Tuesday, December 24, 2024
HomeCyber Security NewsAndroid GravityRAT Spyware Steals WhatsApp Backup Files

Android GravityRAT Spyware Steals WhatsApp Backup Files

Published on

SIEM as a Service

Since August 2022, a recently discovered Android virus named “GravityRAT” has rapidly circulated through a new Android malware campaign. 

It gains access to phones by disguising itself as a fraudulent chat app called ‘BingeChat‘ in order to steal users’ sensitive data.

- Advertisement - SIEM as a Service
BingeChat

ESET researcher Lukas Stefanko discovered that the latest version of GravityRAT now steals WhatsApp backup files.

The creation of WhatsApp backups is intended to facilitate the migration of users’ message history, media files, and data to different or new devices.

While it’s crucial to be aware that these backups may include unencrypted sensitive data like:-

  • Text
  • Video
  • Photos
  • Documents

Technical analysis

Since 2015, GravityRAT has been active and in operation, but it shifted its focus to Android devices in 2020 for the very first time.

The spyware is exclusively utilized by ‘SpaceCobra,’ its operators, for selected operations with specific targets.

The spyware disguises itself as a chat application called ‘BingeChat,’ which claims to offer:-

  • End-to-end encryption
  • A user-friendly interface
  • Advanced functionalities
powerful features

The delivery of the app occurs through the website “bingechat[.]net” or other available platforms.

However, downloading it requires an invitation, prompting visitors to register a new account or provide sensitive data like credentials.

download

Presently, registrations are closed, and this method is employed solely for the purpose of targeting specific people with the distribution of malicious apps.

In 2021, the operators of GravityRAT once again employed the tactic of promoting malicious Android APKs to their targets.

This time, they utilized a chat app called ‘SoSafe,’ while a previous app named ‘Travel Mate Pro‘ was used before that.

Stefanko discovered that the app is a modified version of OMEMO IM, which is an authentic open-source instant messaging application for Android but is now infused with a trojan.

It was revealed by an ESET analyst that SpaceCobra employed a fraudulent app called “Chatico.”

This app was distributed to targeted individuals through the website “chatico.co[.]uk” during the summer of 2022.

Permissions asked

Upon installation on the target’s device, BingeChat requests permissions that pose potential risks. The permissions include access to the following:-

  • Contacts
  • Location
  • Phone
  • SMS
  • Storage
  • Call logs
  • Camera
  • Microphone

As instant messaging apps commonly require these permissions, they are unlikely to trigger suspicion or seem strange to the targeted individual.

When a user attempts to register on BingeChat, the app transfers the following details automatically to a C2 server operated by the threat actor:-

  • Call logs
  • Contact lists
  • SMS messages
  • Device location
  • Basic device information

As a safety measure, it is advised that users must avoid downloading any APKs from other unknown or unreliable sources.

Additionally, it is important to exercise caution and be vigilant regarding app permissions during installation.

Looking For an All-in-One Multi-OS Patch Management Platform – 

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...

Malicious Apps On Amazon Appstore Records Screen And Interecpt OTP Verifications

A seemingly benign health app, "BMI CalculationVsn," was found on the Amazon App Store,...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Node.js systeminformation Package Vulnerability Exposes Millions of Systems to RCE Attacks

A critical command injection vulnerability in the popular systeminformation npm package has recently been disclosed, exposing...

Skuld Malware Using Weaponized Windows Utilities Packages To Deliver Malware

Researchers discovered a malware campaign targeting the npm ecosystem, distributing the Skuld info stealer...

BellaCiao, A new .NET Malware With Advanced Sophisticated Techniques

An investigation revealed an intrusion in Asia involving the BellaCiao .NET malware, as the...