follow us

ESET researchers have identified an updated version of the Android-based GravityRAT spyware being distributed as the messaging apps BingeChat and Chatico, believed to be targeting specific India users. 

GravityRAT is a remote access tool previously used in targeted attacks against users in India, with Windows, Android, and macOS versions available. 

The actor behind GravityRAT remains unknown, although ESET Research tracks the group known as SpaceCobra. 

Most likely active since August 2022, the BingeChat campaign is still ongoing. GravityRAT can exfiltrate WhatsApp backups in the newly discovered campaign and receive commands to delete files.

The malicious apps also provide legitimate chat functionality based on the open-source OMEMO Instant Messenger app.

Just as in previously documented SpaceCobra campaigns, the Chatico campaign targeted a user in India. 

The BingeChat app is distributed through a website that requires registration, likely open only when the attackers expect specific victims to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe. 

ESET researchers believe In any case; the campaign is very likely highly targeted.

Lukáš Štefanko, the ESET researcher who investigated the malicious apps, says: “We found a website that should provide the malicious app after tapping the DOWNLOAD APP button; however, it requires visitors to log in.” 

“We didn’t have credentials, and registrations were closed.” 

“It is most probable that the operators only open registration when they expect a specific victim to visit, possibly with a particular IP address, geolocation, custom URL, or within a specific timeframe.”

“Although we couldn’t download the BingeChat app via the website, we were able to find a distribution URL on VirusTotal,” says Lukáš Štefanko, ESET researcher.

ESET Research does not know how potential victims were lured to or otherwise discovered the malicious website. Considering that downloading the app is conditional on having an account and new account registration was not possible during the investigation, ESET believes that potential victims were specifically targeted.  

The group behind the malware remains unknown, even though Facebook researchers attribute GravityRAT to a group based in Pakistan, as previously speculated by Cisco Talos. 

As part of the app’s legitimate functionality, it provides options to create an account and log in. Before the user signs into the app, GravityRAT starts to interact with its C&C server, exfiltrating the device user’s data and waiting for commands to execute. 

GravityRAT is capable of exfiltrating call logs, contact lists, SMS messages, device location, basic device information, and files with specific extensions for pictures, photos, and documents. 

This version of GravityRAT has two minor updates compared to previous, publicly known versions of GravityRAT: exfiltrating WhatsApp backups and receiving commands to delete files.

The malicious app has never been made available in the Google Play store.

Related stories
Smarttech247 & SentinelOne launch AI-powered cybersecurity for SMEs
GitHub's 2FA initiative helps secure software supply chain
ExtraHop report shows Singapore firms vulnerable to ransomware attacks
Jason Haddix joins Flare as Field Chief Information Security Officer
Ransomware threats escalating in Southeast Asia – report
Top stories
Zscaler introduces enhanced ZDX service for improved IT operations
The importance of cybersecurity training for software developers
HID acknowledged as Leader in Gartner Magic Quadrant for Indoor Location Services
Exclusive: How Darktrace is tackling AI-driven cybersecurity
Record ransomware attacks in March 2024, report finds