Heads up, Android users! The latest GravityRAT malware variant now targets Android devices and steals WhatsApp chat backups. The malware reaches the devices by posing as a chat app. Again, this highlights the essentiality of downloading only known apps from trusted sources.
GravityRAT Android Malware Steals WhatsApp Backups
According to a recent report from ESET, a new GravityRAT malware variant has been actively targeting Android devices.
GravityRAT is a spyware known since 2015 as a potent remote access trojan targeting Windows, macOS, and Android systems. It has run numerous malicious campaigns with different iterations, each bearing more advanced malicious capabilities.
The recent GravityRAT variant targets Android devices and steals various files, including WhatsApp backups. To achieve this goal, the threat actors rolled out “BingeChat,” – a supposed chat app. The app offers numerous attractive features, including end-to-end encryption, voice chats, file sharing, an easy user interface, and free availability to lure users.
To further instigate curiosity and add a sense of legitimacy to the app, the threat actors have restricted the app download to an “invite-only” mode with registration requirements. This seemingly prevents the app analysis from potential researchers and ensures a targeted victim base.
Apparently, the app functions usually because the threat actors have developed it on the open-source Android messenger OMEMO IM. That’s how it avoids alarming users about the embedded GravityRAT malware in this trojanized app.
After being downloaded and installed, the app requests risky permissions, which any legit messaging app would request. These include access to SMS messages, contact lists, call logs, location, and device details. Once obtained, the app transmits all this information to the attackers’ C&C.
Alongside these capabilities, the new GravityRAT malware hidden inside the BingeChat app also receives commands regarding file deletion, call log deletion, and contact list deletion. Moreover, it steals files with various extensions, including crypt14, crypt12, crypt13, and crypt18 extensions that often represent WhatsApp chat encrypted backups.
SpaceCobra Identified As Possible Attacker
The researchers have shared a detailed technical analysis of this malware and the BingeChat campaign in their report.
For now, the exact identity of the threat actors behind this malware remains unknown. But ESET names the “SpaceCobra” group as the one behind GravityRAT.
While the recent campaign seemingly continues, it remains unclear how the attackers manage to reach their potential target users. That’s because the app doesn’t exist on the Google Play Store, which suggests that the attackers may be approaching their potential victims through other means, luring them into downloading the app from their domain.
Yet, the one thing that always saves users from such threats is to avoid downloading apps and clicking on links from unknown and untrusted sources.
Let us know your thoughts in the comments.