GravityRAT Android Trojan Updated to Steal WhatsApp Backups
Researchers have discovered an updated version of the GravityRAT remote access Android trojan. Since the summer of 2022, the malware has been disguised as BingeChat and Chatico messengers, trying to steal data from users’ devices.
Background of GravityRAT
The GravityRAT Trojan has been active since at least 2015, but first started targeting Android users in 2020. Its operators, the SpaceCobra group, typically use GravityRAT as spyware in highly targeted campaigns.
New Features of GravityRAT
According to ESET researchers who analyzed a sample of the updated malware after a tip from MalwareHunterTeam, one of the notable new updates in GravityRAT is the functionality to steal WhatsApp backup files. Backups are created to help users transfer their message history, media, and data to new devices and may contain sensitive data, including messages, videos, photos, documents, and more, in unencrypted form.
The Trojan is currently distributed under the name BingeChat, posing as a messaging application with end-to-end encryption, a simple interface, and rich functionality. ESET says the app is being delivered via bingechat[.]net, but there may be other domains or distribution channels. Downloading the malware is possible only by invitation: the user must log in with valid credentials or register a new account.
Although registration is currently closed, this approach lets the attackers deliver the malicious application only to the people they target. It also makes it harder for researchers to obtain the malware for analysis.
Analysts write that BingeChat is a trojanized version of OMEMO IM, a legitimate open-source messenger for Android. Moreover, in the course of studying this campaign, it turned out that SpaceCobra also used OMEMO IM as the basis for another fake application, Chatico, which was distributed to victims in the summer of 2022 through the now-disabled site chatico.co[.]uk.
When installed on a device, BingeChat asks for dangerous permissions, including access to contacts, location, phone, SMS, storage, call logs, camera, and microphone. Alas, as the researchers note, these are standard permissions for instant messengers, so they are unlikely to arouse suspicion in the victim.
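One way to check what a sample actually asks for is to read its decoded manifest and map the declared permissions onto the groups listed above. The script below is an added example written for this article, not ESET's tooling; it assumes a manifest already decoded to plain XML (for example with apktool), and the manifest it parses is constructed for illustration.

```python
"""Triage helper: report which of the permission groups the article lists
(contacts, location, phone, SMS, storage, call logs, camera, microphone)
a decoded AndroidManifest.xml requests.  Added example; the sample manifest
is constructed, not taken from a real BingeChat build."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Permission groups named in the article, mapped to the concrete Android
# permission names that grant access to each of them.
DANGEROUS_GROUPS = {
    "contacts": {"android.permission.READ_CONTACTS", "android.permission.WRITE_CONTACTS"},
    "location": {"android.permission.ACCESS_FINE_LOCATION", "android.permission.ACCESS_COARSE_LOCATION"},
    "phone": {"android.permission.READ_PHONE_STATE", "android.permission.CALL_PHONE"},
    "sms": {"android.permission.READ_SMS", "android.permission.RECEIVE_SMS", "android.permission.SEND_SMS"},
    "storage": {"android.permission.READ_EXTERNAL_STORAGE", "android.permission.WRITE_EXTERNAL_STORAGE"},
    "call_logs": {"android.permission.READ_CALL_LOG", "android.permission.WRITE_CALL_LOG"},
    "camera": {"android.permission.CAMERA"},
    "microphone": {"android.permission.RECORD_AUDIO"},
}

def requested_permissions(manifest_xml: str) -> set:
    """Return every permission name declared in a <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    attr = "{%s}name" % ANDROID_NS  # attribute is in the android: namespace
    return {el.get(attr) for el in root.iter("uses-permission") if el.get(attr)}

def dangerous_groups(manifest_xml: str) -> dict:
    """Map each requested dangerous group to the permissions that triggered it,
    so an analyst can compare the set against what a messenger plausibly needs."""
    perms = requested_permissions(manifest_xml)
    return {g: perms & names for g, names in DANGEROUS_GROUPS.items() if perms & names}

# Constructed sample manifest: a messenger-style app asking for five of the
# eight groups plus INTERNET, which is not a dangerous permission.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.constructed">
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.INTERNET"/>
</manifest>"""

if __name__ == "__main__":
    for group, names in sorted(dangerous_groups(SAMPLE_MANIFEST).items()):
        print("%s: %s" % (group, ", ".join(sorted(names))))
```

As the article notes, a messenger legitimately requesting most of these groups is not proof of malice; the value of the report is in spotting groups the app's stated features cannot justify.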
Before a user registers with BingeChat, the app transmits call logs, contact lists, SMS messages, device location, and basic device information to the attackers’ control server.
In addition, multimedia files and documents with the extensions jpg, jpeg, log, png, PNG, JPG, JPEG, txt, pdf, xml, doc, xls, xlsx, ppt, pptx, docx, opus, crypt14, crypt12, crypt13, crypt18 and crypt32 are stolen. The crypt* extensions correspond to the WhatsApp backups mentioned above.
Another interesting new GravityRAT feature that experts note is the ability to receive three commands from the control server: “delete all files” (with the specified extension), “delete all contacts” and “delete all call logs”.
While SpaceCobra’s campaigns are usually aimed at specific individuals, mainly in India, the researchers remind all Android users to be vigilant and to download apps only from official stores.