ESET researchers have discovered a new Android version of the GravityRAT spyware hiding in infected versions of the messaging apps BingeChat and Chatico. In the case examined, the malicious app steals WhatsApp backups and can also delete files on the devices. In order not to immediately attract attention, the app offers legitimate chat functionality based on the open source application OMEMO Instant Messenger. ESET suspects the SpaceCobra group is behind this campaign, which has been active since August 2022.

Use in targeted attacks

The malicious BingeChat app is distributed through a website that requires registration and is probably opened only when the attackers expect specific victims to visit. “We found a website that was supposed to deliver the malicious app after tapping the DOWNLOAD APP button. However, visitors must register for this. We had no login details, and registration was closed. We assume that operators only provide registration when they expect a specific victim to visit. The potential targets may need a specific IP address, geolocation, custom URL, or need to visit the website at a specific time,” says ESET researcher Lukas Stefanko. The app was never made available on the Google Play Store.

The compromised Chatico app targeted a user in India. Overall, the ESET researchers suspect that the campaign is very targeted and that it attacks carefully selected targets.

Actors behind the campaign unclear

The group behind the malware has not been conclusively identified. Facebook researchers and experts at Cisco Talos attribute GravityRAT to a group based in Pakistan. ESET tracks this group under the name SpaceCobra and attributes both the BingeChat and Chatico campaigns to it.

As part of the apps' legitimate functionality, they offer account creation and login. Before the user even logs into the app, GravityRAT begins communicating with its C&C server, stealing the device user's data and waiting for commands to execute. GravityRAT can search for and exfiltrate call logs, contact lists, SMS messages, device location, basic device information, and files with specific extensions for images, photos, and documents. Compared with previously published versions of GravityRAT, this version has two small additions: exfiltration of WhatsApp backups and support for file deletion commands.
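For an analyst triaging a sideloaded chat app, the capability list above translates into a simple permission-gap check: a messenger needs network, camera and microphone access, but has no reason to read call logs, contacts, SMS or device location. The following Python script is an added example written for this article, not ESET's or Mimikama's code. The mapping from the described capabilities to Android permissions, the chat-app baseline and the manifest fragment are all this example's own assumptions (the manifest is constructed, not taken from the real samples).

```python
"""Permission-gap triage for a chat app's AndroidManifest.xml (added example)."""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Capabilities described in the ESET report, mapped to the Android permissions
# that would be needed to act on them. The mapping is this example's assumption.
CAPABILITY_PERMISSIONS = {
    "call logs": {"android.permission.READ_CALL_LOG"},
    "contact lists": {"android.permission.READ_CONTACTS"},
    "SMS messages": {"android.permission.READ_SMS"},
    "device location": {
        "android.permission.ACCESS_FINE_LOCATION",
        "android.permission.ACCESS_COARSE_LOCATION",
    },
    "files on shared storage (images, documents, WhatsApp backups)": {
        "android.permission.READ_EXTERNAL_STORAGE",
        "android.permission.MANAGE_EXTERNAL_STORAGE",
    },
}

# What a messenger with voice/video features plausibly needs (assumed baseline).
CHAT_BASELINE = {
    "android.permission.INTERNET",
    "android.permission.CAMERA",
    "android.permission.RECORD_AUDIO",
    "android.permission.POST_NOTIFICATIONS",
}

# Constructed manifest fragment; the package name is a placeholder.
SAMPLE_MANIFEST = """
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.chatapp">
  <uses-permission android:name="android.permission.INTERNET"/>
  <uses-permission android:name="android.permission.CAMERA"/>
  <uses-permission android:name="android.permission.RECORD_AUDIO"/>
  <uses-permission android:name="android.permission.READ_CALL_LOG"/>
  <uses-permission android:name="android.permission.READ_CONTACTS"/>
  <uses-permission android:name="android.permission.READ_SMS"/>
  <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
  <uses-permission android:name="android.permission.READ_EXTERNAL_STORAGE"/>
</manifest>
"""


def requested_permissions(manifest_xml):
    """Return the set of permission names declared via <uses-permission>."""
    root = ET.fromstring(manifest_xml)
    name_attr = f"{{{ANDROID_NS}}}name"
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def excess_permissions(perms):
    """Permissions beyond what a chat app is expected to need."""
    return perms - CHAT_BASELINE


def enabled_capabilities(perms):
    """Report-described data-theft capabilities the permission set would allow."""
    return {cap for cap, needed in CAPABILITY_PERMISSIONS.items() if perms & needed}


def triage(manifest_xml):
    """Summarise the gap between declared permissions and the chat baseline."""
    perms = requested_permissions(manifest_xml)
    return {
        "excess": sorted(excess_permissions(perms)),
        "capabilities": sorted(enabled_capabilities(perms)),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_MANIFEST)
    print("Permissions beyond chat-app baseline:")
    for p in result["excess"]:
        print("  ", p)
    print("Data the app could collect with them:")
    for c in result["capabilities"]:
        print("  ", c)
```

The check is deliberately coarse: permissions only show what an app could do, and the manifest of a real sample would be pulled from the APK with a tool such as apktool or aapt before running this script. Its value is as a first filter that turns the report's capability list into something an analyst can test against an unknown build of a "chat" app.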

The complete analysis is available on WeLiveSecurity: https://www.welivesecurity.com/deutsch/2023/06/15/whatsapp-backups-im-visor-von-android-gravityrat

Source: ESET