ESET researchers have discovered an updated version of the Android-based GravityRAT spyware distributed as messaging apps BingeChat and Chatico.
ISTANBUL (IGFA) – Cybersecurity company ESET has analyzed an updated version of Android GravityRAT spyware that steals WhatsApp backup files and can receive commands to delete files.
GravityRAT, a remote access tool used in attacks targeting users in India, has versions for Windows, Android, and macOS. It is unknown who is behind GravityRAT; ESET Research tracks the group as SpaceCobra. The BingeChat campaign, which has probably been running since August 2022, is still active. In the newly discovered campaign, GravityRAT can exfiltrate WhatsApp backups and receive commands to delete files. The malicious apps also provide the legitimate chat functionality of the open source OMEMO Instant Messenger app, on which they are based.
ESET researcher Lukáš Štefanko, who analyzed the malware, said: “After tapping the ‘DOWNLOAD APPLICATION’ button, we found a website that was sending malicious applications, but it required visitors to log in. We believe that the operators open registration only when they expect a particular victim, possibly from a particular IP address, geolocation, custom URL, or within a specific time frame. While we were unable to download the BingeChat app from the website, we were able to find a distribution URL on VirusTotal. The malicious application is not accessible through the Google Play Store.”

POTENTIAL VICTIMS ARE THE TARGET
The group behind the malware remains unknown, although Facebook researchers have linked GravityRAT to a Pakistani group, as Cisco Talos had previously suspected. ESET tracks this group as SpaceCobra.
ESET attributes both the BingeChat and Chatico campaigns to this group.
As part of the app’s legitimate functionality, an account creation and login option is provided. Before the user even logs in to the application, GravityRAT starts communicating with the C&C server, exfiltrating user data from the device and waiting for commands to execute.
GravityRAT can exfiltrate call logs, the contact list, text messages, device location, basic device information, and files with specific extensions for images, photos, and documents.
This version of GravityRAT has two updates over previously known versions: exfiltrating WhatsApp backups and receiving commands to delete files.

Source: Haber Safir
Alice Smith is a seasoned journalist and writer for Div Bracket. She has a keen sense of what’s important and is always on top of the latest trends. Alice provides in-depth coverage of the most talked-about news stories, delivering insightful and thought-provoking articles that keep her readers informed and engaged.