WhatsApp users should pay close attention to what they download on their Android smartphones. ESET researchers have detected a new Android version of the GravityRAT spyware hiding in trojanized versions of the BingeChat and Chatico messaging apps. Since SMEs in particular often rely on private smartphones, WhatsApp included, caution is called for.
In the case under investigation, the malicious app steals WhatsApp backups and can also delete files on the device. To avoid immediate detection, the app offers legitimate chat functionality based on the open-source application OMEMO Instant Messenger. ESET suspects the SpaceCobra group is behind this campaign, which has probably been active since August 2022.
Used in targeted attacks
The malicious BingeChat app is distributed via a website that requires registration and is likely opened only when the attackers expect particular victims to visit it. "We found a web page that should provide the malicious app after tapping the DOWNLOAD APP button. However, visitors must register for this. We had no login details and registration was closed. We assume that the operators provide registration only when they expect a specific victim to visit. Potential targets may need a specific IP address, geolocation, custom URL, or need to visit the website at a specific time," says ESET researcher Lukas Stefanko. The app was never made available on the Google Play Store.
The trojanized Chatico app was used against a user in India. Overall, the ESET researchers conclude that the campaign is highly targeted and that carefully selected victims are being attacked.
Actors behind the campaign unclear
The group behind the malware remains unknown. Facebook researchers and Cisco Talos experts attribute GravityRAT to a Pakistan-based group. ESET tracks this group under the name SpaceCobra and attributes both the BingeChat and Chatico campaigns to it.
As part of their legitimate functionality, the apps offer account creation and sign-up options. Before the user even logs into the app, GravityRAT starts communicating with its C&C server, stealing the device user's data and waiting for commands to execute. GravityRAT is able to search for and exfiltrate call logs, contact lists, SMS messages, device location, basic device information, and files with specific extensions for images, photos and documents. This version of GravityRAT has two small additions compared to previously known versions: exfiltration of WhatsApp backups and support for commands to delete files.
About ESET
ESET is a European company with headquarters in Bratislava (Slovakia). ESET has been developing award-winning security software since 1987 that has already helped over 100 million users enjoy secure technology. The broad portfolio of security products covers all common platforms and offers companies and consumers worldwide the perfect balance between performance and proactive protection. The company has a global sales network in over 180 countries and branches in Jena, San Diego, Singapore and Buenos Aires. For more information, visit www.eset.de or follow us on LinkedIn, Facebook and Twitter.